From 182878e16c882c99ccdc04d85cbf000c2254bba6 Mon Sep 17 00:00:00 2001
From: meliurwen
Date: Thu, 25 Mar 2021 00:14:44 +0100
Subject: [PATCH] First working version
---
 .gitignore | 1 +
 README.md | 102 +++++++++++++++++++++++++++++
 docker-compose.yml | 125 ++++++++++++++++++++++++++++++++++++
 kratos/.kratos.yml | 86 +++++++++++++++++++++++++
 kratos/identity.schema.json | 41 ++++++++++++
 kratos/kratos.yml | 79 +++++++++++++++++++++++
 setup.sh | 5 ++
 7 files changed, 439 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 README.md
 create mode 100644 docker-compose.yml
 create mode 100755 kratos/.kratos.yml
 create mode 100755 kratos/identity.schema.json
 create mode 100755 kratos/kratos.yml
 create mode 100755 setup.sh
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..5ee092b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+kratos-selfservice-ui-node/
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..5fae827
--- /dev/null
+++ b/README.md
@@ -0,0 +1,102 @@ +# ORY Kratos as Login Provider for ORY Hydra + +**Warning: ** this is a preliminary example and will properly be implemented in ORY Kratos directly. + +For now, to run this example execute: + +```shell script +$ docker-compose up --build +``` + +Next, create an OAuth2 Client + +```shell script +$ docker-compose exec hydra \ + hydra clients create \ + --endpoint http://127.0.0.1:4445 \ + --id auth-code-client \ + --secret secret \ + --grant-types authorization_code,refresh_token \ + --response-types code,id_token \ + --scope openid,offline \ + --callbacks http://127.0.0.1:5555/callback +``` + +and perform an OAuth2 Authorize Code Flow + +```shell script +$ docker-compose exec hydra \ + hydra token user \ + --client-id auth-code-client \ + --client-secret secret \ + --endpoint http://hydra.server.lan/ \ + --port 5555 \ + --scope openid,offline +``` + + + +## Setup + +Clone the ui: + +```shell script +./setup.sh +``` + +Spin the containers: + +```shell script +docker-compose build --pull && docker-compose up -d +``` + +## Gitea + +Create an OAuth2 Client + +```shell script +$ docker-compose exec hydra \ + hydra clients create \ + --endpoint http://127.0.0.1:4445 \ + --id gitea-client \ + --secret superSecret \ + --grant-types authorization_code,refresh_token \ + --response-types code,id_token \ + --scope openid,offline \ + --callbacks http://git.dev.server.lan/user/oauth2/hydra/callback +``` + +and perform an OAuth2 Authorize Code Flow + +```shell script +$ docker-compose exec hydra \ + hydra token user \ + --client-id gitea-client \ + --client-secret superSecret \ + --endpoint http://hydra.server.lan/ \ + --port 5555 \ + --scope openid,offline +``` + +## Nextcloud + +```shell script +hydra clients create \ + --endpoint http://127.0.0.1:4445 \ + --id nextcloud \ + --secret superSecret \ + --grant-types authorization_code,refresh_token \ + --response-types code,id_token \ + --scope openid,offline \ + --callbacks 
http://cloud.server.lan/apps/oidc_login/oidc +``` + +```php +'oidc_login_client_id' => 'nextcloud', +'oidc_login_client_secret' => 'superSecret', +'oidc_login_provider_url' => 'http://hydra.server.lan', +'oidc_login_disable_registration' => false, +'oidc_login_attributes' => array( + 'id' => 'sub', +), +``` diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..39c5198 --- /dev/null +++ b/docker-compose.yml 
@@ -0,0 +1,125 @@ +# This docker-compose file sets up ORY Kratos, ORY Hydra, and this app in a network and configures +# in such a way that ORY Kratos is the Login Provider for ORY Hydra. + +version: '3.7' + +services: + hydra-migrate: + image: oryd/hydra:v1.9.0-sqlite + environment: + - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc + volumes: + - hydra-sqlite:/var/lib/sqlite + command: + migrate sql -e --yes + restart: on-failure + networks: + - intranet + + hydra: + image: oryd/hydra:v1.9.0-sqlite + depends_on: + - hydra-migrate + expose: + - "4444" # Public port http://hydra.server.lan + ports: + - "4445:4445" # Admin port + - "5555:5555" # Port for hydra token user + command: + serve all --sqa-opt-out --dangerous-force-http --dangerous-allow-insecure-redirect-urls "http://git.dev.server.lan/user/oauth2/hydra/callback","http://cloud.server.lan/apps/oidc_login/oidc" + restart: on-failure # TODO figure out why we need this (incorporate health check into hydra migrate command?) 
+ environment: + - LOG_LEAK_SENSITIVE_VALUES=true + - URLS_SELF_ISSUER=http://hydra.server.lan + - URLS_SELF_PUBLIC=http://hydra.server.lan + - URLS_CONSENT=http://auth.server.lan/auth/hydra/consent + - URLS_LOGIN=http://auth.server.lan/auth/hydra/login + - URLS_LOGOUT=http://auth.server.lan/logout + - SECRETS_SYSTEM=youReallyNeedToChangeThis + - OIDC_SUBJECT_IDENTIFIERS_SUPPORTED_TYPES=public,pairwise + - OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT=youReallyNeedToChangeThis + - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc + + - SERVE_PUBLIC_HOST= + - PORT=4444 + + - VIRTUAL_HOST=hydra.server.lan + - VIRTUAL_PORT=4444 + networks: + - default + - intranet + volumes: + - hydra-sqlite:/var/lib/sqlite + + kratos-selfservice-ui-node: + build: + context: kratos-selfservice-ui-node + dockerfile: Dockerfile + environment: + - HYDRA_ADMIN_URL=http://hydra:4445 + - KRATOS_PUBLIC_URL=http://kratos:4433/ + - KRATOS_ADMIN_URL=http://kratos:4434/ + - SECURITY_MODE=standalone + - KRATOS_BROWSER_URL=http://auth.server.lan/.ory/kratos/public + + - VIRTUAL_HOST=auth.server.lan + - VIRTUAL_PORT=3000 + expose: + - "3000" # http://auth.server.lan + networks: + - default + - intranet + volumes: + - /tmp/ui-node/logs:/root/.npm/_logs + + kratos-migrate: + image: oryd/kratos:v0.5.4-alpha.1-sqlite + environment: + - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc + volumes: + - kratos-sqlite:/var/lib/sqlite + - ./kratos:/etc/config/kratos + command: + -c /etc/config/kratos/.kratos.yml migrate sql -e --yes + restart: on-failure + networks: + - intranet + + kratos: + depends_on: + - kratos-migrate + image: oryd/kratos:v0.5.4-alpha.1-sqlite + ports: + - "4433:4433" # public + - "4434:4434" # admin + restart: unless-stopped + environment: + - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true + command: + serve -c /etc/config/kratos/.kratos.yml --dev --disable-telemetry + volumes: + - kratos-sqlite:/var/lib/sqlite + - ./kratos:/etc/config/kratos + networks: + - intranet + +# 
Sending emails is not part of this demo, so this is commented out: +# +# mailslurper: +# image: oryd/mailslurper:latest-smtps +# ports: +# - "4436:4436" +# - "4437:4437" +# networks: +# - intranet + +networks: + default: + external: + name: ${NETWORK:-webservices} + intranet: + +volumes: + kratos-sqlite: + hydra-sqlite: + diff --git a/kratos/.kratos.yml b/kratos/.kratos.yml new file mode 100755 index 0000000..f2bd136 --- /dev/null +++ b/kratos/.kratos.yml @@ -0,0 +1,86 @@ +serve: + public: + base_url: http://auth.server.lan/.ory/kratos/public/ + port: 4433 + cors: + enabled: true + allowed_origins: + - http://server.lan + - http://*.server.lan + - http://*.dev.server.lan + allowed_methods: + - POST + - GET + - PUT + - PATCH + - DELETE + admin: + base_url: http://kratos:4434/ + +selfservice: + default_browser_return_url: http://auth.server.lan/ + whitelisted_return_urls: + - http://auth.server.lan/ + - http://auth.server.lan/auth/hydra/login + + methods: + password: + enabled: true + + flows: + + error: + ui_url: http://auth.server.lan/error + + settings: + ui_url: http://auth.server.lan/settings + + verification: + ui_url: http://auth.server.lan/verification + enabled: false + + recovery: + ui_url: http://auth.server.lan/recovery + enabled: false + + logout: + after: + default_browser_return_url: http://auth.server.lan/auth/login + + login: + ui_url: http://auth.server.lan/auth/login + + registration: + ui_url: http://auth.server.lan/auth/registration + after: + password: + hooks: + - + hook: session + +log: + level: debug + leak_sensitive_values: true + +hashers: + argon2: + parallelism: 1 + memory: 131072 + iterations: 2 + salt_length: 16 + key_length: 16 + +identity: + default_schema_url: file:///etc/config/kratos/identity.schema.json + +courier: + smtp: + connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true + + +session: + cookie: + persistent: true + #same_site: None + domain: server.lan + lifespan: 1h 
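Review bot: The hydra service is started with both of its cryptographic secrets hard-coded, `SECRETS_SYSTEM=youReallyNeedToChangeThis` and `OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT=youReallyNeedToChangeThis`, together with `LOG_LEAK_SENSITIVE_VALUES=true`, so a copy brought up as-is signs and encrypts state with a published value and writes tokens and credentials to the container log. The file already reads `${NETWORK:-webservices}` from the environment, and the same mechanism fits here: `- SECRETS_SYSTEM=${HYDRA_SECRETS_SYSTEM:?set HYDRA_SECRETS_SYSTEM in .env}` and the same form for the pairwise salt, with `- LOG_LEAK_SENSITIVE_VALUES=${HYDRA_LEAK_SENSITIVE_VALUES:-false}`. The `ports:` entry `"4445:4445"` publishes Hydra's admin API on the host although the README drives it through `docker-compose exec hydra ... --endpoint http://127.0.0.1:4445`, which runs inside the container; the kratos service's `"4434:4434"` looks equally unneeded, so both could become `expose:` entries like the public port 4444. The `--dangerous-force-http` and `--dangerous-allow-insecure-redirect-urls` flags on the serve command deserve an inline comment stating they exist only because this lab runs plain HTTP behind the reverse proxy network.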
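Review bot: `log.leak_sensitive_values: true` is set in the configuration that docker-compose.yml actually mounts and passes as `-c /etc/config/kratos/.kratos.yml`, so identifiers, flow payloads and session tokens are written to the container log at `level: debug`; a reusable config should default to `leak_sensitive_values: false` with a comment that it may be flipped for local debugging. The sibling kratos/kratos.yml declares a `secrets.cookie` entry while this file has none, so it is not clear from the repository which secret signs the session cookie here; either add the block with a value read from the environment rather than a literal, or add a comment stating that Kratos generates one. `session.cookie.domain: server.lan` scopes the Kratos session cookie to every host under server.lan, including the Gitea and Nextcloud hosts named in docker-compose.yml; if that is intended for SSO it deserves a comment, and the disabled `#same_site: None` should either be removed or written as `# same_site: None` with the reason it is off. The courier `connection_uri` embeds `test:test` and `skip_ssl_verify=true` for a mailslurper service that docker-compose.yml has commented out, so a one-line comment noting that the courier is inactive in this demo would save the next reader a search.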
diff --git a/kratos/identity.schema.json b/kratos/identity.schema.json new file mode 100755 index 0000000..2643174 --- /dev/null +++ b/kratos/identity.schema.json @@ -0,0 +1,41 @@ +{ + "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json", + "$schema": "http://json-schema.org/draft-07/schema#", + "title": "Person", + "type": "object", + "properties": { + "traits":{ + "type": "object", + "properties": { + "email": { + "type": "string", + "format": "email", + "title": "E-Mail", + "minLength": 3, + "ory.sh/kratos": { + "credentials": { + "password": { + "identifier": true + } + } + } + }, + "name": { + "type": "object", + "properties": { + "first": { + "type": "string" + }, + "last": { + "type": "string" + } + } + } + }, + "required": [ + "email" + ] + } + }, + "additionalProperties": false +} \ No newline at end of file diff --git a/kratos/kratos.yml b/kratos/kratos.yml new file mode 100755 index 0000000..6c8dfc6 --- /dev/null +++ b/kratos/kratos.yml 
@@ -0,0 +1,79 @@ +version: v0.4.6-alpha.1 + +dsn: memory + +serve: + public: + base_url: http://127.0.0.1:4433/ + cors: + enabled: true + admin: + base_url: http://kratos:4434/ + +selfservice: + default_browser_return_url: http://127.0.0.1:4455/ + whitelisted_return_urls: + - http://127.0.0.1:4455 + + methods: + password: + enabled: true + + flows: + error: + ui_url: http://127.0.0.1:4455/error + + settings: + ui_url: http://127.0.0.1:4455/settings + privileged_session_max_age: 15m + + recovery: + enabled: true + ui_url: http://127.0.0.1:4455/recovery + + verification: + enabled: true + ui_url: http://127.0.0.1:4455/verify + after: + default_browser_return_url: http://127.0.0.1:4455/ + + logout: + after: + default_browser_return_url: http://127.0.0.1:4455/auth/login + + login: + ui_url: http://127.0.0.1:4455/auth/login + lifespan: 10m + + registration: + lifespan: 10m + ui_url: http://127.0.0.1:4455/auth/registration + after: + password: + hooks: + - + hook: session + +log: + level: debug + format: text + leak_sensitive_values: true + +secrets: + cookie: + - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE + +hashers: + argon2: + parallelism: 1 + memory: 131072 + iterations: 2 + salt_length: 16 + key_length: 16 + +identity: + default_schema_url: file:///etc/config/kratos/identity.schema.json + +courier: + smtp: + connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true diff --git a/setup.sh b/setup.sh new file mode 100755 index 0000000..34d4029 --- /dev/null +++ b/setup.sh @@ -0,0 +1,5 @@ +#!/bin/sh + +git clone https://github.com/ory/kratos-selfservice-ui-node.git +cd kratos-selfservice-ui-node || exit +git checkout hydra-integration-2021
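Review bot: kratos/kratos.yml does not appear to be used by anything in this commit: docker-compose.yml starts both kratos services with `-c /etc/config/kratos/.kratos.yml`, this file's `version: v0.4.6-alpha.1` does not match the `oryd/kratos:v0.5.4-alpha.1-sqlite` image, and its `dsn: memory` contradicts the sqlite DSN set in the compose environment. Two divergent Kratos configs side by side invite an edit to the wrong one; either drop this file or open it with a header such as `# Reference copy of the upstream quickstart config; the deployed config is .kratos.yml (see docker-compose.yml)`. If it stays, the literal `secrets.cookie` value `PLEASE-CHANGE-ME-I-AM-VERY-INSECURE` and `leak_sensitive_values: true` should carry the same dev-only caveat so they are not copied into the deployed file.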
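Review bot: `git checkout hydra-integration-2021` checks out a moving branch of a third-party repository rather than a fixed revision, so every run builds whatever that branch contains at the time and then runs it with `HYDRA_ADMIN_URL` and `KRATOS_ADMIN_URL` pointed at the admin APIs (see docker-compose.yml); pinning the reference keeps the build reproducible and reviewable, e.g. `git checkout "${UI_REF:-<pinned-commit-or-tag>}"` with the pinned value recorded in the README. A failed clone is only caught indirectly by `cd kratos-selfservice-ui-node || exit`, and a failed checkout is not caught at all; `set -eu` directly after the shebang covers both and lets the `|| exit` go. A second run fails on the clone because the directory already exists, which a short comment or a `[ -d kratos-selfservice-ui-node ] || git clone ...` guard would address.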