cmd/werther | ||
internal | ||
.gitignore | ||
.golangci.yml | ||
CHANGELOG.md | ||
ci-testing.yaml | ||
Dockerfile | ||
go.mod | ||
go.sum | ||
README.md |
Werther
Werther is an identity provider for ORY Hydra that is an OAuth2 provider.
Important! The current version is compatible with ORY Hydra v1.0.0-rc.12 or higher.
Build
go install ./...
Development
Assume that your IP is set as $MY_HOST. The instruction will use 4444 TCP port for OAuth2 Provider Hydra, 3000 TCP port for Login Provider Werther, and 8080 TCP port for a callback. Tokens will be expired in ten minutes.
-
Create a network:
docker network create hydra-net
-
Run ORY Hydra:
docker run --network hydra-net -d --restart always --name hydra \ -p 4444:4444 \ -p 4445:4445 \ -e OAUTH2_EXPOSE_INTERNAL_ERRORS=true \ -e LOG_LEVEL=debug \ -e TTL_ACCESS_TOKEN=10m \ -e TTL_ID_TOKEN=10m \ -e SERVE_PUBLIC_CORS_ENABLED=true \ -e SERVE_PUBLIC_CORS_ALLOWED_ORIGINS=http://$MY_HOST:8080 \ -e SERVE_PUBLIC_CORS_ALLOW_CREDENTIALS=true \ -e WEBFINGER_OIDC_DISCOVERY_SUPPORTED_SCOPES=profile,email,phone \ -e WEBFINGER_OIDC_DISCOVERY_SUPPORTED_CLAIMS=name,family_name,given_name,nickname,email,phone_number \ -e URLS_SELF_ISSUER=http://localhost:4444 \ -e URLS_SELF_PUBLIC=http://localhost:4444 \ -e URLS_LOGIN=http://$MY_HOST:3000/auth/login \ -e URLS_CONSENT=http://$MY_HOST:3000/auth/consent \ -e URLS_LOGOUT=http://$MY_HOST:3000/auth/logout \ -e DSN=memory \ oryd/hydra:v1.0.0-rc.12 serve all --dangerous-force-http
You can learn additional properties with help command:
docker run -it --rm oryd/hydra:v1.0.0-rc.12 serve --help
-
Register a client:
docker run -it --rm --network hydra-net \ -e HYDRA_ADMIN_URL=http://hydra:4445 \ oryd/hydra:$HYDRA_VERSION clients create \ --skip-tls-verify \ --id test-client \ --secret test-secret \ --response-types id_token,token,"id_token token" \ --grant-types implicit \ --scope openid,profile,email \ --callbacks http://$MY_HOST:8080 \ --post-logout-callbacks http://$MY_HOST:8080/post-logout-callback
-
Run Werther:
docker run --network hydra-net -d --restart always --name werther -p 3000:8080 \ -e WERTHER_IDENTP_HYDRA_URL=http://hydra:4445 \ -e WERTHER_LDAP_ENDPOINTS=icdc0.icore.local:389,icdc1.icore.local:389 \ -e WERTHER_LDAP_BINDDN=<BINDDN> \ -e WERTHER_LDAP_BINDPW=<BINDDN_PASSWORD> \ -e WERTHER_LDAP_BASEDN="DC=icore,DC=local" \ -e WERTHER_LDAP_ROLE_BASEDN="OU=AppRoles,OU=Domain Groups,DC=icore,DC=local" \ hub.das.i-core.ru/p/base-werther
For all options see option help:
docker run -it --rm hub.das.i-core.ru/p/base-werther -help
-
Start an authentication process in a browser to get an access token:
open http://$MY_HOST:4444/oauth2/auth?client_id=test-client&response_type=token&scope=openid%20profile%20email&state=12345678
-
Start an authentication process in a browser to get an access token and id token:
open http://$MY_HOST:4444/oauth2/auth?client_id=test-client&response_type=id_token%20token&scope=openid%20profile%20email&state=12345678&nonce=87654321
-
Get user info:
http get "http://$MY_HOST:4444/userinfo" "Authorization: Bearer <ACCESS_TOKEN>"
For example, you can get the next output:
HTTP/1.1 200 OK Content-Length: 218 Content-Type: application/json Date: Tue, 31 Jul 2018 17:17:51 GMT Vary: Origin { "email": "klepa@i-core.ru", "family_name": "Lepa", "given_name": "Konstantin", "http://i-core.ru/claims/roles": { "HeraldTest1": [ "user" ] }, "name": "Konstantin Lepa", "sub": "CN=Konstantin Lepa,OU=Domain Users,DC=icore,DC=local" }
Look for details in OpenID Connect Core 1.0.
-
Re-get a token by httpie:
http --session u1 -F -v get \ "http://$MY_HOST:4444/oauth2/auth?client_id=test-client&response_type=token&scope=openid%20profile&state=12345678&prompt=none" \ "Cookie:<COOKIES_FROM_WERTHER_DOMAIN>"
-
Delete a user's session from a browser:
open "http://$MY_HOST:4444/oauth2/auth/sessions/login/revoke"
-
Log a user out from a browser:
open http://$MY_HOST:4444/oauth2/sessions/logout?id_token_hint=<id_token>&post_logout_redirect_uri=http://$MY_HOST:8080/post-logout-callback&state=87654321
After a successful logout, a user will be redirected to the page "http://$MY_HOST:8080/post-logout-callback?state=87654321".
-
(Optional) Sniff TCP packets between Hydra and Werther
docker run -it --rm --net=container:hydra nicolaka/netshoot tcpdump -i eth0 -A -nn port 4444