lenticular_cloud/config_development.toml

@@ -22,6 +22,7 @@ HYDRA_PUBLIC_URL = 'http://127.0.0.1:4444'
 SUBJECT_PREFIX = 'something random'
 
 OAUTH_ID = 'identiy_provider'
+OAUTH_SECRET = 'ThisIsNotSafe'
 
 
 [LENTICULAR_CLOUD_SERVICES.jabber]

lenticular_cloud/hydra.py

@@ -1,13 +1,9 @@
-from secrets import token_hex
 from flask import Flask
 from ory_hydra_client import Client
 from typing import Optional
-from ory_hydra_client.api.o_auth_2 import list_o_auth_2_clients, create_o_auth_2_client, set_o_auth_2_client
+from ory_hydra_client.api.o_auth_2 import list_o_auth_2_clients, create_o_auth_2_client
 from ory_hydra_client.models.o_auth_20_client import OAuth20Client
 
-import logging
-
-logger = logging.getLogger(__name__)
 
 class HydraService:
 
@@ -23,7 +19,7 @@ class HydraService:
         self.set_hydra_client(Client(base_url=app.config['HYDRA_ADMIN_URL']))
 
         client_name = app.config['OAUTH_ID']
-        client_secret = token_hex(16)
+        client_secret = app.config['OAUTH_SECRET']
 
         clients = list_o_auth_2_clients.sync_detailed(_client=self.hydra_client).parsed
         if clients is None:
@@ -49,11 +45,6 @@ class HydraService:
             ret = create_o_auth_2_client.sync(json_body=client, _client=self.hydra_client)
             if ret is None:
                 raise RuntimeError("could not crate account")
-        else:
-            client.client_secret = client_secret
-            ret = set_o_auth_2_client.sync(id=client.client_id,json_body=client, _client=self.hydra_client)
-            if ret is None:
-                raise RuntimeError("could not crate account")
         if type(client.client_id) is not str:
             raise RuntimeError("could not parse client_id from ory-hydra")
         self.client_id = client.client_id

lenticular_cloud/views/oauth2.py

@@ -92,7 +92,7 @@ def init_login_manager(app: Flask) -> None:
     oauth2.register(
         name="custom",
         client_id=hydra_service.client_id,
-        client_secret=hydra_service.client_secret,
+        client_secret=app.config['OAUTH_SECRET'],
         server_metadata_url=f'{base_url}/.well-known/openid-configuration',
         access_token_url=f"{base_url}/oauth2/token",
         authorize_url=f"{base_url}/oauth2/auth",

module.nix

@@ -10,10 +10,6 @@ in
     services.lenticular-cloud = {
       enable = mkEnableOption "lenticluar service enable";
       domain = mkOption {
-        type = lib.types.str;
-        example = "example.com";
-      };
-      service_domain = mkOption {
         type = lib.types.str;
         example = "account.example.com";
       };
@@ -72,10 +68,10 @@ in
     };
 
     services.nginx.enable = true;
-    services.nginx.virtualHosts."${cfg.service_domain}" = {
+    services.nginx.virtualHosts."${cfg.domain}" = {
       addSSL = true;
       enableACME = true;
-      serverName = cfg.service_domain;
+      serverName = cfg.domain;
       locations."/" = {
         recommendedProxySettings = true;
         proxyPass = "http://unix:/run/${username}/web.sock";