commit
182878e16c
@ -0,0 +1 @@ |
||||
kratos-selfservice-ui-node/ |
@ -0,0 +1,102 @@ |
||||
# ORY Kratos as Login Provider for ORY Hydra |
||||
|
||||
**Warning: ** this is a preliminary example and will properly be implemented in ORY Kratos directly. |
||||
|
||||
For now, to run this example execute: |
||||
|
||||
```shell script |
||||
$ docker-compose up --build |
||||
``` |
||||
|
||||
Next, create an OAuth2 Client |
||||
|
||||
```shell script |
||||
$ docker-compose exec hydra \ |
||||
hydra clients create \ |
||||
--endpoint http://127.0.0.1:4445 \ |
||||
--id auth-code-client \ |
||||
--secret secret \ |
||||
--grant-types authorization_code,refresh_token \ |
||||
--response-types code,id_token \ |
||||
--scope openid,offline \ |
||||
--callbacks http://127.0.0.1:5555/callback |
||||
``` |
||||
|
||||
and perform an OAuth2 Authorize Code Flow |
||||
|
||||
```shell script |
||||
$ docker-compose exec hydra \ |
||||
hydra token user \ |
||||
--client-id auth-code-client \ |
||||
--client-secret secret \ |
||||
--endpoint http://hydra.server.lan/ \ |
||||
--port 5555 \ |
||||
--scope openid,offline |
||||
``` |
||||
|
||||
|
||||
|
||||
## Setup |
||||
|
||||
Clone the ui: |
||||
|
||||
```shell script |
||||
./setup.sh |
||||
``` |
||||
|
||||
Spin the containers: |
||||
|
||||
```shell script |
||||
docker-compose build --pull && docker-compose up -d |
||||
``` |
||||
|
||||
## Gitea |
||||
|
||||
Create an OAuth2 Client |
||||
|
||||
```shell script |
||||
$ docker-compose exec hydra \ |
||||
hydra clients create \ |
||||
--endpoint http://127.0.0.1:4445 \ |
||||
--id gitea-client \ |
||||
--secret superSecret \ |
||||
--grant-types authorization_code,refresh_token \ |
||||
--response-types code,id_token \ |
||||
--scope openid,offline \ |
||||
--callbacks http://git.dev.server.lan/user/oauth2/hydra/callback |
||||
``` |
||||
|
||||
and perform an OAuth2 Authorize Code Flow |
||||
|
||||
```shell script |
||||
$ docker-compose exec hydra \ |
||||
hydra token user \ |
||||
--client-id gitea-client \ |
||||
--client-secret superSecret \ |
||||
--endpoint http://hydra.server.lan/ \ |
||||
--port 5555 \ |
||||
--scope openid,offline |
||||
``` |
||||
|
||||
## Nextcloud |
||||
|
||||
```shell script |
||||
hydra clients create \ |
||||
--endpoint http://127.0.0.1:4445 \ |
||||
--id nextcloud \ |
||||
--secret superSecret \ |
||||
--grant-types authorization_code,refresh_token \ |
||||
--response-types code,id_token \ |
||||
--scope openid,offline \ |
||||
--callbacks http://cloud.server.lan/apps/oidc_login/oidc |
||||
``` |
||||
|
||||
```php |
||||
'oidc_login_client_id' => 'nextcloud', |
||||
'oidc_login_client_secret' => 'superSecret', |
||||
'oidc_login_provider_url' => 'http://hydra.server.lan', |
||||
'oidc_login_disable_registration' => false, |
||||
'oidc_login_attributes' => array( |
||||
'id' => 'sub', |
||||
), |
||||
``` |
@ -0,0 +1,125 @@ |
||||
# This docker-compose file sets up ORY Kratos, ORY Hydra, and this app in a network and configures |
||||
# in such a way that ORY Kratos is the Login Provider for ORY Hydra. |
||||
|
||||
version: '3.7' |
||||
|
||||
services: |
||||
hydra-migrate: |
||||
image: oryd/hydra:v1.9.0-sqlite |
||||
environment: |
||||
- DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc |
||||
volumes: |
||||
- hydra-sqlite:/var/lib/sqlite |
||||
command: |
||||
migrate sql -e --yes |
||||
restart: on-failure |
||||
networks: |
||||
- intranet |
||||
|
||||
hydra: |
||||
image: oryd/hydra:v1.9.0-sqlite |
||||
depends_on: |
||||
- hydra-migrate |
||||
expose: |
||||
- "4444" # Public port http://hydra.server.lan |
||||
ports: |
||||
- "4445:4445" # Admin port |
||||
- "5555:5555" # Port for hydra token user |
||||
command: |
||||
serve all --sqa-opt-out --dangerous-force-http --dangerous-allow-insecure-redirect-urls "http://git.dev.server.lan/user/oauth2/hydra/callback","http://cloud.server.lan/apps/oidc_login/oidc" |
||||
restart: on-failure # TODO figure out why we need this (incorporate health check into hydra migrate command?) |
||||
environment: |
||||
- LOG_LEAK_SENSITIVE_VALUES=true |
||||
- URLS_SELF_ISSUER=http://hydra.server.lan |
||||
- URLS_SELF_PUBLIC=http://hydra.server.lan |
||||
- URLS_CONSENT=http://auth.server.lan/auth/hydra/consent |
||||
- URLS_LOGIN=http://auth.server.lan/auth/hydra/login |
||||
- URLS_LOGOUT=http://auth.server.lan/logout |
||||
- SECRETS_SYSTEM=youReallyNeedToChangeThis |
||||
- OIDC_SUBJECT_IDENTIFIERS_SUPPORTED_TYPES=public,pairwise |
||||
- OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT=youReallyNeedToChangeThis |
||||
- DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc |
||||
|
||||
- SERVE_PUBLIC_HOST= |
||||
- PORT=4444 |
||||
|
||||
- VIRTUAL_HOST=hydra.server.lan |
||||
- VIRTUAL_PORT=4444 |
||||
networks: |
||||
- default |
||||
- intranet |
||||
volumes: |
||||
- hydra-sqlite:/var/lib/sqlite |
||||
|
||||
kratos-selfservice-ui-node: |
||||
build: |
||||
context: kratos-selfservice-ui-node |
||||
dockerfile: Dockerfile |
||||
environment: |
||||
- HYDRA_ADMIN_URL=http://hydra:4445 |
||||
- KRATOS_PUBLIC_URL=http://kratos:4433/ |
||||
- KRATOS_ADMIN_URL=http://kratos:4434/ |
||||
- SECURITY_MODE=standalone |
||||
- KRATOS_BROWSER_URL=http://auth.server.lan/.ory/kratos/public |
||||
|
||||
- VIRTUAL_HOST=auth.server.lan |
||||
- VIRTUAL_PORT=3000 |
||||
expose: |
||||
- "3000" # http://auth.server.lan |
||||
networks: |
||||
- default |
||||
- intranet |
||||
volumes: |
||||
- /tmp/ui-node/logs:/root/.npm/_logs |
||||
|
||||
kratos-migrate: |
||||
image: oryd/kratos:v0.5.4-alpha.1-sqlite |
||||
environment: |
||||
- DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc |
||||
volumes: |
||||
- kratos-sqlite:/var/lib/sqlite |
||||
- ./kratos:/etc/config/kratos |
||||
command: |
||||
-c /etc/config/kratos/.kratos.yml migrate sql -e --yes |
||||
restart: on-failure |
||||
networks: |
||||
- intranet |
||||
|
||||
kratos: |
||||
depends_on: |
||||
- kratos-migrate |
||||
image: oryd/kratos:v0.5.4-alpha.1-sqlite |
||||
ports: |
||||
- "4433:4433" # public |
||||
- "4434:4434" # admin |
||||
restart: unless-stopped |
||||
environment: |
||||
- DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true |
||||
command: |
||||
serve -c /etc/config/kratos/.kratos.yml --dev --disable-telemetry |
||||
volumes: |
||||
- kratos-sqlite:/var/lib/sqlite |
||||
- ./kratos:/etc/config/kratos |
||||
networks: |
||||
- intranet |
||||
|
||||
# Sending emails is not part of this demo, so this is commented out: |
||||
# |
||||
# mailslurper: |
||||
# image: oryd/mailslurper:latest-smtps |
||||
# ports: |
||||
# - "4436:4436" |
||||
# - "4437:4437" |
||||
# networks: |
||||
# - intranet |
||||
|
||||
networks: |
||||
default: |
||||
external: |
||||
name: ${NETWORK:-webservices} |
||||
intranet: |
||||
|
||||
volumes: |
||||
kratos-sqlite: |
||||
hydra-sqlite: |
||||
|
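Review bot: `ports: - "4445:4445"` publishes the Hydra admin API on every host interface, and `"4434:4434"` under the `kratos` service does the same for the Kratos admin API, while the README in this commit only reaches the admin endpoint through `docker-compose exec hydra`; both can move to `expose:` or bind to loopback, `- "127.0.0.1:4445:4445"`. The same placeholder `youReallyNeedToChangeThis` is used for both `SECRETS_SYSTEM` and `OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT`, and `LOG_LEAK_SENSITIVE_VALUES=true` together with `--dangerous-force-http` and `--dangerous-allow-insecure-redirect-urls` is left uncommented, so a one-line marker above the `environment:` block would help, e.g. `# demo only: replace SECRETS_SYSTEM and the pairwise salt, and drop LOG_LEAK_SENSITIVE_VALUES and the --dangerous-* flags before sharing this stack`. The `kratos` service DSN omits the `&mode=rwc` that `kratos-migrate` and both hydra services pass; presumably harmless because the migrate container creates the file first, but the two DSNs should match so the dependency is explicit.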
@ -0,0 +1,86 @@ |
||||
serve: |
||||
public: |
||||
base_url: http://auth.server.lan/.ory/kratos/public/ |
||||
port: 4433 |
||||
cors: |
||||
enabled: true |
||||
allowed_origins: |
||||
- http://server.lan |
||||
- http://*.server.lan |
||||
- http://*.dev.server.lan |
||||
allowed_methods: |
||||
- POST |
||||
- GET |
||||
- PUT |
||||
- PATCH |
||||
- DELETE |
||||
admin: |
||||
base_url: http://kratos:4434/ |
||||
|
||||
selfservice: |
||||
default_browser_return_url: http://auth.server.lan/ |
||||
whitelisted_return_urls: |
||||
- http://auth.server.lan/ |
||||
- http://auth.server.lan/auth/hydra/login |
||||
|
||||
methods: |
||||
password: |
||||
enabled: true |
||||
|
||||
flows: |
||||
|
||||
error: |
||||
ui_url: http://auth.server.lan/error |
||||
|
||||
settings: |
||||
ui_url: http://auth.server.lan/settings |
||||
|
||||
verification: |
||||
ui_url: http://auth.server.lan/verification |
||||
enabled: false |
||||
|
||||
recovery: |
||||
ui_url: http://auth.server.lan/recovery |
||||
enabled: false |
||||
|
||||
logout: |
||||
after: |
||||
default_browser_return_url: http://auth.server.lan/auth/login |
||||
|
||||
login: |
||||
ui_url: http://auth.server.lan/auth/login |
||||
|
||||
registration: |
||||
ui_url: http://auth.server.lan/auth/registration |
||||
after: |
||||
password: |
||||
hooks: |
||||
- |
||||
hook: session |
||||
|
||||
log: |
||||
level: debug |
||||
leak_sensitive_values: true |
||||
|
||||
hashers: |
||||
argon2: |
||||
parallelism: 1 |
||||
memory: 131072 |
||||
iterations: 2 |
||||
salt_length: 16 |
||||
key_length: 16 |
||||
|
||||
identity: |
||||
default_schema_url: file:///etc/config/kratos/identity.schema.json |
||||
|
||||
courier: |
||||
smtp: |
||||
connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true |
||||
|
||||
|
||||
session: |
||||
cookie: |
||||
persistent: true |
||||
#same_site: None |
||||
domain: server.lan |
||||
lifespan: 1h |
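Review bot: `session.cookie.domain: server.lan` scopes the Kratos session cookie to `server.lan` and every subdomain, so the `git.dev.server.lan` and `cloud.server.lan` hosts wired into the same compose stack receive it on every request even though they authenticate through Hydra; unless something reads the cookie there, dropping `domain` keeps it on `auth.server.lan`. `log.leak_sensitive_values: true` and the commented-out `#same_site: None` are also left in place, and unlike the sibling Kratos config in this commit there is no `secrets.cookie` stanza here — I would expect Kratos to fall back to a secret generated at startup, which invalidates sessions on restart, but confirm that for v0.5.4. The wildcard `allowed_origins` entries (`http://*.server.lan`, `http://*.dev.server.lan`) plus all five `allowed_methods` grant any host under the domain cross-origin access to the public API; a comment stating which hosts actually need it would make later tightening safer.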
@ -0,0 +1,41 @@ |
||||
{ |
||||
"$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json", |
||||
"$schema": "http://json-schema.org/draft-07/schema#", |
||||
"title": "Person", |
||||
"type": "object", |
||||
"properties": { |
||||
"traits":{ |
||||
"type": "object", |
||||
"properties": { |
||||
"email": { |
||||
"type": "string", |
||||
"format": "email", |
||||
"title": "E-Mail", |
||||
"minLength": 3, |
||||
"ory.sh/kratos": { |
||||
"credentials": { |
||||
"password": { |
||||
"identifier": true |
||||
} |
||||
} |
||||
} |
||||
}, |
||||
"name": { |
||||
"type": "object", |
||||
"properties": { |
||||
"first": { |
||||
"type": "string" |
||||
}, |
||||
"last": { |
||||
"type": "string" |
||||
} |
||||
} |
||||
} |
||||
}, |
||||
"required": [ |
||||
"email" |
||||
] |
||||
} |
||||
}, |
||||
"additionalProperties": false |
||||
} |
@ -0,0 +1,79 @@ |
||||
version: v0.4.6-alpha.1 |
||||
|
||||
dsn: memory |
||||
|
||||
serve: |
||||
public: |
||||
base_url: http://127.0.0.1:4433/ |
||||
cors: |
||||
enabled: true |
||||
admin: |
||||
base_url: http://kratos:4434/ |
||||
|
||||
selfservice: |
||||
default_browser_return_url: http://127.0.0.1:4455/ |
||||
whitelisted_return_urls: |
||||
- http://127.0.0.1:4455 |
||||
|
||||
methods: |
||||
password: |
||||
enabled: true |
||||
|
||||
flows: |
||||
error: |
||||
ui_url: http://127.0.0.1:4455/error |
||||
|
||||
settings: |
||||
ui_url: http://127.0.0.1:4455/settings |
||||
privileged_session_max_age: 15m |
||||
|
||||
recovery: |
||||
enabled: true |
||||
ui_url: http://127.0.0.1:4455/recovery |
||||
|
||||
verification: |
||||
enabled: true |
||||
ui_url: http://127.0.0.1:4455/verify |
||||
after: |
||||
default_browser_return_url: http://127.0.0.1:4455/ |
||||
|
||||
logout: |
||||
after: |
||||
default_browser_return_url: http://127.0.0.1:4455/auth/login |
||||
|
||||
login: |
||||
ui_url: http://127.0.0.1:4455/auth/login |
||||
lifespan: 10m |
||||
|
||||
registration: |
||||
lifespan: 10m |
||||
ui_url: http://127.0.0.1:4455/auth/registration |
||||
after: |
||||
password: |
||||
hooks: |
||||
- |
||||
hook: session |
||||
|
||||
log: |
||||
level: debug |
||||
format: text |
||||
leak_sensitive_values: true |
||||
|
||||
secrets: |
||||
cookie: |
||||
- PLEASE-CHANGE-ME-I-AM-VERY-INSECURE |
||||
|
||||
hashers: |
||||
argon2: |
||||
parallelism: 1 |
||||
memory: 131072 |
||||
iterations: 2 |
||||
salt_length: 16 |
||||
key_length: 16 |
||||
|
||||
identity: |
||||
default_schema_url: file:///etc/config/kratos/identity.schema.json |
||||
|
||||
courier: |
||||
smtp: |
||||
connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true |
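Review bot: `version: v0.4.6-alpha.1` pins this config one minor version behind the `oryd/kratos:v0.5.4-alpha.1-sqlite` image the commit's docker-compose runs, and `secrets.cookie` still holds `PLEASE-CHANGE-ME-I-AM-VERY-INSECURE` alongside `leak_sensitive_values: true` and `skip_ssl_verify=true` in the SMTP URI. Which of the two Kratos configs in this commit is the one mounted at `/etc/config/kratos/.kratos.yml` is not visible from the hunks; if this 127.0.0.1-based one is only the upstream quickstart kept for reference, a header comment such as `# Upstream quickstart copy (127.0.0.1 URLs) kept for reference; see the server.lan config for what docker-compose mounts` would keep it from being used by mistake, and if it is the live one the `version` and cookie secret need updating.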