Fournisseur d'identité LDAP pour serveur Ory/Hydra (OpenID Connect). Basé sur https://github.com/i-core/werther
Go to file
2019-06-07 11:03:00 +03:00
cmd/werther logout: add support of logout flow 2019-06-07 11:03:00 +03:00
internal logout: add support of logout flow 2019-06-07 11:03:00 +03:00
.gitignore initial commit 2019-06-07 11:02:50 +03:00
.golangci.yml logout: add support of logout flow 2019-06-07 11:03:00 +03:00
CHANGELOG.md logout: add support of logout flow 2019-06-07 11:03:00 +03:00
ci-testing.yaml logout: add support of logout flow 2019-06-07 11:03:00 +03:00
Dockerfile logout: add support of logout flow 2019-06-07 11:03:00 +03:00
go.mod logout: add support of logout flow 2019-06-07 11:03:00 +03:00
go.sum logout: add support of logout flow 2019-06-07 11:03:00 +03:00
README.md logout: add support of logout flow 2019-06-07 11:03:00 +03:00

GoDoc

Werther

Werther is an identity provider for ORY Hydra that is an OAuth2 provider.

Important! The current version is compatible with ORY Hydra v1.0.0-rc.12 or higher.

Build

go install ./...

Development

Assume that your IP is set as $MY_HOST. The instruction will use 4444 TCP port for OAuth2 Provider Hydra, 3000 TCP port for Login Provider Werther, and 8080 TCP port for a callback. Tokens will be expired in ten minutes.

  1. Create a network:

    docker network create hydra-net
    
  2. Run ORY Hydra:

    docker run --network hydra-net -d --restart always --name hydra                                          \
        -p 4444:4444                                                                                         \
        -p 4445:4445                                                                                         \
        -e OAUTH2_EXPOSE_INTERNAL_ERRORS=true                                                                \
        -e LOG_LEVEL=debug                                                                                   \
        -e TTL_ACCESS_TOKEN=10m                                                                              \
        -e TTL_ID_TOKEN=10m                                                                                  \
        -e SERVE_PUBLIC_CORS_ENABLED=true                                                                    \
        -e SERVE_PUBLIC_CORS_ALLOWED_ORIGINS=http://$MY_HOST:8080                                            \
        -e SERVE_PUBLIC_CORS_ALLOW_CREDENTIALS=true                                                          \
        -e WEBFINGER_OIDC_DISCOVERY_SUPPORTED_SCOPES=profile,email,phone                                     \
        -e WEBFINGER_OIDC_DISCOVERY_SUPPORTED_CLAIMS=name,family_name,given_name,nickname,email,phone_number \
        -e URLS_SELF_ISSUER=http://localhost:4444                                                            \
        -e URLS_SELF_PUBLIC=http://localhost:4444                                                            \
        -e URLS_LOGIN=http://$MY_HOST:3000/auth/login                                                        \
        -e URLS_CONSENT=http://$MY_HOST:3000/auth/consent                                                    \
        -e URLS_LOGOUT=http://$MY_HOST:3000/auth/logout                                                      \
        -e DSN=memory                                                                                        \
        oryd/hydra:v1.0.0-rc.12 serve all --dangerous-force-http
    

    You can learn additional properties with help command:

    docker run -it --rm oryd/hydra:v1.0.0-rc.12 serve --help
    
  3. Register a client:

    docker run -it --rm --network hydra-net                                 \
          -e HYDRA_ADMIN_URL=http://hydra:4445                              \
          oryd/hydra:$HYDRA_VERSION clients create                          \
          --skip-tls-verify                                                 \
          --id test-client                                                  \
          --secret test-secret                                              \
          --response-types id_token,token,"id_token token"                  \
          --grant-types implicit                                            \
          --scope openid,profile,email                                      \
          --callbacks http://$MY_HOST:8080                                  \
          --post-logout-callbacks http://$MY_HOST:8080/post-logout-callback
    
  4. Run Werther:

    docker run --network hydra-net -d --restart always --name werther -p 3000:8080      \
          -e WERTHER_IDENTP_HYDRA_URL=http://hydra:4445                                  \
          -e WERTHER_LDAP_ENDPOINTS=icdc0.icore.local:389,icdc1.icore.local:389         \
          -e WERTHER_LDAP_BINDDN=<BINDDN>                                               \
          -e WERTHER_LDAP_BINDPW=<BINDDN_PASSWORD>                                      \
          -e WERTHER_LDAP_BASEDN="DC=icore,DC=local"                                    \
          -e WERTHER_LDAP_ROLE_BASEDN="OU=AppRoles,OU=Domain Groups,DC=icore,DC=local"  \
          hub.das.i-core.ru/p/base-werther
    

    For all options see option help:

    docker run -it --rm hub.das.i-core.ru/p/base-werther -help
    
  5. Start an authentication process in a browser to get an access token:

    open http://$MY_HOST:4444/oauth2/auth?client_id=test-client&response_type=token&scope=openid%20profile%20email&state=12345678
    
  6. Start an authentication process in a browser to get an access token and id token:

    open http://$MY_HOST:4444/oauth2/auth?client_id=test-client&response_type=id_token%20token&scope=openid%20profile%20email&state=12345678&nonce=87654321
    
  7. Get user info:

    http get "http://$MY_HOST:4444/userinfo" "Authorization: Bearer <ACCESS_TOKEN>"
    

    For example, you can get the next output:

    HTTP/1.1 200 OK
    Content-Length: 218
    Content-Type: application/json
    Date: Tue, 31 Jul 2018 17:17:51 GMT
    Vary: Origin
    
    {
        "email": "klepa@i-core.ru",
        "family_name": "Lepa",
        "given_name": "Konstantin",
        "http://i-core.ru/claims/roles": {
            "HeraldTest1": [
                "user"
            ]
        },
        "name": "Konstantin Lepa",
        "sub": "CN=Konstantin Lepa,OU=Domain Users,DC=icore,DC=local"
    }
    

    Look for details in OpenID Connect Core 1.0.

  8. Re-get a token by httpie:

    http --session u1 -F -v get \
          "http://$MY_HOST:4444/oauth2/auth?client_id=test-client&response_type=token&scope=openid%20profile&state=12345678&prompt=none" \
          "Cookie:<COOKIES_FROM_WERTHER_DOMAIN>"
    
  9. Delete a user's session from a browser:

    open "http://$MY_HOST:4444/oauth2/auth/sessions/login/revoke"
    
  10. Log a user out from a browser:

    open http://$MY_HOST:4444/oauth2/sessions/logout?id_token_hint=<id_token>&post_logout_redirect_uri=http://$MY_HOST:8080/post-logout-callback&state=87654321
    

    After a successful logout, a user will be redirected to the page "http://$MY_HOST:8080/post-logout-callback?state=87654321".

  11. (Optional) Sniff TCP packets between Hydra and Werther

    docker run -it --rm --net=container:hydra nicolaka/netshoot tcpdump -i eth0 -A -nn port 4444