Fournisseur d'identité LDAP pour serveur Ory/Hydra (OpenID Connect). Basé sur https://github.com/i-core/werther
Go to file
2019-06-07 11:02:50 +03:00
cmd/werther initial commit 2019-06-07 11:02:50 +03:00
internal initial commit 2019-06-07 11:02:50 +03:00
.gitignore initial commit 2019-06-07 11:02:50 +03:00
.golangci.yml initial commit 2019-06-07 11:02:50 +03:00
CHANGELOG.md initial commit 2019-06-07 11:02:50 +03:00
ci-testing.yaml initial commit 2019-06-07 11:02:50 +03:00
Dockerfile initial commit 2019-06-07 11:02:50 +03:00
go.mod initial commit 2019-06-07 11:02:50 +03:00
go.sum initial commit 2019-06-07 11:02:50 +03:00
README.md initial commit 2019-06-07 11:02:50 +03:00

GoDoc

Werther

Werther is a login provider for ORY Hydra that is an OAuth2 provider.

Build

go install ./...

Development

Assume that your IP is set as $MY_HOST. The instruction will use 4444 TCP port for OAuth2 Provider Hydra, 3000 TCP port for Login Provider Werther, and 8080 TCP port for a callback. Tokens will be expired in one minute. There is environment variable HYDRA_VERSION that equals to v1.0.0-beta8.

  1. Create a network:

    docker network create hydra-net
    
  2. Run ORY Hydra:

    docker run --network hydra-net -d --restart always --name hydra                                  \
          -p 4444:4444                                                                               \
          -p 4445:4445                                                                               \
          -e OAUTH2_SHARE_ERROR_DEBUG=1                                                              \
          -e LOG_LEVEL=debug                                                                         \
          -e ACCESS_TOKEN_LIFESPAN=10m                                                               \
          -e ID_TOKEN_LIFESPAN=10m                                                                   \
          -e CORS_ALLOWED_ORIGINS=http://$MY_HOST:8080                                          \
          -e CORS_ALLOWED_CREDENTIALS=true                                                           \
          -e OIDC_DISCOVERY_SCOPES_SUPPORTED=profile,email,phone                                     \
          -e OIDC_DISCOVERY_CLAIMS_SUPPORTED=name,family_name,given_name,nickname,email,phone_number \
          -e OAUTH2_CONSENT_URL=http://$MY_HOST:3000/auth/consent                               \
          -e OAUTH2_LOGIN_URL=http://$MY_HOST:3000/auth/login                                   \
          -e OAUTH2_ISSUER_URL=http://$MY_HOST:4444                                             \
          -e DATABASE_URL=memory                                                                     \
          oryd/hydra:$HYDRA_VERSION serve all --dangerous-force-http
    
    

    You can learn additional properties with help command:

    docker run -it --rm oryd/hydra:$HYDRA_VERSION serve --help
    
  3. Register a client:

    docker run -it --rm --network hydra-net                \
          -e HYDRA_ADMIN_URL=http://hydra:4445             \
          oryd/hydra:$HYDRA_VERSION clients create         \
          --skip-tls-verify                                \
          --id test-client                                 \
          --secret test-secret                             \
          --response-types id_token,token,"id_token token" \
          --grant-types implicit                           \
          --scope openid,profile,email                     \
          --callbacks http://$MY_HOST:8080
    
  4. Run Werther:

    docker run --network hydra-net -d --restart always --name werther -p 3000:8080 \
          -e WERTHER_LOG_FORMAT=console                                            \
          -e WERTHER_HYDRA_ADMIN_URL=http://hydra:4445                             \
          -e WERTHER_LDAP_ENDPOINTS=icdc0.icore.local:389,icdc1.icore.local:389    \
          -e WERTHER_LDAP_BINDDN=<BINDDN>                                          \
          -e WERTHER_LDAP_BINDPW=<BINDDN_PASSWORD>                                 \
          -e WERTHER_LDAP_BASEDN="DC=icore,DC=local"                               \
          -e WERTHER_LDAP_ROLE_BASEDN="OU=AppRoles,OU=Domain Groups,DC=icore,DC=local"  \
          hub.das.i-core.ru/p/base-werther
    

    For all options see option help:

    docker run -it --rm hub.das.i-core.ru/p/base-werther -help
    
  5. Start an authentication process in a browser:

    open http://$MY_HOST:4444/oauth2/auth?client_id=test-client&response_type=token&scope=openid%20profile%20email&state=12345678
    
  6. Get user info:

    http get "http://$MY_HOST:4444/userinfo" "Authorization: Bearer <ACCESS_TOKEN>"
    

    For example, you can get the next output:

    HTTP/1.1 200 OK
    Content-Length: 218
    Content-Type: application/json
    Date: Tue, 31 Jul 2018 17:17:51 GMT
    Vary: Origin
    
    {
        "email": "klepa@i-core.ru",
        "family_name": "Lepa",
        "given_name": "Konstantin",
        "http://i-core.ru/claims/roles": {
            "HeraldTest1": [
                "user"
            ]
        },
        "name": "Konstantin Lepa",
        "sub": "CN=Konstantin Lepa,OU=Domain Users,DC=icore,DC=local"
    }
    

    Look for details in OpenID Connect Core 1.0.

  7. Re-get a token by httpie:

    http --session u1 -F -v get \
          "http://$MY_HOST:4444/oauth2/auth?client_id=test-client&response_type=token&scope=openid%20profile&state=12345678&prompt=none" \
          "Cookie:<COOKIES_FROM_WERTHER_DOMAIN>"
    
  8. Delete a user's session from a browser:

    open "http://$MY_HOST:4444/oauth2/auth/sessions/login/revoke"
    
  9. (Optional) Sniff TCP packets between Hydra and Werther

    docker run -it --rm --net=container:hydra nicolaka/netshoot tcpdump -i eth0 -A -nn port 4444