auth

.gitattributes

@@ -0,0 +1,3 @@
+# Force Go as the main language
+*.go linguist-detectable=true
+* linguist-language=Go

.gitignore

@@ -20,4 +20,4 @@
 
 # Go workspace file
 go.work
-
+env.env

Dockerfile

@@ -10,8 +10,6 @@ RUN go mod download
 
 FROM golang:alpine AS builder
 
-RUN apk add git
-
 RUN go install github.com/beego/bee/v2@latest
 
 WORKDIR /oc-auth 

Makefile

@@ -21,15 +21,22 @@ clean:
 	rm -rf oc-auth oc-auth.tar.gz
 
 docker:
-	DOCKER_BUILDKIT=1 docker build -t oc/oc-auth:0.0.1 -f Dockerfile .
-	docker tag oc/oc-auth:0.0.1 oc/oc-auth:latest
-
+	DOCKER_BUILDKIT=1 docker build -t oc-auth -f Dockerfile . --build-arg=HOST=$(HOST)
+	docker tag oc-auth opencloudregistry/oc-auth:latest
+	
 publish-kind:
-	kind load docker-image oc/oc-auth:0.0.1 --name opencloud
+	kind load docker-image opencloudregistry/oc-auth:latest --name $(CLUSTER_NAME) | true
 
 publish-registry:
-	@echo "TODO"
+	docker push opencloudregistry/oc-auth:latest
 
-all: docker publish-kind publish-registry
+docker-deploy:
+	docker compose up -d
+
+run-docker: docker publish-kind publish-registry docker-deploy
+
+all: docker publish-kind
+
+ci: docker publish-registry
 
 .PHONY: build run clean docker publish-kind publish-registry

README.md

@@ -14,3 +14,51 @@ If default Swagger page is displayed instead of tyour api, change url in swagger
 
     url: "swagger.json"
 
+
+┌─────────┐        ┌──────────┐        ┌────────────┐        ┌────────┐
+│ Browser │        │   UI     │        │   Hydra    │        │  API   │
+└────┬────┘        └────┬─────┘        └────┬───────┘        └───┬────┘
+     │                   │                    │                   │
+     │ 1. Click "Login"  │                    │                   │
+     │─────────────────► │                    │                   │
+     │                   │                    │                   │
+     │ 2. Redirect auth  │──────────────────► │                   │
+     │                   │  /oauth2/auth      │                   │
+     │                   │                    │                   │
+     │                   │ ◄──────────────────│                   │
+     │                   │   login challenge  │                   │
+     │                   │                    │                   │
+     │                   │ 3. Login UI        │                   │
+     │                   │  (credentials)     │                   │
+     │                   │                    │                   │
+     │                   │──────────────────► │                   │
+     │                   │  accept login      │                   │
+     │                   │                    │                   │
+     │                   │ ◄──────────────────│                   │
+     │                   │ consent challenge  │                   │
+     │                   │                    │                   │
+     │                   │ 4. CALL API        │                   │
+     │                   │──────────────────────────────────────► │
+     │                   │  fetch peer / roles                    │
+     │                   │                    │                   │
+     │                   │ ◄──────────────────────────────────────│
+     │                   │  peer, permissions                      │
+     │                   │                    │                   │
+     │                   │ 5. Accept consent │                   │
+     │                   │──────────────────► │                   │
+     │                   │  + custom claims   │                   │
+     │                   │                    │                   │
+     │                   │ ◄──────────────────│                   │
+     │                   │ redirect w/ code   │                   │
+     │                   │                    │                   │
+     │ 6. Exchange code  │──────────────────► │                   │
+     │   for token       │   /oauth2/token    │                   │
+     │                   │                    │                   │
+     │ ◄─────────────────│                    │                   │
+     │ 7. JWT access_token                    │                   │
+     │                    (signed + enriched)                     │
+     │                                                           │
+     │ 8. API call with Bearer token                              │
+     │───────────────────────────────────────────────────────────►│
+     │                                                           │
+     │ ◄──────────────────────────────────────────────────────────│

conf/config.go

@@ -12,6 +12,7 @@ type Config struct {
 	LDAPBindDN     string
 	LDAPBindPW     string
 	LDAPBaseDN     string
+	LDAPUserBaseDN string
 	LDAPRoleBaseDN string
 
 	ClientSecret                string
@@ -22,12 +23,12 @@ type Config struct {
 	AuthConnectPublicHost  string
 	AuthConnectorHost      string
 	AuthConnectorPort      int
-	AuthConnectorAdminPort int
+	AuthConnectorAdminPort string
 
 	PermissionConnectorWriteHost string
 	PermissionConnectorReadHost  string
-	PermissionConnectorPort      int
-	PermissionConnectorAdminPort int
+	PermissionConnectorPort      string
+	PermissionConnectorAdminPort string
 
 	Local bool
 }

controllers/oauth2.go

@@ -14,6 +14,7 @@ import (
 	"time"
 
 	oclib "cloud.o-forge.io/core/oc-lib"
+	"cloud.o-forge.io/core/oc-lib/models/peer"
 	model "cloud.o-forge.io/core/oc-lib/models/peer"
 	beego "github.com/beego/beego/v2/server/web"
 )
@@ -70,6 +71,7 @@ func (o *OAuthController) Login() {
 	if conf.GetConfig().SourceMode == "ldap" {
 		ldap := auth_connectors.New()
 		found, err := ldap.Authenticate(o.Ctx.Request.Context(), res.Username, res.Password)
+		fmt.Println("login", clientID, found, err)
 		if err != nil || !found {
 			o.Data["json"] = err
 			o.Ctx.ResponseWriter.WriteHeader(401)
@@ -84,6 +86,7 @@ func (o *OAuthController) Login() {
 				Name:  "csrf_token",
 				Value: o.XSRFToken(),
 			})
+		fmt.Println("login token", token, err)
 		if err != nil || token == nil {
 			o.Data["json"] = err
 			o.Ctx.ResponseWriter.WriteHeader(401)
@@ -225,15 +228,15 @@ func (o *OAuthController) extractOrigin(request *http.Request) (string, string,
 	if t != "" {
 		searchStr = strings.Replace(searchStr, t, "", -1)
 	}
-	peer := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), user, peerID, groups, nil).Search(nil, searchStr, false)
-	if peer.Code != 200 || len(peer.Data) == 0 { // TODO: add state of partnership
+	pp := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), user, peerID, groups, nil).Search(nil, searchStr, false)
+	if pp.Code != 200 || len(pp.Data) == 0 { // TODO: add state of partnership
 		return "", "", external
 	}
-	p := peer.Data[0].(*model.Peer)
+	p := pp.Data[0].(*model.Peer)
 	publicKey = p.PublicKey
-	origin = p.Url
+	origin = p.APIUrl
 	if origin != "" { // is external
-		if strings.Contains(origin, "localhost") || strings.Contains(origin, "127.0.0.1") || p.State == model.SELF {
+		if p.Relation == peer.SELF {
 			external = false
 		}
 	} else {

docker-compose.yml

@@ -20,6 +20,7 @@ services:
           LDAP_BINDDN: cn=admin,dc=example,dc=com
           LDAP_BINDPW: password
           LDAP_BASEDN: "dc=example,dc=com"
+          LDAP_USER_BASEDN: "ou=users,dc=example,dc=com"
           LDAP_ROLE_BASEDN: "ou=AppRoles,dc=example,dc=com"
     networks: 
       - oc

env.env

@@ -0,0 +1,4 @@
+KUBERNETES_SERVICE_HOST=192.168.47.20
+KUBE_CA="LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkekNDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdGMyVnkKZG1WeUxXTmhRREUzTWpNeE1USXdNell3SGhjTk1qUXdPREE0TVRBeE16VTJXaGNOTXpRd09EQTJNVEF4TXpVMgpXakFqTVNFd0h3WURWUVFEREJock0zTXRjMlZ5ZG1WeUxXTmhRREUzTWpNeE1USXdNell3V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFTVlk3ZHZhNEdYTVdkMy9jMlhLN3JLYjlnWXgyNSthaEE0NmkyNVBkSFAKRktQL2UxSVMyWVF0dzNYZW1TTUQxaStZdzJSaVppNUQrSVZUamNtNHdhcnFvMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVWtlUVJpNFJiODduME5yRnZaWjZHClc2SU55NnN3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUlnRXA5ck04WmdNclRZSHYxZjNzOW5DZXZZeWVVa3lZUk4KWjUzazdoaytJS1FDSVFDbk05TnVGKzlTakIzNDFacGZ5ays2NEpWdkpSM3BhcmVaejdMd2lhNm9kdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
+KUBE_CERT="LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJrVENDQVRlZ0F3SUJBZ0lJWUxWNkFPQkdrU1F3Q2dZSUtvWkl6ajBFQXdJd0l6RWhNQjhHQTFVRUF3d1kKYXpOekxXTnNhV1Z1ZEMxallVQXhOekl6TVRFeU1ETTJNQjRYRFRJME1EZ3dPREV3TVRNMU5sb1hEVEkxTURndwpPREV3TVRNMU5sb3dNREVYTUJVR0ExVUVDaE1PYzNsemRHVnRPbTFoYzNSbGNuTXhGVEFUQmdOVkJBTVRESE41CmMzUmxiVHBoWkcxcGJqQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJGQ2Q1MFdPeWdlQ2syQzcKV2FrOWY4MVAvSkJieVRIajRWOXBsTEo0ck5HeHFtSjJOb2xROFYxdUx5RjBtOTQ2Nkc0RmRDQ2dqaXFVSk92Swp3NVRPNnd5alNEQkdNQTRHQTFVZER3RUIvd1FFQXdJRm9EQVRCZ05WSFNVRUREQUtCZ2dyQmdFRkJRY0RBakFmCkJnTlZIU01FR0RBV2dCVFJkOFI5cXVWK2pjeUVmL0ovT1hQSzMyS09XekFLQmdncWhrak9QUVFEQWdOSUFEQkYKQWlFQTArbThqTDBJVldvUTZ0dnB4cFo4NVlMalF1SmpwdXM0aDdnSXRxS3NmUVVDSUI2M2ZNdzFBMm5OVWU1TgpIUGZOcEQwSEtwcVN0Wnk4djIyVzliYlJUNklZCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJlRENDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdFkyeHAKWlc1MExXTmhRREUzTWpNeE1USXdNell3SGhjTk1qUXdPREE0TVRBeE16VTJXaGNOTXpRd09EQTJNVEF4TXpVMgpXakFqTVNFd0h3WURWUVFEREJock0zTXRZMnhwWlc1MExXTmhRREUzTWpNeE1USXdNell3V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFRc3hXWk9pbnIrcVp4TmFEQjVGMGsvTDF5cE01VHAxOFRaeU92ektJazQKRTFsZWVqUm9STW0zNmhPeVljbnN3d3JoNnhSUnBpMW5RdGhyMzg0S0Z6MlBvMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVTBYZkVmYXJsZm8zTWhIL3lmemx6Cnl0OWlqbHN3Q2dZSUtvWkl6ajBFQXdJRFNRQXdSZ0loQUxJL2dNYnNMT3MvUUpJa3U2WHVpRVMwTEE2cEJHMXgKcnBlTnpGdlZOekZsQWlFQW1wdjBubjZqN3M0MVI0QzFNMEpSL0djNE53MHdldlFmZWdEVGF1R2p3cFk9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
+KUBE_DATA="LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU5ZS1BFb1dhd1NKUzJlRW5oWmlYMk5VZlY1ZlhKV2krSVNnV09TNFE5VTlvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFVUozblJZN0tCNEtUWUx0WnFUMS96VS84a0Z2Sk1lUGhYMm1Vc25pczBiR3FZblkyaVZEeApYVzR2SVhTYjNqcm9iZ1YwSUtDT0twUWs2OHJEbE03ckRBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo="

go.mod

@@ -1,11 +1,9 @@
 module oc-auth
 
-go 1.23.0
-
-toolchain go1.23.3
+go 1.24.6
 
 require (
-	cloud.o-forge.io/core/oc-lib v0.0.0-20250219142942-5111c9c8bec7
+	cloud.o-forge.io/core/oc-lib v0.0.0-20260210081202-3bcf0da56aa1
 	github.com/beego/beego/v2 v2.3.1
 	github.com/smartystreets/goconvey v1.7.2
 	go.uber.org/zap v1.27.0
@@ -17,12 +15,13 @@ require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/biter777/countries v1.7.5 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 	github.com/gofrs/uuid v4.3.0+incompatible // indirect
+	github.com/libp2p/go-libp2p/core v0.43.0-rc2 // indirect
 	github.com/nats-io/nats.go v1.37.0 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/robfig/cron v1.2.0 // indirect
-	github.com/rogpeppe/go-internal v1.12.0 // indirect
+	github.com/rogpeppe/go-internal v1.13.1 // indirect
 	go.uber.org/multierr v1.10.0 // indirect
 )
 
@@ -63,11 +62,11 @@ require (
 	github.com/xdg-go/stringprep v1.0.4 // indirect
 	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
 	go.mongodb.org/mongo-driver v1.17.1 // indirect
-	golang.org/x/crypto v0.28.0 // indirect
+	golang.org/x/crypto v0.39.0 // indirect
 	golang.org/x/net v0.30.0 // indirect
-	golang.org/x/sync v0.8.0 // indirect
-	golang.org/x/sys v0.26.0 // indirect
-	golang.org/x/text v0.19.0 // indirect
-	google.golang.org/protobuf v1.35.1 // indirect
+	golang.org/x/sync v0.15.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/text v0.26.0 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -1,7 +1,7 @@
-cloud.o-forge.io/core/oc-lib v0.0.0-20250219104152-3ecb0e9d960b h1:DhRqJdw2VePaYVlsh8OUA3zl+76Q0FWwGu+a+3aOf6s=
-cloud.o-forge.io/core/oc-lib v0.0.0-20250219104152-3ecb0e9d960b/go.mod h1:2roQbUpv3a6mTIr5oU1ux31WbN8YucyyQvCQ0FqwbcE=
-cloud.o-forge.io/core/oc-lib v0.0.0-20250219142942-5111c9c8bec7 h1:fh6SzBPenzIxufIIzExtx4jEE4OhFposqn3EbHFr92Q=
-cloud.o-forge.io/core/oc-lib v0.0.0-20250219142942-5111c9c8bec7/go.mod h1:2roQbUpv3a6mTIr5oU1ux31WbN8YucyyQvCQ0FqwbcE=
+cloud.o-forge.io/core/oc-lib v0.0.0-20260204083845-d9f646aac28b h1:/TkmuO5ERpHJCqNpKBlmzw8pYTVDGcFcDo+e1ndXlm0=
+cloud.o-forge.io/core/oc-lib v0.0.0-20260204083845-d9f646aac28b/go.mod h1:T0UCxRd8w+qCVVC0NEyDiWIGC5ADwEbQ7hFcvftd4Ks=
+cloud.o-forge.io/core/oc-lib v0.0.0-20260210081202-3bcf0da56aa1 h1:CSPqJlSepu0efDRFV8tv62Fg5XP2UwSZKfaaL81YuVY=
+cloud.o-forge.io/core/oc-lib v0.0.0-20260210081202-3bcf0da56aa1/go.mod h1:jmyBwmsac/4V7XPL347qawF60JsBCDmNAMfn/ySXKYo=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
@@ -25,6 +25,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
 github.com/elazarl/go-bindata-assetfs v1.0.1 h1:m0kkaHRKEu7tUIUFVwhGGGYClXvyl4RE03qmvRTNfbw=
 github.com/elazarl/go-bindata-assetfs v1.0.1/go.mod h1:v+YaWX3bdea5J/mo8dSETolEo7R71Vk1u8bnjau5yw4=
 github.com/etcd-io/etcd v3.3.17+incompatible/go.mod h1:cdZ77EstHBwVtD6iTgzgvogwcjo9m4iOqoijouPJ4bs=
@@ -93,6 +95,8 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
+github.com/libp2p/go-libp2p/core v0.43.0-rc2 h1:1X1aDJNWhMfodJ/ynbaGLkgnC8f+hfBIqQDrzxFZOqI=
+github.com/libp2p/go-libp2p/core v0.43.0-rc2/go.mod h1:NYeJ9lvyBv9nbDk2IuGb8gFKEOkIv/W5YRIy1pAJB2Q=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
@@ -132,10 +136,9 @@ github.com/prometheus/common v0.60.1 h1:FUas6GcOw66yB/73KC+BOZoFJmbo/1pojoILArPA
 github.com/prometheus/common v0.60.1/go.mod h1:h0LYf1R1deLSKtD4Vdg8gy4RuOvENW2J/h19V5NADQw=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ=
-github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
 github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
@@ -156,8 +159,8 @@ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81P
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c=
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
 github.com/xdg-go/scram v1.1.2 h1:FHX5I5B4i4hKRVRBCFRxq1iQRej7WO3hhBuJf+UUySY=
@@ -186,6 +189,8 @@ golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDf
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
 golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
+golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
+golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -206,6 +211,8 @@ golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
 golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
+golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -222,6 +229,8 @@ golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
 golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -237,6 +246,8 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
 golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
+golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@@ -245,6 +256,8 @@ golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA=
 google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

infrastructure/auth_connector/hydra_connector.go

@@ -31,7 +31,7 @@ type HydraConnector struct {
 func (a HydraConnector) Status() tools.State {
 	caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
 	var responseBody map[string]interface{}
-	host := conf.GetConfig().AuthConnectorHost
+	host := conf.GetConfig().AuthConnectPublicHost
 	if conf.GetConfig().Local {
 		host = "localhost"
 	}
@@ -80,6 +80,7 @@ func (a HydraConnector) challenge(username string, url string, challenge string,
 	if err != nil {
 		return nil, s[1], cookies, err
 	}
+	fmt.Println(string(b))
 	var token Redirect
 	err = json.Unmarshal(b, &token)
 	if err != nil {
@@ -126,6 +127,7 @@ func (a HydraConnector) tryLog(username string, url string, subpath string, chal
 func (a HydraConnector) getClient(clientID string) string {
 	resp, err := a.Caller.CallGet(a.getPath(true, false), "/clients")
 	if err != nil {
+		fmt.Println(err)
 		return ""
 	}
 	var clients []interface{}
@@ -143,11 +145,16 @@ func (a HydraConnector) getClient(clientID string) string {
 
 func (a HydraConnector) Login(clientID string, username string, cookies ...*http.Cookie) (t *Token, err error) {
 	clientID = a.getClient(clientID)
+	if clientID == "" {
+		return nil, errors.New("no client found")
+	}
 	redirect, _, cookies, err := a.tryLog(username, a.getPath(false, true),
 		"/auth?client_id="+clientID+"&response_type="+strings.ReplaceAll(a.ResponseType, " ", "%20")+"&scope="+strings.ReplaceAll(a.Scopes, " ", "%20")+"&state="+a.State,
 		"login", cookies...)
-	fmt.Println("login", clientID, username, a.getPath(false, true), redirect, err)
 	if err != nil || redirect == nil {
+		if redirect == nil {
+			return nil, errors.New("no oauth redirection " + clientID)
+		}
 		return nil, err
 	}
 	redirect, _, cookies, err = a.tryLog(username, a.urlFormat(redirect.RedirectTo, a.getPath(false, true)), "", "consent", cookies...)
@@ -177,16 +184,19 @@ func (a HydraConnector) Login(clientID string, username string, cookies ...*http
 	var m map[string]interface{}
 	defer resp.Body.Close()
 	b, err := io.ReadAll(resp.Body)
+	fmt.Println("login", b, err, a.getPath(false, true), "/token")
 	if err != nil {
 		return nil, err
 	}
 	err = json.Unmarshal(b, &token)
+	fmt.Println("login2", token, err)
 	if err != nil {
 		return nil, err
 	}
 	json.Unmarshal(b, &m)
 	pp := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), "", "", []string{}, nil).Search(nil, strconv.Itoa(peer.SELF.EnumIndex()), false)
 	if len(pp.Data) == 0 || pp.Code >= 300 || pp.Err != "" {
+		fmt.Println(pp.Data, pp.Code, pp.Err, strconv.Itoa(peer.SELF.EnumIndex()))
 		return nil, errors.New("peer not found")
 	}
 	now := time.Now().UTC()
@@ -244,6 +254,7 @@ func (a HydraConnector) Introspect(token string, cookie ...*http.Cookie) (bool,
 	}
 	var introspect Token
 	err = json.Unmarshal(b, &introspect)
+	fmt.Println(introspect.Active, token)
 	if err != nil {
 		return false, err
 	}
@@ -252,13 +263,16 @@ func (a HydraConnector) Introspect(token string, cookie ...*http.Cookie) (bool,
 }
 
 func (a HydraConnector) getPath(isAdmin bool, isOauth bool) string {
-	host := conf.GetConfig().AuthConnectorHost
+	host := conf.GetConfig().AuthConnectPublicHost
+	if isAdmin {
+		host = conf.GetConfig().AuthConnectorHost
+	}
 	if conf.GetConfig().Local {
 		host = "localhost"
 	}
 	port := fmt.Sprintf("%v", conf.GetConfig().AuthConnectorPort)
 	if isAdmin {
-		port = fmt.Sprintf("%v", conf.GetConfig().AuthConnectorAdminPort) + "/admin"
+		port = fmt.Sprintf("%v", conf.GetConfig().AuthConnectorAdminPort)
 	}
 	oauth := ""
 	if isOauth {

infrastructure/auth_connector/ldap.go

@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"log"
 	"net"
 	"oc-auth/conf"
 	"strings"
@@ -48,6 +49,7 @@ type Config struct {
 	BindPass       string            `envconfig:"bindpw" json:"-" desc:"a LDAP bind password"`
 	BaseDN         string            `envconfig:"basedn" required:"true" desc:"a LDAP base DN for searching users"`
 	AttrClaims     map[string]string `envconfig:"attr_claims" default:"name:name,sn:family_name,givenName:given_name,mail:email" desc:"a mapping of LDAP attributes to OpenID connect claims"`
+	UserBaseDN     string            `envconfig:"user_basedn" required:"true" desc:"a LDAP base DN for searching users"`
 	RoleBaseDN     string            `envconfig:"role_basedn" required:"true" desc:"a LDAP base DN for searching roles"`
 	RoleAttr       string            `envconfig:"role_attr" default:"description" desc:"a LDAP group's attribute that contains a role's name"`
 	RoleClaim      string            `envconfig:"role_claim" default:"https://github.com/i-core/werther/claims/roles" desc:"a name of an OpenID Connect claim that contains user roles"`
@@ -64,11 +66,12 @@ func New() *Client {
 		BindDN:     conf.GetConfig().LDAPBindDN,
 		BindPass:   conf.GetConfig().LDAPBindPW,
 		BaseDN:     conf.GetConfig().LDAPBaseDN,
+		UserBaseDN: conf.GetConfig().LDAPUserBaseDN,
 		RoleBaseDN: conf.GetConfig().LDAPRoleBaseDN,
 	}
 	return &Client{
 		Config:    cnf,
-		connector: &ldapConnector{BaseDN: cnf.BaseDN, RoleBaseDN: cnf.RoleBaseDN, IsTLS: cnf.IsTLS},
+		connector: &ldapConnector{BaseDN: cnf.BaseDN, RoleBaseDN: cnf.RoleBaseDN, UserBaseDN: cnf.UserBaseDN, IsTLS: cnf.IsTLS},
 		cache:     freecache.NewCache(cnf.CacheSize * 1024),
 	}
 }
@@ -83,27 +86,27 @@ func (cli *Client) Authenticate(ctx context.Context, username string, password s
 	if username == "" || password == "" {
 		return false, nil
 	}
-
 	var cancel context.CancelFunc
 	ctx, cancel = context.WithCancel(ctx)
-
+	fmt.Println("Connect", ctx, username, password)
 	cn, ok := <-cli.connect(ctx)
 	cancel()
 	if !ok {
 		return false, errConnectionTimeout
 	}
 	defer cn.Close()
-
+	fmt.Println("findBasicUserDetails", cn, username, password)
 	// Find a user DN by his or her username.
 	details, err := cli.findBasicUserDetails(cn, username, []string{"dn"})
-	if err != nil {
+	if err != nil || details == nil {
 		return false, err
 	}
-	if details == nil {
-		return false, nil
-	}
+	fmt.Println(details)
 	a := details["dn"]
+	fmt.Println(a)
+	log.Println("Binding DN:", a[0], "with password:", password)
 	if err := cn.Bind(a[0], password); err != nil {
+		fmt.Println(err)
 		if err == errInvalidCredentials {
 			return false, nil
 		}
@@ -280,7 +283,7 @@ func (cli *Client) connect(ctx context.Context) <-chan conn {
 
 			cn, err := cli.connector.Connect(ctx, addr)
 			if err != nil {
-				fmt.Println("Failed to create a LDAP connection", "address", addr)
+				fmt.Println("Failed to create a LDAP connection", "address", addr, err)
 				return
 			}
 			select {
@@ -300,6 +303,7 @@ func (cli *Client) connect(ctx context.Context) <-chan conn {
 }
 
 func (cli *Client) findRoles(cn conn, attrs ...string) (map[string]LDAPRoles, error) {
+	fmt.Println("cli", cli.BindDN, cli.BindPass)
 	if cli.BindDN != "" {
 		// We need to login to a LDAP server with a service account for retrieving user data.
 		if err := cn.Bind(cli.BindDN, cli.BindPass); err != nil {
@@ -372,19 +376,20 @@ func (cli *Client) findRoles(cn conn, attrs ...string) (map[string]LDAPRoles, er
 
 // findBasicUserDetails finds user's LDAP attributes that were specified. It returns nil if no such user.
 func (cli *Client) findBasicUserDetails(cn conn, username string, attrs []string) (map[string][]string, error) {
+	fmt.Println("Second woth : ", cli.BindDN, cli.BindPass)
 	if cli.BindDN != "" {
 		// We need to login to a LDAP server with a service account for retrieving user data.
 		if err := cn.Bind(cli.BindDN, cli.BindPass); err != nil {
 			return nil, errors.New(err.Error() + " : failed to login to a LDAP woth a service account")
 		}
 	}
-
 	entries, err := cn.SearchUser(username, attrs...)
 	if err != nil {
 		return nil, err
 	}
-	if len(entries) != 1 {
+	if len(entries) == 0 {
 		// We didn't find the user.
+		fmt.Println("user not found")
 		return nil, nil
 	}
 
@@ -403,6 +408,7 @@ func (cli *Client) findBasicUserDetails(cn conn, username string, attrs []string
 type ldapConnector struct {
 	BaseDN     string
 	RoleBaseDN string
+	UserBaseDN string
 	IsTLS      bool
 }
 
@@ -424,12 +430,13 @@ func (c *ldapConnector) Connect(ctx context.Context, addr string) (conn, error)
 	ldapcn := ldap.NewConn(tcpcn, c.IsTLS)
 
 	ldapcn.Start()
-	return &ldapConn{Conn: ldapcn, BaseDN: c.BaseDN, RoleBaseDN: c.RoleBaseDN}, nil
+	return &ldapConn{Conn: ldapcn, BaseDN: c.BaseDN, UserBaseDN: c.UserBaseDN, RoleBaseDN: c.RoleBaseDN}, nil
 }
 
 type ldapConn struct {
 	*ldap.Conn
 	BaseDN     string
+	UserBaseDN string
 	RoleBaseDN string
 }
 
@@ -445,7 +452,7 @@ func (c *ldapConn) SearchUser(user string, attrs ...string) ([]map[string][]stri
 	query := fmt.Sprintf(
 		"(&(|(objectClass=organizationalPerson)(objectClass=inetOrgPerson))"+
 			"(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))", user)
-	return c.searchEntries(c.BaseDN, query, attrs)
+	return c.searchEntries(c.UserBaseDN, query, attrs)
 }
 
 func (c *ldapConn) SearchUserRoles(user string, attrs ...string) ([]map[string][]string, error) {
@@ -463,15 +470,17 @@ func (c *ldapConn) SearchRoles(attrs ...string) ([]map[string][]string, error) {
 
 // searchEntries executes a LDAP query, and returns a result as entries where each entry is mapping of LDAP attributes.
 func (c *ldapConn) searchEntries(baseDN, query string, attrs []string) ([]map[string][]string, error) {
+	fmt.Println(baseDN, query, attrs)
 	req := ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, query, attrs, nil)
 	res, err := c.Search(req)
 	if err != nil {
 		return nil, err
 	}
+	fmt.Println(res.Entries)
 
 	var entries []map[string][]string
 	for _, v := range res.Entries {
-		entry := map[string][]string{"dn": []string{v.DN}}
+		entry := map[string][]string{"dn": {v.DN}}
 		for _, attr := range v.Attributes {
 			// We need the first value only for the named attribute.
 			entry[attr.Name] = attr.Values

infrastructure/claims/hydra_claims.go

@@ -144,7 +144,7 @@ func (h HydraClaims) AddClaimsToToken(clientID string, userId string, p *peer.Pe
 		}
 		claims.Session.AccessToken[key] = perm.Subject
 	}
-	sign, err := h.encodeSignature(p.Url)
+	sign, err := h.encodeSignature(p.APIUrl)
 	if err != nil {
 		return claims
 	}

main.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"oc-auth/conf"
@@ -9,6 +10,7 @@ import (
 	auth_connectors "oc-auth/infrastructure/auth_connector"
 	_ "oc-auth/routers"
 	"os"
+	"runtime/debug"
 	"strconv"
 	"strings"
 	"time"
@@ -18,7 +20,7 @@ import (
 	"cloud.o-forge.io/core/oc-lib/models/utils"
 	"cloud.o-forge.io/core/oc-lib/tools"
 	beego "github.com/beego/beego/v2/server/web"
-	"github.com/beego/beego/v2/server/web/filter/cors"
+	"github.com/i-core/rlog"
 )
 
 const appname = "oc-auth"
@@ -28,10 +30,9 @@ const appname = "oc-auth"
 // @name Authorization
 // @description Type "Bearer" followed by a space and JWT token.
 func main() {
-	// Init the oc-lib
-	oclib.Init(appname)
+	oclib.InitAPI(appname)
 	// Load the right config file
-	o := oclib.GetConfLoader()
+	o := oclib.GetConfLoader(appname)
 
 	conf.GetConfig().AdminRole = o.GetStringDefault("ADMIN_ROLE", "admin")
 	conf.GetConfig().PublicKeyPath = o.GetStringDefault("PUBLIC_KEY_PATH", "./pem/public.pem")
@@ -43,11 +44,11 @@ func main() {
 	conf.GetConfig().AuthConnectorHost = o.GetStringDefault("AUTH_CONNECTOR_HOST", "localhost")
 	conf.GetConfig().AuthConnectPublicHost = o.GetStringDefault("AUTH_CONNECTOR_PUBLIC_HOST", "localhost")
 	conf.GetConfig().AuthConnectorPort = o.GetIntDefault("AUTH_CONNECTOR_PORT", 4444)
-	conf.GetConfig().AuthConnectorAdminPort = o.GetIntDefault("AUTH_CONNECTOR_ADMIN_PORT", 4445)
+	conf.GetConfig().AuthConnectorAdminPort = o.GetStringDefault("AUTH_CONNECTOR_ADMIN_PORT", "4445/admin")
 	conf.GetConfig().PermissionConnectorWriteHost = o.GetStringDefault("PERMISSION_CONNECTOR_WRITE_HOST", "keto")
 	conf.GetConfig().PermissionConnectorReadHost = o.GetStringDefault("PERMISSION_CONNECTOR_READ_HOST", "keto")
-	conf.GetConfig().PermissionConnectorPort = o.GetIntDefault("PERMISSION_CONNECTOR_PORT", 4466)
-	conf.GetConfig().PermissionConnectorAdminPort = o.GetIntDefault("PERMISSION_CONNECTOR_ADMIN_PORT", 4467)
+	conf.GetConfig().PermissionConnectorPort = o.GetStringDefault("PERMISSION_CONNECTOR_PORT", "4466")
+	conf.GetConfig().PermissionConnectorAdminPort = o.GetStringDefault("PERMISSION_CONNECTOR_ADMIN_PORT", "4467")
 	conf.GetConfig().Local = o.GetBoolDefault("LOCAL", true)
 
 	// config LDAP
@@ -56,44 +57,41 @@ func main() {
 	conf.GetConfig().LDAPBindDN = o.GetStringDefault("LDAP_BINDDN", "cn=admin,dc=example,dc=com")
 	conf.GetConfig().LDAPBindPW = o.GetStringDefault("LDAP_BINDPW", "password")
 	conf.GetConfig().LDAPBaseDN = o.GetStringDefault("LDAP_BASEDN", "dc=example,dc=com")
+	conf.GetConfig().LDAPUserBaseDN = o.GetStringDefault("LDAP_USER_BASEDN", "ou=users,dc=example,dc=com")
 	conf.GetConfig().LDAPRoleBaseDN = o.GetStringDefault("LDAP_ROLE_BASEDN", "ou=AppRoles,dc=example,dc=com")
 	go generateSelfPeer()
 	go generateRole()
 	go discovery()
-	beego.BConfig.Listen.HTTPPort = o.GetIntDefault("port", 8080)
-	beego.InsertFilter("*", beego.BeforeRouter, cors.Allow(&cors.Options{
-		AllowAllOrigins:  true,
-		AllowMethods:     []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
-		AllowHeaders:     []string{"Origin", "Authorization", "Content-Type"},
-		ExposeHeaders:    []string{"Content-Length", "Content-Type"},
-		AllowCredentials: true,
-	}))
+
 	beego.Run()
 }
 
 func generateRole() {
 	defer func() {
 		if r := recover(); r != nil {
-			fmt.Println("Recovered in f", r)
+			fmt.Println("generateRole Recovered in f", r, debug.Stack())
 		}
 	}()
 	// if from ldap, create roles from ldap
 	if conf.GetConfig().SourceMode == "ldap" {
-		ldap := auth_connectors.New()
-		roles, err := ldap.GetRoles(context.Background())
-		if err == nil {
-			fmt.Println("ROLE", roles)
-			for _, role := range roles {
-				for r, m := range role.Members {
-					infrastructure.GetPermissionConnector("").CreateRole(r)
-					for _, p := range m {
-						infrastructure.GetPermissionConnector("").BindRole(r, p)
+		for {
+			ldap := auth_connectors.New()
+			roles, err := ldap.GetRoles(context.Background())
+			if err == nil {
+				fmt.Println("ROLE", roles)
+				for _, role := range roles {
+					for r, m := range role.Members {
+						infrastructure.GetPermissionConnector("").CreateRole(r)
+						for _, p := range m {
+							infrastructure.GetPermissionConnector("").BindRole(r, p)
+						}
 					}
 				}
+				break
+			} else {
+				time.Sleep(10 * time.Second) // Pause execution for 10 seconds
+				continue
 			}
-		} else {
-			time.Sleep(10 * time.Second) // Pause execution for 10 seconds
-			generateRole()
 		}
 	}
 }
@@ -101,76 +99,96 @@ func generateRole() {
 func generateSelfPeer() error {
 	defer func() {
 		if r := recover(); r != nil {
-			fmt.Println("Recovered in f", r)
+			fmt.Println("generateSelfPeer Recovered in f", r, debug.Stack())
 		}
 	}()
-	// TODO check if files at private & public path are set
-	// check if files at private & public path are set
-	if _, err := os.Stat(conf.GetConfig().PrivateKeyPath); errors.Is(err, os.ErrNotExist) {
-		return errors.New("private key path does not exist")
-	}
-	if _, err := os.Stat(conf.GetConfig().PublicKeyPath); errors.Is(err, os.ErrNotExist) {
-		return errors.New("public key path does not exist")
-	}
-	// check if peer already exists
-	p := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), "", "", []string{}, nil).Search(nil, strconv.Itoa(peer.SELF.EnumIndex()), false)
-	file := ""
-	f, err := os.ReadFile(conf.GetConfig().PublicKeyPath)
-	if err != nil {
-		return err
-	}
-	file = string(f)
-	if len(p.Data) > 0 {
-		// check public key with the one in the database
-		// compare the public key from file with the one in the database
-		if !strings.Contains(file, p.Data[0].(*peer.Peer).PublicKey) {
-			return errors.New("public key is different from the one in the database")
+	log := rlog.FromContext(context.Background()).Sugar()
+	for {
+		// TODO check if files at private & public path are set
+		// check if files at private & public path are set
+		if _, err := os.Stat(conf.GetConfig().PrivateKeyPath); errors.Is(err, os.ErrNotExist) {
+			return errors.New("private key path does not exist")
 		}
-		return nil
-	}
-	// create a new peer
-	o := oclib.GetConfLoader()
-	peer := &peer.Peer{
-		Url: o.GetStringDefault("HOSTNAME", "http://localhost"),
-		AbstractObject: utils.AbstractObject{
-			Name: o.GetStringDefault("NAME", "local"),
-		},
-		PublicKey:     file,
-		State:         peer.SELF,
-		WalletAddress: "my-wallet",
-	}
-	data := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), "", "", []string{}, nil).StoreOne(peer.Serialize(peer))
-	if data.Err != "" {
-		time.Sleep(10 * time.Second) // Pause execution for 10 seconds
-		generateSelfPeer()
-		return errors.New(data.Err)
+		if _, err := os.Stat(conf.GetConfig().PublicKeyPath); errors.Is(err, os.ErrNotExist) {
+			return errors.New("public key path does not exist")
+		}
+		// check if peer already exists
+		p := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), "", "", []string{}, nil).Search(nil, strconv.Itoa(peer.SELF.EnumIndex()), false)
+		file := ""
+		f, err := os.ReadFile(conf.GetConfig().PublicKeyPath)
+		if err != nil {
+			time.Sleep(10 * time.Second)
+			log.Error(err)
+			continue
+		}
+		file = string(f)
+		if len(p.Data) > 0 {
+			// check public key with the one in the database
+			// compare the public key from file with the one in the database
+			if !strings.Contains(file, p.Data[0].(*peer.Peer).PublicKey) {
+				return errors.New("public key is different from the one in the database")
+			}
+			return nil
+		}
+		// create a new peer
+		o := oclib.GetConfLoader(appname)
+		peer := &peer.Peer{
+			APIUrl:      o.GetStringDefault("HOSTNAME", "http://localhost"),
+			NATSAddress: oclib.GetConfig().NATSUrl,
+			AbstractObject: utils.AbstractObject{
+				Name: o.GetStringDefault("NAME", "local"),
+			},
+			PublicKey:     file,
+			Relation:      peer.SELF,
+			State:         peer.ONLINE,
+			WalletAddress: "my-wallet",
+		}
+		data := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), "", "", []string{}, nil).StoreOne(peer.Serialize(peer))
+		if data.Err != "" {
+			time.Sleep(10 * time.Second) // Pause execution for 10 seconds
+			log.Error(err)
+			continue
+		}
+		break
 	}
+
 	return nil
 }
 
 func discovery() {
 	defer func() {
 		if r := recover(); r != nil {
-			fmt.Println("Recovered in f", r)
+			fmt.Println("discovery Recovered in f", r, debug.Stack())
 		}
 	}()
-	api := tools.API{}
-	conn := infrastructure.GetPermissionConnector("")
-	fmt.Println("AdminRole", conn, conf.GetConfig().PermissionConnectorWriteHost)
-	_, _, err := conn.CreateRole(conf.GetConfig().AdminRole)
-	if err != nil {
-		time.Sleep(10 * time.Second) // Pause execution for 10 seconds
-		discovery()
-		return
-	}
-	conn.BindRole(conf.GetConfig().AdminRole, "admin")
-	addPermissions := func(m map[string]interface{}) {
-		for k, v := range m {
-			for _, p := range v.([]interface{}) {
-				conn.CreatePermission(k, p.(string), true)
+	for {
+		api := tools.API{}
+		conn := infrastructure.GetPermissionConnector("")
+		fmt.Println("AdminRole", conn, conf.GetConfig().PermissionConnectorWriteHost)
+		_, _, err := conn.CreateRole(conf.GetConfig().AdminRole)
+		if err != nil {
+			time.Sleep(10 * time.Second) // Pause execution for 10 seconds
+			continue
+		}
+		conn.BindRole(conf.GetConfig().AdminRole, "admin")
+		addPermissions := func(m tools.NATSResponse) {
+			var resp map[string][]interface{}
+			json.Unmarshal(m.Payload, &resp)
+			for k, v := range resp {
+				for _, p := range v {
+					conn.CreatePermission(k, p.(string), true)
+				}
 			}
 		}
+		api.ListenRouter(addPermissions)
+		b, _ := json.Marshal(map[string]interface{}{})
+		tools.NewNATSCaller().SetNATSPub(tools.DISCOVERY, tools.NATSResponse{
+			FromApp:  "oc-auth",
+			Datatype: -1,
+			User:     "root",
+			Method:   tools.GET.EnumIndex(),
+			Payload:  b,
+		})
+		break
 	}
-	api.ListenRouter(addPermissions)
-	tools.NewNATSCaller().SetNATSPub("api", tools.DISCOVERY, map[string]interface{}{})
 }