infra
/
docker-sso
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

First working version

Browse Source
master
Meliurwen 4 years ago
commit 182878e16c
Signed by: meliurwen
GPG Key ID: 818A8B35E9F1CE10
7 changed files with 439 additions and 0 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 1
      .gitignore
  2. 102
      README.md
  3. 125
      docker-compose.yml
  4. 86
      kratos/.kratos.yml
  5. 41
      kratos/identity.schema.json
  6. 79
      kratos/kratos.yml
  7. 5
      setup.sh

1
.gitignore vendored
Unescape View File

@ -0,0 +1 @@
kratos-selfservice-ui-node/

102
README.md
Unescape View File

@ -0,0 +1,102 @@
# ORY Kratos as Login Provider for ORY Hydra
**Warning: ** this is a preliminary example and will properly be implemented in ORY Kratos directly.
For now, to run this example execute:
```shell script
$ docker-compose up --build
```
Next, create an OAuth2 Client
```shell script
$ docker-compose exec hydra \
hydra clients create \
--endpoint http://127.0.0.1:4445 \
--id auth-code-client \
--secret secret \
--grant-types authorization_code,refresh_token \
--response-types code,id_token \
--scope openid,offline \
--callbacks http://127.0.0.1:5555/callback
```
and perform an OAuth2 Authorize Code Flow
```shell script
$ docker-compose exec hydra \
hydra token user \
--client-id auth-code-client \
--client-secret secret \
--endpoint http://hydra.server.lan/ \
--port 5555 \
--scope openid,offline
```
## Setup
Clone the ui:
```shell script
./setup.sh
```
Spin the containers:
```shell script
docker-compose build --pull && docker-compose up -d
```
## Gitea
Create an OAuth2 Client
```shell script
$ docker-compose exec hydra \
hydra clients create \
--endpoint http://127.0.0.1:4445 \
--id gitea-client \
--secret superSecret \
--grant-types authorization_code,refresh_token \
--response-types code,id_token \
--scope openid,offline \
--callbacks http://git.dev.server.lan/user/oauth2/hydra/callback
```
and perform an OAuth2 Authorize Code Flow
```shell script
$ docker-compose exec hydra \
hydra token user \
--client-id gitea-client \
--client-secret superSecret \
--endpoint http://hydra.server.lan/ \
--port 5555 \
--scope openid,offline
```
## Nextcloud
```shell script
hydra clients create \
--endpoint http://127.0.0.1:4445 \
--id nextcloud \
--secret superSecret \
--grant-types authorization_code,refresh_token \
--response-types code,id_token \
--scope openid,offline \
--callbacks http://cloud.server.lan/apps/oidc_login/oidc
```
```php
'oidc_login_client_id' => 'nextcloud',
'oidc_login_client_secret' => 'superSecret',
'oidc_login_provider_url' => 'http://hydra.server.lan',
'oidc_login_disable_registration' => false,
'oidc_login_attributes' => array(
'id' => 'sub',
),
```

125
docker-compose.yml
Unescape View File

@ -0,0 +1,125 @@
# This docker-compose file sets up ORY Kratos, ORY Hydra, and this app in a network and configures
# in such a way that ORY Kratos is the Login Provider for ORY Hydra.
version: '3.7'
services:
hydra-migrate:
image: oryd/hydra:v1.9.0-sqlite
environment:
- DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc
volumes:
- hydra-sqlite:/var/lib/sqlite
command:
migrate sql -e --yes
restart: on-failure
networks:
- intranet
hydra:
image: oryd/hydra:v1.9.0-sqlite
depends_on:
- hydra-migrate
expose:
- "4444" # Public port http://hydra.server.lan
ports:
- "4445:4445" # Admin port
- "5555:5555" # Port for hydra token user
command:
serve all --sqa-opt-out --dangerous-force-http --dangerous-allow-insecure-redirect-urls "http://git.dev.server.lan/user/oauth2/hydra/callback","http://cloud.server.lan/apps/oidc_login/oidc"
restart: on-failure # TODO figure out why we need this (incorporate health check into hydra migrate command?)
environment:
- LOG_LEAK_SENSITIVE_VALUES=true
- URLS_SELF_ISSUER=http://hydra.server.lan
- URLS_SELF_PUBLIC=http://hydra.server.lan
- URLS_CONSENT=http://auth.server.lan/auth/hydra/consent
- URLS_LOGIN=http://auth.server.lan/auth/hydra/login
- URLS_LOGOUT=http://auth.server.lan/logout
- SECRETS_SYSTEM=youReallyNeedToChangeThis
- OIDC_SUBJECT_IDENTIFIERS_SUPPORTED_TYPES=public,pairwise
- OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT=youReallyNeedToChangeThis
- DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc
- SERVE_PUBLIC_HOST=
- PORT=4444
- VIRTUAL_HOST=hydra.server.lan
- VIRTUAL_PORT=4444
networks:
- default
- intranet
volumes:
- hydra-sqlite:/var/lib/sqlite
kratos-selfservice-ui-node:
build:
context: kratos-selfservice-ui-node
dockerfile: Dockerfile
environment:
- HYDRA_ADMIN_URL=http://hydra:4445
- KRATOS_PUBLIC_URL=http://kratos:4433/
- KRATOS_ADMIN_URL=http://kratos:4434/
- SECURITY_MODE=standalone
- KRATOS_BROWSER_URL=http://auth.server.lan/.ory/kratos/public
- VIRTUAL_HOST=auth.server.lan
- VIRTUAL_PORT=3000
expose:
- "3000" # http://auth.server.lan
networks:
- default
- intranet
volumes:
- /tmp/ui-node/logs:/root/.npm/_logs
kratos-migrate:
image: oryd/kratos:v0.5.4-alpha.1-sqlite
environment:
- DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc
volumes:
- kratos-sqlite:/var/lib/sqlite
- ./kratos:/etc/config/kratos
command:
-c /etc/config/kratos/.kratos.yml migrate sql -e --yes
restart: on-failure
networks:
- intranet
kratos:
depends_on:
- kratos-migrate
image: oryd/kratos:v0.5.4-alpha.1-sqlite
ports:
- "4433:4433" # public
- "4434:4434" # admin
restart: unless-stopped
environment:
- DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
command:
serve -c /etc/config/kratos/.kratos.yml --dev --disable-telemetry
volumes:
- kratos-sqlite:/var/lib/sqlite
- ./kratos:/etc/config/kratos
networks:
- intranet
# Sending emails is not part of this demo, so this is commented out:
#
# mailslurper:
# image: oryd/mailslurper:latest-smtps
# ports:
# - "4436:4436"
# - "4437:4437"
# networks:
# - intranet
networks:
default:
external:
name: ${NETWORK:-webservices}
intranet:
volumes:
kratos-sqlite:
hydra-sqlite:

86
kratos/.kratos.yml
Unescape View File

@ -0,0 +1,86 @@
serve:
public:
base_url: http://auth.server.lan/.ory/kratos/public/
port: 4433
cors:
enabled: true
allowed_origins:
- http://server.lan
- http://*.server.lan
- http://*.dev.server.lan
allowed_methods:
- POST
- GET
- PUT
- PATCH
- DELETE
admin:
base_url: http://kratos:4434/
selfservice:
default_browser_return_url: http://auth.server.lan/
whitelisted_return_urls:
- http://auth.server.lan/
- http://auth.server.lan/auth/hydra/login
methods:
password:
enabled: true
flows:
error:
ui_url: http://auth.server.lan/error
settings:
ui_url: http://auth.server.lan/settings
verification:
ui_url: http://auth.server.lan/verification
enabled: false
recovery:
ui_url: http://auth.server.lan/recovery
enabled: false
logout:
after:
default_browser_return_url: http://auth.server.lan/auth/login
login:
ui_url: http://auth.server.lan/auth/login
registration:
ui_url: http://auth.server.lan/auth/registration
after:
password:
hooks:
-
hook: session
log:
level: debug
leak_sensitive_values: true
hashers:
argon2:
parallelism: 1
memory: 131072
iterations: 2
salt_length: 16
key_length: 16
identity:
default_schema_url: file:///etc/config/kratos/identity.schema.json
courier:
smtp:
connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true
session:
cookie:
persistent: true
#same_site: None
domain: server.lan
lifespan: 1h

41
kratos/identity.schema.json
Unescape View File

@ -0,0 +1,41 @@
{
"$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Person",
"type": "object",
"properties": {
"traits":{
"type": "object",
"properties": {
"email": {
"type": "string",
"format": "email",
"title": "E-Mail",
"minLength": 3,
"ory.sh/kratos": {
"credentials": {
"password": {
"identifier": true
}
}
}
},
"name": {
"type": "object",
"properties": {
"first": {
"type": "string"
},
"last": {
"type": "string"
}
}
}
},
"required": [
"email"
]
}
},
"additionalProperties": false
}

79
kratos/kratos.yml
Unescape View File

@ -0,0 +1,79 @@
version: v0.4.6-alpha.1
dsn: memory
serve:
public:
base_url: http://127.0.0.1:4433/
cors:
enabled: true
admin:
base_url: http://kratos:4434/
selfservice:
default_browser_return_url: http://127.0.0.1:4455/
whitelisted_return_urls:
- http://127.0.0.1:4455
methods:
password:
enabled: true
flows:
error:
ui_url: http://127.0.0.1:4455/error
settings:
ui_url: http://127.0.0.1:4455/settings
privileged_session_max_age: 15m
recovery:
enabled: true
ui_url: http://127.0.0.1:4455/recovery
verification:
enabled: true
ui_url: http://127.0.0.1:4455/verify
after:
default_browser_return_url: http://127.0.0.1:4455/
logout:
after:
default_browser_return_url: http://127.0.0.1:4455/auth/login
login:
ui_url: http://127.0.0.1:4455/auth/login
lifespan: 10m
registration:
lifespan: 10m
ui_url: http://127.0.0.1:4455/auth/registration
after:
password:
hooks:
-
hook: session
log:
level: debug
format: text
leak_sensitive_values: true
secrets:
cookie:
- PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
hashers:
argon2:
parallelism: 1
memory: 131072
iterations: 2
salt_length: 16
key_length: 16
identity:
default_schema_url: file:///etc/config/kratos/identity.schema.json
courier:
smtp:
connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true

5
setup.sh
Unescape View File

@ -0,0 +1,5 @@
#!/bin/sh
git clone https://github.com/ory/kratos-selfservice-ui-node.git
cd kratos-selfservice-ui-node || exit
git checkout hydra-integration-2021
Write Preview
Loading…
Cancel
Save