Cadoles/goweb-oidc
10
0
Fork 0
Code Issues 1 Pull Requests Releases 4 Wiki Activity

Compare commits

base: Cadoles:2023.11.6-stable.1557.e16b905
Branches Tags
Cadoles:master Cadoles:dist/debian/bullseye/master Cadoles:dist/debian/bullseye/develop
Cadoles:2025.3.11-stable.1428.6545cb3 Cadoles:2023.12.6-stable.1502.ebfd504 Cadoles:2023.12.6-stable.1453.d4637b2 Cadoles:2023.11.6-stable.1557.e16b905 Cadoles:pkg/stable/debian-bullseye/0.0.1-6 Cadoles:pkg/stable/debian-bullseye/0.0.1-5 Cadoles:pkg/stable/debian-bullseye/0.0.1-4 Cadoles:pkg/stable/debian-bullseye/0.0.1-3 Cadoles:pkg/stable/debian-bullseye/0.0.1-2 Cadoles:pkg/stable/debian-bullseye/0.0.1-1 Cadoles:pkg/stable/debian-bullseye/0.0.1-0 Cadoles:pkg/dev/debian-bullseye/0.0.1-2 Cadoles:pkg/dev/debian-bullseye/0.0.1-1 Cadoles:pkg/dev/debian-bullseye/0.0.1-0 Cadoles:v0.0.0
...
compare: Cadoles:2025.3.11-stable.1428.6545cb3
Branches Tags
Cadoles:master Cadoles:dist/debian/bullseye/master Cadoles:dist/debian/bullseye/develop
Cadoles:2025.3.11-stable.1428.6545cb3 Cadoles:2023.12.6-stable.1502.ebfd504 Cadoles:2023.12.6-stable.1453.d4637b2 Cadoles:2023.11.6-stable.1557.e16b905 Cadoles:pkg/stable/debian-bullseye/0.0.1-6 Cadoles:pkg/stable/debian-bullseye/0.0.1-5 Cadoles:pkg/stable/debian-bullseye/0.0.1-4 Cadoles:pkg/stable/debian-bullseye/0.0.1-3 Cadoles:pkg/stable/debian-bullseye/0.0.1-2 Cadoles:pkg/stable/debian-bullseye/0.0.1-1 Cadoles:pkg/stable/debian-bullseye/0.0.1-0 Cadoles:pkg/dev/debian-bullseye/0.0.1-2 Cadoles:pkg/dev/debian-bullseye/0.0.1-1 Cadoles:pkg/dev/debian-bullseye/0.0.1-0 Cadoles:v0.0.0

5 Commits
2023.11.6- ... 2025.3.11-

Author SHA1 Message Date
Laurent Gourvenec
6545cb3e93 Merge pull request 'Injection de la redirect_uri dans les requêtes d'authentification' (#5) from issue-4 into master
All checks were successful
Cadoles/goweb-oidc/pipeline/head This commit looks good
Details 
Reviewed-on: #5
Reviewed-by: Laurent Gourvenec <lgourvenec@cadoles.com>
 2025-03-11 15:28:40 +01:00
William Petit
e2e4915e93 fix: inject redirect_uri in oauth2 login request (#4)
All checks were successful
Cadoles/goweb-oidc/pipeline/head This commit looks good
Details
Cadoles/goweb-oidc/pipeline/pr-master This commit looks good
Details
2025-03-07 12:08:53 +01:00
William Petit
97bacd0bb8 fix: isolated local dev environment
Some checks reported warnings
Cadoles/goweb-oidc/pipeline/head This commit was not built
Details
2025-03-07 12:08:07 +01:00
William Petit
ebfd504cbd feat: move module to forge.cadoles.com/cadoles.goweb-oidc
All checks were successful
Cadoles/goweb-oidc/pipeline/head This commit looks good
Details
2023-12-06 16:02:40 +01:00
William Petit
d4637b26bc feat: generate and publish artefacts via jenkins
All checks were successful
Cadoles/goweb-oidc/pipeline/head This commit looks good
Details
2023-12-06 15:53:11 +01:00
25 changed files with 392 additions and 62 deletions
Expand all files Collapse all files

2
.dockerignore
View File

@ -3,3 +3,5 @@
/vendor /vendor
/bin /bin
/release /release
/misc/compose
/tools

2
.gitignore vendored
View File

@ -4,3 +4,5 @@
/.vscode /.vscode
/tools /tools
/.mktools /.mktools
.mktools/
/release

29
Jenkinsfile vendored Normal file
View File

@ -0,0 +1,29 @@
@Library('cadoles') _
// Utilisation du pipeline "standard"
// Voir https://forge.cadoles.com/Cadoles/Jenkins/src/branch/master/doc/tutorials/standard-make-pipeline.md
standardMakePipeline([
'dockerfileExtension': '''
RUN apt-get update \
&& apt-get install -y zip jq
RUN wget https://go.dev/dl/go1.21.5.linux-amd64.tar.gz \
&& rm -rf /usr/local/go \
&& tar -C /usr/local -xzf go1.21.5.linux-amd64.tar.gz
ENV PATH="${PATH}:/usr/local/go/bin"
''',
'hooks': [
'pre-release': {
// Login into docker registry
sh '''
make .mktools
echo "$MKT_GITEA_RELEASE_PASSWORD" | docker login --username "$MKT_GITEA_RELEASE_USERNAME" --password-stdin reg.cadoles.com
'''
}
],
// Use credentials to push images to registry and pubish gitea release
'credentials': [
usernamePassword(credentialsId: 'kipp-credentials', usernameVariable: 'MKT_GITEA_RELEASE_USERNAME', passwordVariable: 'MKT_GITEA_RELEASE_PASSWORD')
]
])

75
Makefile
View File

@ -1,7 +1,19 @@
DOKKU_HOST := dokku@dev.lookingfora.name
SHELL := /bin/bash SHELL := /bin/bash
DOCKER_IMAGE_NAME ?= reg.cadoles.com/cadoles/oidc-test
DOCKER_IMAGE_TAG ?= $(MKT_PROJECT_VERSION) IMAGE_NAME ?= reg.cadoles.com/cadoles/oidc-test
MKT_GITEA_RELEASE_ORG ?= Cadoles
MKT_GITEA_RELEASE_PROJECT ?= goweb-oidc
MKT_GITEA_RELEASE_VERSION ?= $(MKT_PROJECT_VERSION)
define MKT_GITEA_RELEASE_BODY
## Docker usage
```
docker pull $(IMAGE_NAME):$(MKT_PROJECT_VERSION)
```
endef
export MKT_GITEA_RELEASE_BODY
build: build:
CGO_ENABLED=0 go build -v -o ./bin/server ./cmd/server CGO_ENABLED=0 go build -v -o ./bin/server ./cmd/server
@ -9,14 +21,11 @@ build:
test: test:
go test -v -race ./... go test -v -race ./...
release:
@$(SHELL) ./misc/script/release.sh
tidy: tidy:
go mod tidy go mod tidy
watch: watch: tools/modd/bin/modd
modd tools/modd/bin/modd
lint: lint:
golangci-lint run --enable-all golangci-lint run --enable-all
@ -26,32 +35,44 @@ clean:
rm -rf data rm -rf data
rm -rf bin rm -rf bin
dokku-build: build-image:
docker build \ docker build \
-f ./misc/dokku/Dockerfile \ -t "${IMAGE_NAME}:latest" \
-t goweb-oidc-dokku:latest \ -f ./misc/docker/Dockerfile \
. .
dokku-run: scan: build-image tools/trivy/bin/trivy
docker run -it --rm -p 3002:3002 goweb-oidc-dokku:latest mkdir -p .trivy
tools/trivy/bin/trivy --cache-dir .trivy/.cache image --ignorefile .trivyignore.yaml $(TRIVY_ARGS) $(IMAGE_NAME):latest
dokku-deploy: tools/trivy/bin/trivy:
$(if $(shell git config remote.dokku-oidc-test.url),, git remote add dokku-oidc-test $(DOKKU_HOST):oidc-test) mkdir -p tools/trivy/bin
git push -f dokku-oidc-test $(shell git rev-parse HEAD):refs/heads/master curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./tools/trivy/bin v0.47.0
docker-build: .mktools tools/modd/bin/modd:
docker build \ mkdir -p tools/modd/bin
-f ./misc/dokku/Dockerfile \ GOBIN=$(PWD)/tools/modd/bin go install github.com/cortesi/modd/cmd/modd@latest
-t $(DOCKER_IMAGE_NAME):latest \
.
docker-release: .mktools docker-build release: release-image release-gitea
docker image tag $(DOCKER_IMAGE_NAME):latest $(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG)
docker login
docker push $(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG)
docker push $(DOCKER_IMAGE_NAME):latest
.PHONY: lint watch build vendor tidy release release-archive:
@$(SHELL) ./misc/script/release.sh
release-gitea: .mktools release-archive
@[ ! -z "$(MKT_PROJECT_VERSION)" ] || ( echo "Just downloaded mktools. Please re-run command."; exit 1 )
$(MAKE) MKT_GITEA_RELEASE_ATTACHMENTS="$$(find release/* -maxdepth 0 -type f -printf '%p ')" mkt-gitea-release
release-image: .mktools build-image
@[ ! -z "$(MKT_PROJECT_VERSION)" ] || ( echo "Just downloaded mktools. Please re-run command."; exit 1 )
docker tag "${IMAGE_NAME}:latest" "${IMAGE_NAME}:$(MKT_PROJECT_VERSION)"
docker tag "${IMAGE_NAME}:latest" "${IMAGE_NAME}:$(MKT_PROJECT_SHORT_VERSION)"
docker tag "${IMAGE_NAME}:latest" "${IMAGE_NAME}:$(MKT_PROJECT_VERSION_CHANNEL)-latest"
docker push "${IMAGE_NAME}:$(MKT_PROJECT_VERSION)"
docker push "${IMAGE_NAME}:$(MKT_PROJECT_SHORT_VERSION)"
docker push "${IMAGE_NAME}:$(MKT_PROJECT_VERSION_CHANNEL)-latest"
.PHONY: lint watch build tidy release
.PHONY: mktools .PHONY: mktools
mktools: mktools:

6
README.md
View File

@ -6,6 +6,6 @@ Middleware [`goweb`](https://forge.cadoles.com/wpetit/goweb) pour authentificati
Une application web de test est disponible dans le répertoire [`cmd/server`](./cmd/server). Voici les principaux exemples d'utilisation de la librairie: Une application web de test est disponible dans le répertoire [`cmd/server`](./cmd/server). Voici les principaux exemples d'utilisation de la librairie:
- [Initialisation du service `oidc`](https://forge.cadoles.com/wpetit/goweb-oidc/src/branch/master/cmd/server/container.go#L78-L87) - [Initialisation du service `oidc`](https://forge.cadoles.com/cadoles/goweb-oidc/src/branch/master/cmd/server/container.go#L78-L87)
- [Ajout du middleware d'authentification dans les routes HTTP](https://forge.cadoles.com/wpetit/goweb-oidc/src/branch/master/internal/route/mount.go#L12-L19) - [Ajout du middleware d'authentification dans les routes HTTP](https://forge.cadoles.com/cadoles/goweb-oidc/src/branch/master/internal/route/mount.go#L12-L19)
- [Récupération de l'`IDToken` dans un handler HTTP](https://forge.cadoles.com/wpetit/goweb-oidc/src/branch/master/internal/route/login.go#L18-L21) - [Récupération de l'`IDToken` dans un handler HTTP](https://forge.cadoles.com/cadoles/goweb-oidc/src/branch/master/internal/route/login.go#L18-L21)

5
cmd/server/container.go
View File

@ -8,8 +8,8 @@ import (
"gitlab.com/wpetit/goweb/logger" "gitlab.com/wpetit/goweb/logger"
"gitlab.com/wpetit/goweb/template/html" "gitlab.com/wpetit/goweb/template/html"
oidc "forge.cadoles.com/wpetit/goweb-oidc" oidc "forge.cadoles.com/cadoles/goweb-oidc"
"forge.cadoles.com/wpetit/goweb-oidc/internal/config" "forge.cadoles.com/cadoles/goweb-oidc/internal/config"
"github.com/gorilla/sessions" "github.com/gorilla/sessions"
"github.com/pkg/errors" "github.com/pkg/errors"
"gitlab.com/wpetit/goweb/service" "gitlab.com/wpetit/goweb/service"
@ -95,6 +95,7 @@ func getServiceContainer(ctx context.Context, conf *config.Config) (*service.Con
oidc.WithScopes(conf.OIDC.Scopes...), oidc.WithScopes(conf.OIDC.Scopes...),
oidc.WithAcrValues(conf.OIDC.AcrValues), oidc.WithAcrValues(conf.OIDC.AcrValues),
oidc.WithSkipIssuerCheck(conf.OIDC.SkipIssuerVerification), oidc.WithSkipIssuerCheck(conf.OIDC.SkipIssuerVerification),
oidc.WithRedirectURL(conf.OIDC.RedirectURL),
)) ))
return ctn, nil return ctn, nil

4
cmd/server/main.go
View File

@ -8,8 +8,8 @@ import (
"net/http" "net/http"
"os" "os"
"forge.cadoles.com/wpetit/goweb-oidc/internal/config" "forge.cadoles.com/cadoles/goweb-oidc/internal/config"
"forge.cadoles.com/wpetit/goweb-oidc/internal/route" "forge.cadoles.com/cadoles/goweb-oidc/internal/route"
"github.com/go-chi/chi/v5" "github.com/go-chi/chi/v5"
"github.com/go-chi/chi/v5/middleware" "github.com/go-chi/chi/v5/middleware"

103
docker-compose.yml
View File

@ -1,17 +1,98 @@
version: "2.4"
services: services:
oidc-test: oidc-test:
image: reg.cadoles.com/cadoles/goweb-oidc-test build:
context: .
dockerfile: ./misc/docker/Dockerfile
environment: environment:
- LOG_LEVEL=0 - LOG_LEVEL=0
- HTTP_ADDRESS=0.0.0.0:3002 - HTTP_ADDRESS=0.0.0.0:8000
- OIDC_CLIENT_ID=local-test - OIDC_CLIENT_ID=oidc-test
- OIDC_CLIENT_SECRET=local-test - OIDC_CLIENT_SECRET=oidc-test-123456
- OIDC_ISSUER_URL= - OIDC_ISSUER_URL=http://localhost:8081/
- OIDC_REDIRECT_URL=http://localhost:3002 - OIDC_REDIRECT_URL=http://localhost:8000/oauth2/callback
- OIDC_POST_LOGOUT_REDIRECT_URL=http://localhost:3002 - OIDC_POST_LOGOUT_REDIRECT_URL=http://localhost:8000
- OIDC_ACR_VALUES= depends_on:
ports: hydra:
- 80:3002 condition: service_healthy
network_mode: host network_mode: host
restart: unless-stopped
hydra:
build:
context: ./misc/compose/hydra
args:
- HTTP_PROXY=${HTTP_PROXY:-}
- HTTPS_PROXY=${HTTPS_PROXY:-}
- http_proxy=${http_proxy:-}
- https_proxy=${https_proxy:-}
volumes:
- ./misc/compose/hydra/config.yml:/etc/hydra/config.yml
- ./misc/compose/hydra/clients.d:/etc/hydra/clients.d
environment:
- LOG_LEAK_SENSITIVE_VALUES=true
links:
- mariadb
depends_on:
- mariadb
ports:
- 8081:4444
healthcheck:
test:
[
"CMD",
"wget",
"--spider",
"-q",
"http://127.0.0.1:4444/.well-known/openid-configuration",
]
interval: 10s
timeout: 10s
retries: 3
start_period: 10s
restart: unless-stopped
mariadb:
image: mariadb:10.2
environment:
MYSQL_DATABASE: hydra
MYSQL_USER: hydra
MYSQL_PASSWORD: hydra
MYSQL_ROOT_PASSWORD: hydra
TZ: Europe/Paris
volumes:
- ./misc/compose/mariadb/init-db.d:/docker-entrypoint-initdb.d/:ro
- mariadb_data:/var/lib/mysql
- /etc/localtime:/etc/localtime:ro
glauth:
build:
context: ./misc/compose/glauth
args:
- HTTP_PROXY=${HTTP_PROXY:-}
- HTTPS_PROXY=${HTTPS_PROXY:-}
- http_proxy=${http_proxy:-}
- https_proxy=${https_proxy:-}
ports:
- 389:389
hydra-werther:
image: icoreru/werther:v1.2.1
environment:
- WERTHER_LDAP_BASEDN=ou=users,dc=example,dc=com
- WERTHER_LDAP_ROLE_BASEDN=ou=groups,dc=example,dc=com
- WERTHER_DEV_MODE=True
- WERTHER_LISTEN=0.0.0.0:8080
- WERTHER_IDENTP_HYDRA_URL=http://hydra:4445
- WERTHER_LDAP_ENDPOINTS=glauth:389
- WERTHER_LDAP_BINDDN=cn=admin,dc=example,dc=com
- WERTHER_LDAP_BINDPW=admin
volumes:
- ./misc/glauth/glauth.cfg:/app/config/config.cfg:ro
links:
- glauth
- hydra
ports:
- 8082:8080
volumes:
mariadb_data:

2
go.mod
View File

@ -1,4 +1,4 @@
module forge.cadoles.com/wpetit/goweb-oidc module forge.cadoles.com/cadoles/goweb-oidc
go 1.14 go 1.14

2
internal/route/helper.go
View File

@ -3,7 +3,7 @@ package route
import ( import (
"net/http" "net/http"
"forge.cadoles.com/wpetit/goweb-oidc/internal/config" "forge.cadoles.com/cadoles/goweb-oidc/internal/config"
"github.com/pkg/errors" "github.com/pkg/errors"
"gitlab.com/wpetit/goweb/middleware/container" "gitlab.com/wpetit/goweb/middleware/container"
"gitlab.com/wpetit/goweb/service" "gitlab.com/wpetit/goweb/service"

4
internal/route/home.go
View File

@ -3,8 +3,8 @@ package route
import ( import (
"net/http" "net/http"
oidc "forge.cadoles.com/wpetit/goweb-oidc" oidc "forge.cadoles.com/cadoles/goweb-oidc"
"forge.cadoles.com/wpetit/goweb-oidc/internal/config" "forge.cadoles.com/cadoles/goweb-oidc/internal/config"
"github.com/pkg/errors" "github.com/pkg/errors"
"gitlab.com/wpetit/goweb/middleware/container" "gitlab.com/wpetit/goweb/middleware/container"
"gitlab.com/wpetit/goweb/service/template" "gitlab.com/wpetit/goweb/service/template"

4
internal/route/login.go
View File

@ -3,8 +3,8 @@ package route
import ( import (
"net/http" "net/http"
oidc "forge.cadoles.com/wpetit/goweb-oidc" oidc "forge.cadoles.com/cadoles/goweb-oidc"
"forge.cadoles.com/wpetit/goweb-oidc/internal/config" "forge.cadoles.com/cadoles/goweb-oidc/internal/config"
"github.com/pkg/errors" "github.com/pkg/errors"
"gitlab.com/wpetit/goweb/logger" "gitlab.com/wpetit/goweb/logger"
"gitlab.com/wpetit/goweb/middleware/container" "gitlab.com/wpetit/goweb/middleware/container"

4
internal/route/logout.go
View File

@ -3,8 +3,8 @@ package route
import ( import (
"net/http" "net/http"
oidc "forge.cadoles.com/wpetit/goweb-oidc" oidc "forge.cadoles.com/cadoles/goweb-oidc"
"forge.cadoles.com/wpetit/goweb-oidc/internal/config" "forge.cadoles.com/cadoles/goweb-oidc/internal/config"
"gitlab.com/wpetit/goweb/logger" "gitlab.com/wpetit/goweb/logger"
"gitlab.com/wpetit/goweb/middleware/container" "gitlab.com/wpetit/goweb/middleware/container"
) )

4
internal/route/mount.go
View File

@ -1,8 +1,8 @@
package route package route
import ( import (
oidc "forge.cadoles.com/wpetit/goweb-oidc" oidc "forge.cadoles.com/cadoles/goweb-oidc"
"forge.cadoles.com/wpetit/goweb-oidc/internal/config" "forge.cadoles.com/cadoles/goweb-oidc/internal/config"
chi "github.com/go-chi/chi/v5" chi "github.com/go-chi/chi/v5"
"gitlab.com/wpetit/goweb/static" "gitlab.com/wpetit/goweb/static"

2
internal/route/profile.go
View File

@ -4,7 +4,7 @@ import (
"encoding/json" "encoding/json"
"net/http" "net/http"
oidc "forge.cadoles.com/wpetit/goweb-oidc" oidc "forge.cadoles.com/cadoles/goweb-oidc"
"github.com/pkg/errors" "github.com/pkg/errors"
"gitlab.com/wpetit/goweb/middleware/container" "gitlab.com/wpetit/goweb/middleware/container"
"gitlab.com/wpetit/goweb/service/template" "gitlab.com/wpetit/goweb/service/template"

3
misc/compose/glauth/Dockerfile Normal file
View File

@ -0,0 +1,3 @@
FROM glauth/glauth:v2.1.0
COPY glauth.cfg /app/config/config.cfg

37
misc/compose/glauth/glauth.cfg Normal file
View File

@ -0,0 +1,37 @@
debug = true
[ldap]
enabled = true
listen = "0.0.0.0:389"
[ldaps]
enabled = false
[backend]
datastore = "config"
baseDN = "dc=example,dc=com"
[[users]]
name = "admin"
mail = "admin@localhost"
uidnumber = 5001
primarygroup = 5501
passsha256 = "8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918" # admin
[[users.capabilities]]
action = "search"
object = "*"
[[users.customattributes]]
objectClass = [ "inetOrgPerson" ]
[[users]]
name = "jdoe"
mail = "jdoe@localhost"
uidnumber = 5006
primarygroup = 5501
passsha256 = "d30a5f57532a603697ccbb51558fa02ccadd74a0c499fcf9d45b33863ee1582f" # jdoe
[[users.customattributes]]
objectClass = [ "inetOrgPerson" ]
[[groups]]
name = "webapps"
gidnumber = 5501

31
misc/compose/hydra/Dockerfile Normal file
View File

@ -0,0 +1,31 @@
FROM oryd/hydra:v1.11.7
ARG WAIT4X_VERSION="v1.1.0"
USER root
RUN apk add --no-cache gcompat jq
# wait4x - utilisé pour attendre les services externes nécessaires au lancement d'hydra
RUN /bin/sh -c "wget -q -O /usr/local/bin/wait4x https://github.com/atkrad/wait4x/releases/download/$WAIT4X_VERSION/wait4x-linux-amd64" \
&& /bin/sh -c "chmod a+x /usr/local/bin/wait4x"
COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
RUN /bin/sh -c "chmod +x /usr/local/bin/docker-entrypoint.sh"
COPY run-hydra.sh /usr/local/bin/run-hydra
RUN /bin/sh -c "chmod +x /usr/local/bin/run-hydra"
RUN /bin/sh -c "mkdir -p /home/ory" \
&& /bin/sh -c "chown -R ory: /home/ory"
COPY clients.d /etc/hydra/clients.d
COPY reload-hydra-clients.sh /usr/local/bin/reload-hydra-clients
RUN /bin/sh -c "chmod +x /usr/local/bin/reload-hydra-clients"
USER ory
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
CMD ["/usr/local/bin/run-hydra"]

19
misc/compose/hydra/clients.d/oidc-test.json Normal file
View File

@ -0,0 +1,19 @@
{
"client_id": "oidc-test",
"client_name": "OIDC Test",
"client_secret": "oidc-test-123456",
"grant_types": [
"authorization_code",
"refresh_token"
],
"jwks": {},
"metadata": {},
"token_endpoint_auth_method": "client_secret_post",
"post_logout_redirect_uris": ["http://localhost:8000"],
"redirect_uris": ["http://localhost:8000/oauth2/callback"],
"response_types": [
"code"
],
"logo_uri": "https://upload.wikimedia.org/wikipedia/commons/e/e1/Password.svg",
"scope": "openid profile email webhook"
}

37
misc/compose/hydra/config.yml Normal file
View File

@ -0,0 +1,37 @@
serve:
cookies:
same_site_mode: Lax
admin:
port: 4445
host: 0.0.0.0
public:
port: 4444
host: 0.0.0.0
level: debug
urls:
self:
# Adresse publique du serveur hydra
issuer: http://localhost:8081
# Configuration des login/consent/logout apps
consent: http://localhost:8082/auth/consent
login: http://localhost:8082/auth/login
logout: http://localhost:8082/auth/logout
secrets:
system:
- youReallyNeedToChangeThis
dsn: mysql://hydra:hydra@tcp(mariadb:3306)/hydra?parseTime=true
oidc:
subject_identifiers:
supported_types:
- pairwise
- public
pairwise:
salt: youReallyNeedToChangeThis

33
misc/compose/hydra/docker-entrypoint.sh Normal file
View File

@ -0,0 +1,33 @@
#!/bin/sh
set -eo pipefail
# On attend que la base de données MySQL soit disponible
/usr/local/bin/wait4x -t 60s mysql "hydra:hydra@tcp(mariadb:3306)/hydra"
# Au premier lancement du conteneur...
if [ ! -f "$HOME/.first-run" ]; then
# On exécute les migrations Hydra
/usr/bin/hydra migrate sql --read-from-env --yes -c /etc/hydra/config.yml
# On "marque" l'exécution
touch "$HOME/.first-run"
fi
# Démarrage de l'interface admin d'hydra en tâche de fond
/usr/bin/hydra serve --dangerous-force-http admin -c /etc/hydra/config.yml &
# On attend que le service hydra soit dispo
/usr/local/bin/wait4x -t 60s http http://127.0.0.1:4445
# Rechargement des clients OIDC
/usr/local/bin/reload-hydra-clients
# On stoppe l'interface admin d'hydra
kill $(jobs -p)
# On attend que le serveur Hydra soit stoppé
/usr/local/bin/wait4x -v -t 60s http http://127.0.0.1:4445
# On exécute la CMD Docker
exec $@

12
misc/compose/hydra/reload-hydra-clients.sh Normal file
View File

@ -0,0 +1,12 @@
#!/bin/sh
set -x
HYDRA_CLIENTS_DIR=/etc/hydra/clients.d
HYDRA_ADMIN_ENDPOINT=http://127.0.0.1:4445
for client_file in $HYDRA_CLIENTS_DIR/*.json; do
client_id=$(basename "$client_file" | cut -f 1 -d '.')
/usr/bin/hydra clients delete --skip-tls-verify --endpoint "$HYDRA_ADMIN_ENDPOINT" "$client_id"
/usr/bin/hydra clients import --skip-tls-verify --endpoint "$HYDRA_ADMIN_ENDPOINT" "$client_file"
done

16
misc/compose/hydra/run-hydra.sh Normal file
View File

@ -0,0 +1,16 @@
#!/bin/sh
set -xeo pipefail
REDIRECT_URLS=$(cat /etc/hydra/clients.d/*.json | jq -n --stream 'fromstream(inputs) | (.redirect_uris + .post_logout_redirect_uris)' | jq -r '.[]')
# À NE PAS FAIRE EN PRODUCTION !
# Voir https://www.ory.sh/docs/hydra/debug#first-aid
export OAUTH2_EXPOSE_INTERNAL_ERRORS=true
/usr/bin/hydra \
serve \
-c /etc/hydra/config.yml \
--dangerous-force-http \
--dangerous-allow-insecure-redirect-urls "$REDIRECT_URLS" \
all

6
misc/compose/mariadb/init-db.d/create_database_hydra.sh Normal file
View File

@ -0,0 +1,6 @@
#!/bin/bash
set -xeo pipefail
echo "CREATE DATABASE IF NOT EXISTS \`hydra\`;" | "${mysql[@]}"
echo "GRANT ALL ON \`hydra\`.* TO '$MYSQL_USER'@'%' ;" | "${mysql[@]}"

6
misc/dokku/Dockerfile → misc/docker/Dockerfile
View File

@ -1,4 +1,4 @@
FROM golang:1.19 AS build FROM golang:1.24 AS build
ARG HTTP_PROXY= ARG HTTP_PROXY=
ARG HTTPS_PROXY= ARG HTTPS_PROXY=
@ -11,9 +11,9 @@ COPY . /src
WORKDIR /src WORKDIR /src
RUN make ARCH_TARGETS=amd64 release RUN make ARCH_TARGETS=amd64 release-archive
FROM alpine as certs FROM alpine AS certs
RUN apk update && apk add ca-certificates RUN apk update && apk add ca-certificates