logout: add support of logout flow
README.md
@ -2,7 +2,10 @@

# Werther

Werther is a login provider for ORY Hydra that is an OAuth2 provider.
Werther is an identity provider for ORY Hydra that is an OAuth2 provider.

**Important!**
**The current version is compatible with ORY Hydra v1.0.0-rc.12 or higher.**

## Build
```
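Review bot: "compatible with ORY Hydra v1.0.0-rc.12 or higher" promises something this commit cannot verify; the rest of this very diff shows how much renamed between beta8 and rc.12 (OAUTH2_ISSUER_URL to URLS_SELF_ISSUER, DATABASE_URL to DSN, and so on), so a later release candidate may break the setup again. Suggest wording it as the version actually tested: "The current version is tested with ORY Hydra v1.0.0-rc.12."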
@ -12,8 +15,7 @@ go install ./...
## Development

Assume that your IP is set as $MY_HOST. The instruction will use 4444 TCP port for OAuth2 Provider Hydra,
3000 TCP port for Login Provider Werther, and 8080 TCP port for a callback. Tokens will be expired in one minute.
There is environment variable HYDRA_VERSION that equals to v1.0.0-beta8.
3000 TCP port for Login Provider Werther, and 8080 TCP port for a callback. Tokens will be expired in ten minutes.

1. Create a network:
```
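Review bot: dropping the sentence that defines HYDRA_VERSION leaves step 3 below still running `oryd/hydra:$HYDRA_VERSION clients create`, which with the variable unset becomes an invalid image reference for a reader who follows the instructions literally. Either keep the sentence, updated to v1.0.0-rc.12, or pin that command to `oryd/hydra:v1.0.0-rc.12` as the two `serve` commands in this diff already are, so the CLI and server versions cannot drift apart.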
@ -22,53 +24,55 @@ There is environment variable HYDRA_VERSION that equals to v1.0.0-beta8.

2. Run ORY Hydra:
```
docker run --network hydra-net -d --restart always --name hydra \
-p 4444:4444 \
-p 4445:4445 \
-e OAUTH2_SHARE_ERROR_DEBUG=1 \
-e LOG_LEVEL=debug \
-e ACCESS_TOKEN_LIFESPAN=10m \
-e ID_TOKEN_LIFESPAN=10m \
-e CORS_ALLOWED_ORIGINS=http://$MY_HOST:8080 \
-e CORS_ALLOWED_CREDENTIALS=true \
-e OIDC_DISCOVERY_SCOPES_SUPPORTED=profile,email,phone \
-e OIDC_DISCOVERY_CLAIMS_SUPPORTED=name,family_name,given_name,nickname,email,phone_number \
-e OAUTH2_CONSENT_URL=http://$MY_HOST:3000/auth/consent \
-e OAUTH2_LOGIN_URL=http://$MY_HOST:3000/auth/login \
-e OAUTH2_ISSUER_URL=http://$MY_HOST:4444 \
-e DATABASE_URL=memory \
oryd/hydra:$HYDRA_VERSION serve all --dangerous-force-http

docker run --network hydra-net -d --restart always --name hydra \
-p 4444:4444 \
-p 4445:4445 \
-e OAUTH2_EXPOSE_INTERNAL_ERRORS=true \
-e LOG_LEVEL=debug \
-e TTL_ACCESS_TOKEN=10m \
-e TTL_ID_TOKEN=10m \
-e SERVE_PUBLIC_CORS_ENABLED=true \
-e SERVE_PUBLIC_CORS_ALLOWED_ORIGINS=http://$MY_HOST:8080 \
-e SERVE_PUBLIC_CORS_ALLOW_CREDENTIALS=true \
-e WEBFINGER_OIDC_DISCOVERY_SUPPORTED_SCOPES=profile,email,phone \
-e WEBFINGER_OIDC_DISCOVERY_SUPPORTED_CLAIMS=name,family_name,given_name,nickname,email,phone_number \
-e URLS_SELF_ISSUER=http://localhost:4444 \
-e URLS_SELF_PUBLIC=http://localhost:4444 \
-e URLS_LOGIN=http://$MY_HOST:3000/auth/login \
-e URLS_CONSENT=http://$MY_HOST:3000/auth/consent \
-e URLS_LOGOUT=http://$MY_HOST:3000/auth/logout \
-e DSN=memory \
oryd/hydra:v1.0.0-rc.12 serve all --dangerous-force-http
```

You can learn additional properties with help command:
```
docker run -it --rm oryd/hydra:$HYDRA_VERSION serve --help
docker run -it --rm oryd/hydra:v1.0.0-rc.12 serve --help
```

3. Register a client:
```
docker run -it --rm --network hydra-net \
-e HYDRA_ADMIN_URL=http://hydra:4445 \
oryd/hydra:$HYDRA_VERSION clients create \
--skip-tls-verify \
--id test-client \
--secret test-secret \
--response-types id_token,token,"id_token token" \
--grant-types implicit \
--scope openid,profile,email \
--callbacks http://$MY_HOST:8080
docker run -it --rm --network hydra-net \
-e HYDRA_ADMIN_URL=http://hydra:4445 \
oryd/hydra:$HYDRA_VERSION clients create \
--skip-tls-verify \
--id test-client \
--secret test-secret \
--response-types id_token,token,"id_token token" \
--grant-types implicit \
--scope openid,profile,email \
--callbacks http://$MY_HOST:8080 \
--post-logout-callbacks http://$MY_HOST:8080/post-logout-callback
```

4. Run Werther:
```
docker run --network hydra-net -d --restart always --name werther -p 3000:8080 \
-e WERTHER_LOG_FORMAT=console \
-e WERTHER_HYDRA_ADMIN_URL=http://hydra:4445 \
-e WERTHER_LDAP_ENDPOINTS=icdc0.icore.local:389,icdc1.icore.local:389 \
-e WERTHER_LDAP_BINDDN=<BINDDN> \
-e WERTHER_LDAP_BINDPW=<BINDDN_PASSWORD> \
-e WERTHER_LDAP_BASEDN="DC=icore,DC=local" \
docker run --network hydra-net -d --restart always --name werther -p 3000:8080 \
-e WERTHER_IDENTP_HYDRA_URL=http://hydra:4445 \
-e WERTHER_LDAP_ENDPOINTS=icdc0.icore.local:389,icdc1.icore.local:389 \
-e WERTHER_LDAP_BINDDN=<BINDDN> \
-e WERTHER_LDAP_BINDPW=<BINDDN_PASSWORD> \
-e WERTHER_LDAP_BASEDN="DC=icore,DC=local" \
-e WERTHER_LDAP_ROLE_BASEDN="OU=AppRoles,OU=Domain Groups,DC=icore,DC=local" \
hub.das.i-core.ru/p/base-werther
```
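Review bot: in the new `docker run ... --name hydra` command, URLS_SELF_ISSUER and URLS_SELF_PUBLIC are set to `http://localhost:4444`, while URLS_LOGIN, URLS_CONSENT, URLS_LOGOUT, the CORS origin and every browser step later in this README use `$MY_HOST`, and the replaced line was `OAUTH2_ISSUER_URL=http://$MY_HOST:4444`. With this setting the `iss` claim of issued ID tokens and the discovery document will name localhost, which does not match the host the browser and the test client actually talk to, so a client that validates the issuer against that host will reject the token. Suggest `-e URLS_SELF_ISSUER=http://$MY_HOST:4444 \` and `-e URLS_SELF_PUBLIC=http://$MY_HOST:4444 \` unless the localhost value is deliberate, in which case a sentence explaining why belongs next to the command.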
@ -78,12 +82,16 @@ There is environment variable HYDRA_VERSION that equals to v1.0.0-beta8.
docker run -it --rm hub.das.i-core.ru/p/base-werther -help
```

5. Start an authentication process in a browser:
5. Start an authentication process in a browser to get an access token:
```
open http://$MY_HOST:4444/oauth2/auth?client_id=test-client&response_type=token&scope=openid%20profile%20email&state=12345678
```
6. Start an authentication process in a browser to get an access token and id token:
```
open http://$MY_HOST:4444/oauth2/auth?client_id=test-client&response_type=id_token%20token&scope=openid%20profile%20email&state=12345678&nonce=87654321
```

6. Get user info:
7. Get user info:
```
http get "http://$MY_HOST:4444/userinfo" "Authorization: Bearer <ACCESS_TOKEN>"
```
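Review bot: the `open` URLs in steps 5 and 6 contain unquoted `&`, so a shell runs everything after the first `&` as separate background commands and the browser only receives `...?client_id=test-client`, which Hydra then rejects for lack of `response_type`. Step 9 already quotes its URL; do the same here, e.g. `open "http://$MY_HOST:4444/oauth2/auth?client_id=test-client&response_type=id_token%20token&scope=openid%20profile%20email&state=12345678&nonce=87654321"`. Minor: the new step 6 follows the closing fence of step 5 with no blank line, unlike every other step in the list; add one so the numbering renders consistently.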
@ -95,7 +103,7 @@ There is environment variable HYDRA_VERSION that equals to v1.0.0-beta8.
Content-Type: application/json
Date: Tue, 31 Jul 2018 17:17:51 GMT
Vary: Origin


{
"email": "klepa@i-core.ru",
"family_name": "Lepa",
@ -112,19 +120,26 @@ There is environment variable HYDRA_VERSION that equals to v1.0.0-beta8.

Look for details in [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter).

7. Re-get a token by httpie:
8. Re-get a token by httpie:
```
http --session u1 -F -v get \
"http://$MY_HOST:4444/oauth2/auth?client_id=test-client&response_type=token&scope=openid%20profile&state=12345678&prompt=none" \
"Cookie:<COOKIES_FROM_WERTHER_DOMAIN>"
```

8. Delete a user's session from a browser:
9. Delete a user's session from a browser:
```
open "http://$MY_HOST:4444/oauth2/auth/sessions/login/revoke"
```

9. (Optional) Sniff TCP packets between Hydra and Werther
10. Log a user out from a browser:
```
open http://$MY_HOST:4444/oauth2/sessions/logout?id_token_hint=<id_token>&post_logout_redirect_uri=http://$MY_HOST:8080/post-logout-callback&state=87654321
```
After a successful logout, a user will be redirected to the page "http://$MY_HOST:8080/post-logout-callback?state=87654321".


11. (Optional) Sniff TCP packets between Hydra and Werther
```
docker run -it --rm --net=container:hydra nicolaka/netshoot tcpdump -i eth0 -A -nn port 4444
```
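Review bot: steps 9 and 10 now document two different ways of ending a session (`/oauth2/auth/sessions/login/revoke` and `/oauth2/sessions/logout`) without saying how they differ or that only step 10 exercises the new URLS_LOGOUT endpoint on Werther that this commit adds; one sentence on when to use which would save readers a trip to the Hydra docs. The "After a successful logout" sentence should also tell the reader that the page at `post-logout-callback` is expected to compare the returned `state` with the value sent in the logout request before treating the logout as completed, otherwise the parameter serves no purpose in the example. The `open` line in step 10 has the same unquoted `&` problem as steps 5 and 6 and should be quoted like step 9. Minor: the placeholder `<id_token>` is lowercase while the rest of the README uses `<ACCESS_TOKEN>`-style uppercase placeholders.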