6.6 KiB

Raw Blame History

Werther

Werther is an identity provider for ORY Hydra that is an OAuth2 provider.

Important! The current version is compatible with ORY Hydra v1.0.0-rc.12 or higher.

Build

go install ./...

Development

Assume that your IP is set as $MY_HOST. The instruction will use 4444 TCP port for OAuth2 Provider Hydra, 3000 TCP port for Login Provider Werther, and 8080 TCP port for a callback. Tokens will be expired in ten minutes.

Create a network:
```
docker network create hydra-net
```

Run ORY Hydra:

docker run --network hydra-net -d --restart always --name hydra                                          \
    -p 4444:4444                                                                                         \
    -p 4445:4445                                                                                         \
    -e OAUTH2_EXPOSE_INTERNAL_ERRORS=true                                                                \
    -e LOG_LEVEL=debug                                                                                   \
    -e TTL_ACCESS_TOKEN=10m                                                                              \
    -e TTL_ID_TOKEN=10m                                                                                  \
    -e SERVE_PUBLIC_CORS_ENABLED=true                                                                    \
    -e SERVE_PUBLIC_CORS_ALLOWED_ORIGINS=http://$MY_HOST:8080                                            \
    -e SERVE_PUBLIC_CORS_ALLOW_CREDENTIALS=true                                                          \
    -e WEBFINGER_OIDC_DISCOVERY_SUPPORTED_SCOPES=profile,email,phone                                     \
    -e WEBFINGER_OIDC_DISCOVERY_SUPPORTED_CLAIMS=name,family_name,given_name,nickname,email,phone_number \
    -e URLS_SELF_ISSUER=http://localhost:4444                                                            \
    -e URLS_SELF_PUBLIC=http://localhost:4444                                                            \
    -e URLS_LOGIN=http://$MY_HOST:3000/auth/login                                                        \
    -e URLS_CONSENT=http://$MY_HOST:3000/auth/consent                                                    \
    -e URLS_LOGOUT=http://$MY_HOST:3000/auth/logout                                                      \
    -e DSN=memory                                                                                        \
    oryd/hydra:v1.0.0-rc.12 serve all --dangerous-force-http

You can learn additional properties with help command:

docker run -it --rm oryd/hydra:v1.0.0-rc.12 serve --help

docker run -it --rm --network hydra-net                                 \
      -e HYDRA_ADMIN_URL=http://hydra:4445                              \
      oryd/hydra:$HYDRA_VERSION clients create                          \
      --skip-tls-verify                                                 \
      --id test-client                                                  \
      --secret test-secret                                              \
      --response-types id_token,token,"id_token token"                  \
      --grant-types implicit                                            \
      --scope openid,profile,email                                      \
      --callbacks http://$MY_HOST:8080                                  \
      --post-logout-callbacks http://$MY_HOST:8080/post-logout-callback

Run Werther:

docker run --network hydra-net -d --restart always --name werther -p 3000:8080      \
      -e WERTHER_IDENTP_HYDRA_URL=http://hydra:4445                                  \
      -e WERTHER_LDAP_ENDPOINTS=icdc0.icore.local:389,icdc1.icore.local:389         \
      -e WERTHER_LDAP_BINDDN=<BINDDN>                                               \
      -e WERTHER_LDAP_BINDPW=<BINDDN_PASSWORD>                                      \
      -e WERTHER_LDAP_BASEDN="DC=icore,DC=local"                                    \
      -e WERTHER_LDAP_ROLE_BASEDN="OU=AppRoles,OU=Domain Groups,DC=icore,DC=local"  \
      hub.das.i-core.ru/p/base-werther

For all options see option help:

docker run -it --rm hub.das.i-core.ru/p/base-werther -help

Start an authentication process in a browser to get an access token:

open http://$MY_HOST:4444/oauth2/auth?client_id=test-client&response_type=token&scope=openid%20profile%20email&state=12345678

Start an authentication process in a browser to get an access token and id token:

open http://$MY_HOST:4444/oauth2/auth?client_id=test-client&response_type=id_token%20token&scope=openid%20profile%20email&state=12345678&nonce=87654321

Get user info:

http get "http://$MY_HOST:4444/userinfo" "Authorization: Bearer <ACCESS_TOKEN>"

For example, you can get the next output:

HTTP/1.1 200 OK
Content-Length: 218
Content-Type: application/json
Date: Tue, 31 Jul 2018 17:17:51 GMT
Vary: Origin

{
    "email": "klepa@i-core.ru",
    "family_name": "Lepa",
    "given_name": "Konstantin",
    "http://i-core.ru/claims/roles": {
        "HeraldTest1": [
            "user"
        ]
    },
    "name": "Konstantin Lepa",
    "sub": "CN=Konstantin Lepa,OU=Domain Users,DC=icore,DC=local"
}

Look for details in OpenID Connect Core 1.0.

Re-get a token by httpie:

http --session u1 -F -v get \
      "http://$MY_HOST:4444/oauth2/auth?client_id=test-client&response_type=token&scope=openid%20profile&state=12345678&prompt=none" \
      "Cookie:<COOKIES_FROM_WERTHER_DOMAIN>"

Delete a user's session from a browser:

open "http://$MY_HOST:4444/oauth2/auth/sessions/login/revoke"

Log a user out from a browser:

open http://$MY_HOST:4444/oauth2/sessions/logout?id_token_hint=<id_token>&post_logout_redirect_uri=http://$MY_HOST:8080/post-logout-callback&state=87654321

After a successful logout, a user will be redirected to the page "http://$MY_HOST:8080/post-logout-callback?state=87654321".

(Optional) Sniff TCP packets between Hydra and Werther

docker run -it --rm --net=container:hydra nicolaka/netshoot tcpdump -i eth0 -A -nn port 4444

6.6 KiB Raw Blame History

Werther

Build

Development

6.6 KiB

Raw Blame History