Compare commits
3 Commits
Author | SHA1 | Date | |
---|---|---|---|
b9a1c627a5 | |||
ee865701c8 | |||
6d7dee6175 |
@ -17,7 +17,7 @@ cache:
|
||||
- "$GOPATH/pkg/mod"
|
||||
- "$GOPATH/bin"
|
||||
|
||||
install: "(cd $HOME && go get -v github.com/golangci/golangci-lint/cmd/golangci-lint@v1.16.0)"
|
||||
install: curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(go env GOPATH)/bin v1.16.0
|
||||
|
||||
script:
|
||||
- go test -v -coverprofile=coverage.txt ./...
|
||||
|
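Review bot: The `install:` line that pipes `https://install.goreleaser.com/github.com/golangci/golangci-lint.sh` into `sh` executes a remotely hosted script that is neither pinned nor verified; the trailing `v1.16.0` fixes the linter release the script downloads, not the script itself. The rendering lost the +/- markers, so this assumes the curl line is the new side and replaces the `go get ...@v1.16.0` line. Whatever that host serves at build time runs inside the CI job with the job's environment. Fetch the script from a fixed revision and compare it against a recorded SHA-256 before running it, or download the v1.16.0 release archive and verify its checksum directly. At minimum, record the gap next to the step, e.g. `# installer script is fetched unpinned and unverified`.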
180
README.md
180
README.md
@ -98,6 +98,15 @@ of the user role's claim `https://github.com/i-core/werther/claims/roles`.
|
||||
```
|
||||
|
||||
To customize the roles claim's name you should set a value of the environment variable `WERTHER_LDAP_ROLE_CLAIM`.
|
||||
Also you should map the custom name of the roles' claim to a roles's scope using the environment variable
|
||||
`WERTHER_IDENTP_CLAIM_SCOPES` (the name must be [URL encoded][uri-spec-encoding]):
|
||||
|
||||
```bash
|
||||
env WERTHER_LDAP_ROLE_CLAIM=https://my-company.com/claims/roles \
|
||||
WERTHER_IDENTP_CLAIM_SCOPES=name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fmy-company.com%2Fclaims%2Froles:roles \
|
||||
werther
|
||||
```
|
||||
|
||||
For more details about claims naming see [OpenID Connect Core 1.0][oidc-spec-additional-claims].
|
||||
|
||||
**NB** There are cases when we need to create several roles with the same name in LDAP.
|
||||
@ -204,93 +213,98 @@ For a full example of a login page's template see [source code](internal/web/tem
|
||||
```yaml
|
||||
version: "3"
|
||||
services:
|
||||
hydra-client:
|
||||
image: oryd/hydra:v1.0.0-rc.12
|
||||
environment:
|
||||
HYDRA_ADMIN_URL: http://hydra:4445
|
||||
command:
|
||||
- clients
|
||||
- create
|
||||
- --skip-tls-verify
|
||||
- --id
|
||||
- test-client
|
||||
- --secret
|
||||
- test-secret
|
||||
- --response-types
|
||||
- id_token,token,"id_token token"
|
||||
- --grant-types
|
||||
- implicit
|
||||
- --scope
|
||||
- openid,profile,email
|
||||
- --callbacks
|
||||
- http://localhost:3000
|
||||
- --post-logout-callbacks
|
||||
- http://localhost:3000/post-logout-callback
|
||||
networks:
|
||||
- hydra-net
|
||||
deploy:
|
||||
restart_policy:
|
||||
condition: none
|
||||
depends_on:
|
||||
- hydra
|
||||
hydra:
|
||||
image: oryd/hydra:v1.0.0-rc.12
|
||||
environment:
|
||||
URLS_SELF_ISSUER: http://localhost:4444
|
||||
URLS_SELF_PUBLIC: http://localhost:4444
|
||||
URLS_LOGIN: http://localhost:8080/auth/login
|
||||
URLS_CONSENT: http://localhost:8080/auth/consent
|
||||
URLS_LOGOUT: http://localhost:8080/auth/logout
|
||||
WEBFINGER_OIDC_DISCOVERY_SUPPORTED_SCOPES: profile,email,phone
|
||||
WEBFINGER_OIDC_DISCOVERY_SUPPORTED_CLAIMS: name,family_name,given_name,nickname,email,phone_number
|
||||
DSN: memory
|
||||
command: serve all --dangerous-force-http
|
||||
networks:
|
||||
- hydra-net
|
||||
ports:
|
||||
- "4444:4444"
|
||||
- "4445:4445"
|
||||
deploy:
|
||||
restart_policy:
|
||||
condition: on-failure
|
||||
depends_on:
|
||||
- werther
|
||||
werther:
|
||||
image: icoreru/werther:v1.0.0
|
||||
environment:
|
||||
WERTHER_IDENTP_HYDRA_URL: http://hydra:4445
|
||||
WERTHER_LDAP_ENDPOINTS: ldap:389
|
||||
WERTHER_LDAP_BINDDN: cn=admin,dc=example,dc=com
|
||||
WERTHER_LDAP_BINDPW: password
|
||||
WERTHER_LDAP_BASEDN: "dc=example,dc=com"
|
||||
WERTHER_LDAP_ROLE_BASEDN: "ou=AppRoles,dc=example,dc=com"
|
||||
networks:
|
||||
- hydra-net
|
||||
ports:
|
||||
- "8080:8080"
|
||||
deploy:
|
||||
restart_policy:
|
||||
condition: on-failure
|
||||
depends_on:
|
||||
- ldap
|
||||
ldap:
|
||||
image: pgarrett/ldap-alpine
|
||||
volumes:
|
||||
- "./ldap.ldif:/ldif/ldap.ldif"
|
||||
networks:
|
||||
- hydra-net
|
||||
ports:
|
||||
- "389:389"
|
||||
deploy:
|
||||
restart_policy:
|
||||
condition: on-failure
|
||||
hydra-client:
|
||||
image: oryd/hydra:v1.0.0-rc.12
|
||||
environment:
|
||||
HYDRA_ADMIN_URL: http://hydra:4445
|
||||
command:
|
||||
- clients
|
||||
- create
|
||||
- --skip-tls-verify
|
||||
- --id
|
||||
- test-client
|
||||
- --secret
|
||||
- test-secret
|
||||
- --response-types
|
||||
- id_token,token,"id_token token"
|
||||
- --grant-types
|
||||
- implicit
|
||||
- --scope
|
||||
- openid,profile,email
|
||||
- --callbacks
|
||||
- http://localhost:3000
|
||||
- --post-logout-callbacks
|
||||
- http://localhost:3000/post-logout-callback
|
||||
networks:
|
||||
- hydra-net
|
||||
deploy:
|
||||
restart_policy:
|
||||
condition: none
|
||||
depends_on:
|
||||
- hydra
|
||||
healthcheck:
|
||||
test: ["CMD", "curl", "-f", "http://hydra:4445"]
|
||||
interval: 10s
|
||||
timeout: 10s
|
||||
retries: 10
|
||||
hydra:
|
||||
image: oryd/hydra:v1.0.0-rc.12
|
||||
environment:
|
||||
URLS_SELF_ISSUER: http://localhost:4444
|
||||
URLS_SELF_PUBLIC: http://localhost:4444
|
||||
URLS_LOGIN: http://localhost:8080/auth/login
|
||||
URLS_CONSENT: http://localhost:8080/auth/consent
|
||||
URLS_LOGOUT: http://localhost:8080/auth/logout
|
||||
WEBFINGER_OIDC_DISCOVERY_SUPPORTED_SCOPES: profile,email,phone
|
||||
WEBFINGER_OIDC_DISCOVERY_SUPPORTED_CLAIMS: name,family_name,given_name,nickname,email,phone_number
|
||||
DSN: memory
|
||||
command: serve all --dangerous-force-http
|
||||
networks:
|
||||
- hydra-net
|
||||
ports:
|
||||
- "4444:4444"
|
||||
- "4445:4445"
|
||||
deploy:
|
||||
restart_policy:
|
||||
condition: on-failure
|
||||
depends_on:
|
||||
- werther
|
||||
werther:
|
||||
image: icoreru/werther:v1.0.0
|
||||
environment:
|
||||
WERTHER_IDENTP_HYDRA_URL: http://hydra:4445
|
||||
WERTHER_LDAP_ENDPOINTS: ldap:389
|
||||
WERTHER_LDAP_BINDDN: cn=admin,dc=example,dc=com
|
||||
WERTHER_LDAP_BINDPW: password
|
||||
WERTHER_LDAP_BASEDN: "dc=example,dc=com"
|
||||
WERTHER_LDAP_ROLE_BASEDN: "ou=AppRoles,dc=example,dc=com"
|
||||
networks:
|
||||
- hydra-net
|
||||
ports:
|
||||
- "8080:8080"
|
||||
deploy:
|
||||
restart_policy:
|
||||
condition: on-failure
|
||||
depends_on:
|
||||
- ldap
|
||||
ldap:
|
||||
image: pgarrett/ldap-alpine
|
||||
volumes:
|
||||
- "./ldap.ldif:/ldif/ldap.ldif"
|
||||
networks:
|
||||
- hydra-net
|
||||
ports:
|
||||
- "389:389"
|
||||
deploy:
|
||||
restart_policy:
|
||||
condition: on-failure
|
||||
networks:
|
||||
hydra-net:
|
||||
```
|
||||
|
||||
3. Run the command:
|
||||
```bash
|
||||
docker stack deploy docker-compose.yml auth
|
||||
docker stack deploy -c docker-compose.yml auth
|
||||
```
|
||||
|
||||
4. Open the browser with http://localhost:4444/oauth2/auth?client_id=test-client&response_type=token&scope=openid%20profile%20email&state=12345678.
|
||||
@ -347,4 +361,6 @@ The code in this project is licensed under [MIT license][license].
|
||||
[oidc-spec-additional-claims]: https://openid.net/specs/openid-connect-core-1_0.html#AdditionalClaims
|
||||
[oidc-spec-session]: https://openid.net/specs/openid-connect-session-1_0.html
|
||||
[oidc-spec-front-channel-logout]: https://openid.net/specs/openid-connect-frontchannel-1_0.html
|
||||
[oidc-spec-back-channel-logout]: https://openid.net/specs/openid-connect-backchannel-1_0.html
|
||||
[oidc-spec-back-channel-logout]: https://openid.net/specs/openid-connect-backchannel-1_0.html
|
||||
|
||||
[uri-spec-encoding]: https://tools.ietf.org/html/rfc3986#section-2
|
||||
|
@ -11,6 +11,7 @@ import (
|
||||
"flag"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"os"
|
||||
|
||||
"github.com/i-core/rlog"
|
||||
@ -58,6 +59,10 @@ func main() {
|
||||
fmt.Fprintf(os.Stderr, "Invalid configuration: %s\n", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
if _, ok := cnf.Identp.ClaimScopes[url.QueryEscape(cnf.LDAP.RoleClaim)]; !ok {
|
||||
fmt.Fprintf(os.Stderr, "Roles claim %q has no mapping to an OpenID Connect scope\n", cnf.LDAP.RoleClaim)
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
logFunc := zap.NewProduction
|
||||
if cnf.DevMode {
|
||||
|
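Review bot: The new startup check in `main` uses `url.QueryEscape(cnf.LDAP.RoleClaim)` as an exact map key, so it passes only when the key in `WERTHER_IDENTP_CLAIM_SCOPES` has precisely the escaping `QueryEscape` produces (upper-case hex, `/` and `:` escaped, space as `+`). Percent-encoding is not canonical and the README points operators to RFC 3986 rather than to this form, so an equivalent key such as `https%3a%2f%2f...` is rejected; that fails closed here, but any code that later matches claims to scopes (not visible in this hunk) must use the same form or the roles claim may be left out of tokens without an error. Decoding the keys once with `url.QueryUnescape` when the configuration is loaded and comparing raw claim names everywhere would remove the ambiguity. Short of that, add a comment above the check, `// ClaimScopes keys must be in url.QueryEscape form; other percent-encodings of the same name do not match.`, and state the same in the `desc` of the `ClaimScopes` tag changed in the `Config` struct hunk below. The body of `main` continues outside the hunk.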
@ -29,7 +29,7 @@ const loginTmplName = "login.tmpl"
|
||||
type Config struct {
|
||||
HydraURL string `envconfig:"hydra_url" required:"true" desc:"an admin URL of ORY Hydra Server"`
|
||||
SessionTTL time.Duration `envconfig:"session_ttl" default:"24h" desc:"a user session's TTL"`
|
||||
ClaimScopes map[string]string `envconfig:"claim_scopes" default:"name:profile,family_name:profile,given_name:profile,email:email,http%3A%2F%2Ffithub.com%2Fi-core.ru%2Fwerther%2Fclaims%2Froles:roles" desc:"a mapping of OpenID Connect claims to scopes (all claims are URL encoded)"`
|
||||
ClaimScopes map[string]string `envconfig:"claim_scopes" default:"name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fgithub.com%2Fi-core%2Fwerther%2Fclaims%2Froles:roles" desc:"a mapping of OpenID Connect claims to scopes (all claims are URL encoded)"`
|
||||
}
|
||||
|
||||
// UserManager is an interface that is used for authentication and providing user's claims.
|
||||
|