How to boostrap applications using Casdoor?

[SchoolGuy]

I am an application developer and I am integrating Casdoor as my primary authentication and authorization point at the moment. I am planning to lower the barrier of entry for people who want to self-host it as much as possible.

My biggest problem is that I have no way to setup up everything that my application needs out of the box in Casdoor (#2606). Let's assume this is fixed and continue my thoughts.

Now the application needs to know about the relevant Casdoor configuration.

• Regarding the URL this should be fairly easily possible since for less tech-savvy people, I plan on using a containerized solution that enables an internal DNS solution.
• Regarding the organization name, clientId, clientSecret and certificate, I will just assume that the data from initial_data.json is available and allows me to parse this data.

Scripting all of this is trivial in any language and as such one can easily bootstrap this solution in a pre-defined environment.

What is not so easy in my eyes is to ensure that the certificates stay valid over time and are refreshed without trouble for the people using the application.

Is there a reliable way to make those secrets unique to every application instance and still perform a hands-free setup for self-hosting folks?

[hsluoyz]

@SchoolGuy can you list your specific questions in 1, 2, 3?

[SchoolGuy]

Then I only have two questions:

1. How to automatically ensure that bootstrap certificates and secrets are unique to each installation of an application?
2. How to ensure that without user interaction certificates and secrets are automatically rotated for Casdoor to application communication?

[hsluoyz]

I think we are probably not aligned in the same page? Can you use every detailed steps to describe? Can you avoid using phrases like "bootstrap", "installation"? They are not a part of this project.

1. The cert is created by yourself. If you don't provide cert content, Casdoor will fill into the blanks automatically.
2. Does this cert: https://door.casdoor.com/certs/admin/cert-built-in expire? Casdoor never said that that cert will expire. If you really want to renew it, delete it and create a new cert with the same name

[SchoolGuy]

1. Okay now that I know that I can use just a standard OpenSSL x509 certificate that makes things more simple because that means the script can generate those during first startup. Also through looking at random.go I learned that clientId and clientSecret are just random hexadecimal strings with 10 and 20. That can be also generated during first startup.
2. Having a certificate valid for so long, especially to provide access to protected resources is in my eyes not desired. I think switching this at least every year, better every 6 months should be targeted. Since the boostrap is only read during first initialization I think using the API client in golang to rotate this is the most sane way. My application will then have a CLI command that the admin can use to rotate the cert via the HTTP API of Casdoor.