Authentification via OpenID Connect #6

Manually merged
wpetit merged 2 commits from feature/hydra-integration into develop 2020-06-21 11:27:52 +02:00
9 changed files with 141 additions and 7 deletions


@ -5,7 +5,7 @@ deps:
cd frontend && npm install cd frontend && npm install
up: build up: build
( cd frontend && npm run server ) & USER_ID=$(shell id -u) docker-compose up && wait ( cd frontend && NODE_ENV=development npm run server ) & USER_ID=$(shell id -u) docker-compose up && wait
sg: sg:
docker-compose exec -u $(shell id -u) super-graph sh docker-compose exec -u $(shell id -u) super-graph sh
@ -18,3 +18,6 @@ down:
db-shell: db-shell:
docker-compose exec postgres psql -Usupergraph docker-compose exec postgres psql -Usupergraph
hydra-shell:
docker-compose exec hydra /bin/sh


@ -28,6 +28,9 @@ Les services suivants devraient être disponibles après démarrage de l'environ
|Application React|HTTP (UI)|http://localhost:8081/|Page d'accueil de l'application React (serveur Webpack)| |Application React|HTTP (UI)|http://localhost:8081/|Page d'accueil de l'application React (serveur Webpack)|
|Interface Web GraphQL|HTTP (UI)|http://localhost:8080/|Interface Web de développement de l'API GraphQL| |Interface Web GraphQL|HTTP (UI)|http://localhost:8080/|Interface Web de développement de l'API GraphQL|
|Serveur GraphQL|HTTP (GraphQL)|http://localhost:8080/api/v1/graphql|Point d'entrée de l'API GraphQL| |Serveur GraphQL|HTTP (GraphQL)|http://localhost:8080/api/v1/graphql|Point d'entrée de l'API GraphQL|
|Serveur Hydra|HTTP (ReST)|http://localhost:4444|Point d'entrée pour l'API OAuth2 d'[Hydra](https://www.ory.sh/hydra/docs/)|
|Serveur Hydra Passwordless|HTTP|http://localhost:3000|Point d'entrée pour la ["Login/Consent App"](https://www.ory.sh/hydra/docs/implementing-consent) [hydra-passwordless](https://forge.cadoles.com/wpetit/hydra-passwordless)|
|Serveur FakeSMTP|HTTP|http://localhost:8082|Interface web du serveur [FakeSMTP](https://forge.cadoles.com/wpetit/fake-smtp)
|Serveur PostgreSQL|TCP/IP (PostgreSQL)|`127.0.0.1:5432`|Port de connexion à la base de données PostgreSQL de développement| |Serveur PostgreSQL|TCP/IP (PostgreSQL)|`127.0.0.1:5432`|Port de connexion à la base de données PostgreSQL de développement|
#### Fichiers/répertoires notables #### Fichiers/répertoires notables
@ -46,6 +49,10 @@ Les services suivants devraient être disponibles après démarrage de l'environ
|`make down`|Stopper et supprimer l'environnement de développement.| |`make down`|Stopper et supprimer l'environnement de développement.|
|`make db-shell`|Ouvrir une console `psql` sur la base de données de développement.| |`make db-shell`|Ouvrir une console `psql` sur la base de données de développement.|
#### Ressources
- [Execute an Authorization Code Grant Flow with PKCE](https://auth0.com/docs/api-auth/tutorials/authorization-code-grant-pkce)
## Licence ## Licence
AGPL-3.0 AGPL-3.0


@ -20,11 +20,69 @@ services:
- postgres - postgres
ports: ports:
- 8080:8080 - 8080:8080
postgres: postgres:
image: postgres:12-alpine build:
context: ./misc/containers/postgres
args:
- HTTP_PROXY=${HTTP_PROXY}
- HTTPS_PROXY=${HTTPS_PROXY}
- http_proxy=${http_proxy}
- https_proxy=${https_proxy}
environment: environment:
- POSTGRES_PASSWORD=daddy - POSTGRES_PASSWORD=postgres
- POSTGRES_USER=daddy
- POSTGRES_DB=daddy
ports: ports:
- 5432:5432 - 5432:5432
volumes:
- postgres_data:/var/lib/postgresql/data
hydra:
build:
context: ./misc/containers/hydra
environment:
DSN: postgres://hydra:hydra@postgres:5432/hydra
URLS_LOGIN: http://localhost:3000/login
URLS_CONSENT: http://localhost:3000/consent
URLS_LOGOUT: http://localhost:3000/logout
SUPPORTED_SCOPES: email
SUPPORTED_CLAIMS: email,email_verified
SECRETS_SYSTEM: fAAya66yXNib52lbXpo16bxy1jD4NZrX
HYDRA_ADMIN_URL: http://localhost:4445
ports:
- 4444:4444
command: hydra serve all --dangerous-force-http
hydra-passwordless:
image: bornholm/hydra-passwordless
ports:
- 3000:3000
environment:
- HTTP_COOKIE_AUTHENTICATION_KEY=XNFEWQwYB9WiVSnkHoFnMtNDL6X88apR4DmDBwh7gVgdJ3LTdLRLwGZAALnVN2yg
- HTTP_COOKIE_ENCRYPTION_KEY=xtHEd36Uo4DFeS2JgPPm94fPBfinY3xi
- HTTP_TOKEN_AUTHENTICATION_KEY=sGToi4yiP5yWrZzKdKaDA3XNpkcg9CRAaycuhr5gy2XnPKzUS7N6wGEFhMq9WPuf
- HTTP_TOKEN_ENCRYPTION_KEY=LAbuEWUeNDCLniRcyjiBCZ8ecgwN9Van
- SMTP_HOST=smtp
- SMTP_PORT=2525
- SMTP_USE_START_TLS=false
- SMTP_USER=
- SMTP_PASSWORD=
- SMTP_INSECURE_SKIP_VERIFY=true
- HYDRA_BASE_URL=http://hydra:4445
- HYDRA_FAKE_SSL_TERMINATION=false
smtp:
image: bornholm/fake-smtp
ports:
- 8082:8080
- 2525:2525
environment:
- FAKESMTP_SMTP_ADDRESS=:2525
- FAKESMTP_SMTP_DEBUG=true
- FAKESMTP_SMTP_USERNAME=
- FAKESMTP_SMTP_PASSWORD=
- FAKESMTP_SMTP_ALLOWINSECUREAUTH=true
volumes:
- /etc/localtime:/etc/localtime:ro
- /etc/timezone:/etc/timezone:ro
volumes:
postgres_data:
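Review bot: The hydra `SECRETS_SYSTEM` value, the four `HTTP_COOKIE_*`/`HTTP_TOKEN_*` keys on hydra-passwordless and the `hydra:hydra` password embedded in `DSN` are committed as clear-text literals in this compose file. The same hunk already reads `${HTTP_PROXY}`-style variables for the postgres build args, so the same mechanism with a git-ignored `.env` would keep these values out of version control, e.g. `SECRETS_SYSTEM: ${HYDRA_SECRETS_SYSTEM}` (placeholder name). The `--dangerous-force-http` command flag, `SMTP_INSECURE_SKIP_VERIFY=true` and `FAKESMTP_SMTP_ALLOWINSECUREAUTH=true` are development-only relaxations and deserve a comment saying so, e.g. `# dev only: plain HTTP and no TLS verification, not for a deployed compose file`. The hydra service also uses mapping-style `environment:` while every other service uses the list style; one style file-wide reads better.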


@ -0,0 +1,18 @@
FROM oryd/hydra:v1.4.2-alpine
USER root
COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint
RUN chmod a+x /usr/local/bin/docker-entrypoint
COPY first-run.sh /usr/local/bin/docker-first-run
RUN chmod a+x /usr/local/bin/docker-first-run
COPY hydra-init.d /hydra-init.d
RUN mkdir -p /home/ory && chown -R ory: /home/ory
USER ory
ENTRYPOINT ["/usr/local/bin/docker-entrypoint"]
CMD ["hydra", "serve", "all"]
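Review bot: `COPY hydra-init.d /hydra-init.d` keeps whatever file mode the scripts have in the build context, and `run-parts` (which the first-run script uses on that directory) only executes files carrying the execute bit, so the init script can be silently skipped if it was committed without `+x`. The two entry scripts get an explicit `RUN chmod a+x`; giving the directory the same treatment, `RUN chmod -R a+x /hydra-init.d`, makes the build independent of checkout permissions. If the base image's `run-parts` is the BusyBox one, it is also worth confirming that it supports `--exit-on-error` and does not skip names containing a dot the way Debian's does; neither can be verified from the hunk.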


@ -0,0 +1,14 @@
#!/bin/sh
set -xeo pipefail
LIFECYCLEFLAGS_DIR="$HOME/.container-lifecycle"
mkdir -p "$LIFECYCLEFLAGS_DIR"
if [ ! -f "$LIFECYCLEFLAGS_DIR/first-run" ]; then
/usr/local/bin/docker-first-run
touch "$LIFECYCLEFLAGS_DIR/first-run"
fi
exec "$@"
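Review bot: `set -xeo pipefail` under `#!/bin/sh` relies on `pipefail`, which is not POSIX; BusyBox ash in recent Alpine releases accepts it, but on a shell that does not, the `set` itself fails and the `-e` guard is weaker than intended, so dropping `pipefail` (the script contains no pipelines) or documenting the shell it targets removes the doubt. `set -x` also traces every command, including the `exec "$@"` arguments, to stderr; fine for a dev container but worth a one-line comment. The first-run marker lives in `$HOME/.container-lifecycle`, which is container-local, so every recreated container re-runs `docker-first-run` against the persisted postgres volume; a header comment such as `# first-run marker is per container, not per database; the init scripts must tolerate re-runs` would save the next reader the surprise.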


@ -0,0 +1,8 @@
#!/bin/sh
hydra migrate sql -e -y
hydra serve all --dangerous-force-http &
HYDRA_PID=$!
run-parts --exit-on-error /hydra-init.d
kill $HYDRA_PID
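Review bot: `run-parts --exit-on-error /hydra-init.d` runs immediately after `hydra serve all --dangerous-force-http &`, so the init scripts, which reach the admin API through `HYDRA_ADMIN_URL`, race the server's startup and can fail with a connection refused before it listens. The script also has no `set -e` and discards the exit status of both `hydra migrate sql` and `run-parts`, so a failed migration or client creation still returns 0 to the entrypoint, which then writes the first-run marker and never retries. I would wait for the admin readiness endpoint before running the scripts, capture run-parts' status, and propagate it after stopping the background server.
```sh
#!/bin/sh
set -eu

hydra migrate sql -e -y

hydra serve all --dangerous-force-http &
HYDRA_PID=$!

# Wait for the admin API (HYDRA_ADMIN_URL is set by the compose environment)
# before the init scripts talk to it; give up after ~30s and let run-parts report.
for _ in $(seq 1 30); do
  if wget -q -O /dev/null "${HYDRA_ADMIN_URL}/health/ready" 2>/dev/null; then
    break
  fi
  sleep 1
done

set +e
run-parts --exit-on-error /hydra-init.d
STATUS=$?
set -e

kill "$HYDRA_PID"
wait "$HYDRA_PID" || true
exit "$STATUS"
```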


@ -0,0 +1,8 @@
#!/bin/sh
hydra clients create \
--id daddy \
-n Daddy \
--secret 'KE9wOXR-~7qCXNKWzw23EpNroq' \
-a email,email_verified \
-c http://localhost:8081/oauth2/callback
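Review bot: The client secret `KE9wOXR-~7qCXNKWzw23EpNroq` is committed in clear text in a script that runs on every first start, alongside the literals already present in the compose file; reading it from the environment (`--secret "$DADDY_CLIENT_SECRET"`, placeholder name) keeps one source of truth and leaves nothing in git history. `hydra clients create` is not idempotent: when the postgres volume already holds the `daddy` client, a re-run exits non-zero and `--exit-on-error` stops run-parts, so either check with `hydra clients get daddy` first or tolerate the already-exists error. The README in this same commit links the PKCE authorization-code flow; if the React frontend is meant to be a public client, a confidential client with a secret may not be the intended shape, which is worth confirming.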


@ -0,0 +1,3 @@
FROM postgres:12-alpine
COPY ./initdb.d /docker-entrypoint-initdb.d


@ -0,0 +1,15 @@
#!/bin/bash
set -e
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
CREATE USER hydra WITH ENCRYPTED PASSWORD 'hydra';
CREATE DATABASE hydra;
GRANT ALL PRIVILEGES ON DATABASE hydra TO hydra;
EOSQL
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
CREATE USER daddy WITH ENCRYPTED PASSWORD 'daddy';
CREATE DATABASE daddy;
GRANT ALL PRIVILEGES ON DATABASE daddy TO daddy;
EOSQL
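Review bot: The `hydra`/`hydra` and `daddy`/`daddy` credentials are fixed in the SQL here and must be kept in sync by hand with the `DSN` in the compose file; since the heredoc delimiter is unquoted, the shell expands variables in the body, so `CREATE USER hydra WITH ENCRYPTED PASSWORD '${HYDRA_DB_PASSWORD}';` (placeholder name, passed through the postgres service's environment) gives one source of truth. The postgres image runs `/docker-entrypoint-initdb.d` only when the data directory is empty, and `postgres_data` is a named volume, so edits to this script do not affect an existing dev environment until the volume is removed; a header comment like `# Runs only on first initialisation of an empty data directory; remove the postgres_data volume to re-run` prevents confusion. With `<<-EOSQL` only leading tabs are stripped from the body; the rendering here drops indentation so I cannot tell whether tabs or spaces are used, but space indentation is harmless to psql.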