Skip to content

raolak/ory-reference-compose

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Build base components

Clone and build individual components:

Hydra

mkdir -p $GOPATH/src/github.com/ory/hydra
cd $GOPATH/src/github.com/ory/hydra
git clone https://github.com/ory/hydra.git .
git checkout v1.10.3
docker build -t ory-hydra:v1.10.3 -f .docker/Dockerfile-build .

Keto

mkdir -p $GOPATH/src/github.com/ory/keto
cd $GOPATH/src/github.com/ory/keto
git clone https://github.com/ory/keto.git .
git checkout v0.6.0-alpha.3
docker build -t ory-keto:v0.6.0-alpha.3 -f .docker/Dockerfile-build .

Kratos

mkdir -p $GOPATH/src/github.com/ory/kratos
cd $GOPATH/src/github.com/ory/kratos
git clone https://github.com/ory/kratos.git .
git checkout v0.7.1-alpha.1
docker build -t ory-kratos:v0.7.1-alpha.1 -f .docker/Dockerfile-build .

Oathkeeper

Right now, Oathkeeper is the only component not providing Docker based build:

mkdir -p $GOPATH/src/github.com/ory/oathkeeper
cd $GOPATH/src/github.com/ory/oathkeeper
git clone https://github.com/ory/oathkeeper.git .
git checkout v0.38.14-beta.1
make .bin/packr2
./.bin/packr2
CGO_ENABLED=0 GO111MODULE=on GOOS=linux GOARCH=amd64 go build
docker build -t ory-oathkeeper:v0.38.14-beta.1 .
rm oathkeeper
./.bin/packr2 clean

Build additional components required by the Compose setup

Kratos self service UI

This is an example browser facing application implementing login, registration, verification and link recovery flows:

mkdir -p $GOPATH/src/github.com/ory/kratos-selfservice-ui-node
cd $GOPATH/src/github.com/ory/kratos-selfservice-ui-node
git clone https://github.com/ory/kratos-selfservice-ui-node.git .
git checkout v0.7.1-alpha.1
docker build -t ory-kratos-selfservice-ui-node:v0.7.1-alpha.1 .

Mailslurper

Kratos always sends emails and mailslurper is a thin SMTP server used by the Compose:

mkdir -p $GOPATH/src/github.com/ory/mailslurper
cd $GOPATH/src/github.com/ory/mailslurper
git clone https://github.com/ory/mailslurper.git .
git checkout master
docker build -t ory-mailslurper:master -f Dockerfile-smtps .

Run

cd compose/
docker run --rm -ti ory-oathkeeper:v0.38.14-beta.1 credentials generate --alg RS256 > configs/oathkeeper/jwks.json
docker-compose -f compose.yml up

Test individual components

Hydra

Create an OAuth 2.0 Client:

docker-compose -f compose.yml exec hydra \
    hydra clients create \
    --endpoint http://127.0.0.1:4445/ \
    --id my-client \
    --secret secret \
    -g client_credentials

List clients:

docker-compose -f compose.yml exec hydra \
    hydra clients list \
    --endpoint http://127.0.0.1:4445/

Perform credentials grant:

docker-compose -f compose.yml exec hydra \
    hydra token client \
    --endpoint http://127.0.0.1:4444/ \
    --client-id my-client \
    --client-secret secret \
    --scope openid,offline

Copy the output access token and introspect:

docker-compose -f compose.yml exec hydra \
    hydra token introspect \
    --endpoint http://127.0.0.1:4445/ ...access token goes here...

Keto

The namespaces are defined in the compose/configs/keto/keto.yml file.

Create a relation tuple:

curl -XPUT --data '{
  "namespace": "default-namespace",
  "object": "blog_posts:my-first-blog-post",
  "relation": "delete",
  "subject": "alice"
}' http://localhost:4467/relation-tuples

Check if the tuple has been created:

curl http://localhost:4466/relation-tuples?namespace=default-namespace

Check if user Alice is allowed to delete the blog post:

curl -XPOST --data '{
  "namespace": "default-namespace",
  "object": "blog_posts:my-first-blog-post",
  "relation": "delete",
  "subject": "alice"
}' http://localhost:4466/check

Kratos

Verify that Kratos is up:

curl --silent http://localhost:4433/health/alive | jq '.'

The result should be:

{
  "status": "ok"
}

Now, open http://127.0.0.1:4455/dashboard in the browser. You should see the following self service app UI:

Self service Kratos UI

Register an account and sign in.

Self service Kratos UI signed in user

Oathkeeper

The rules are defined in compose/configs/oathkeeper/rules.json file. The allow-anonymous-with-header-mutator rule allows an unauthenticated access to the http://127.0.0.1:4455/anything/header URL. Here we validate that:

curl -X GET http://127.0.0.1:4455/anything/header

Gives:

{
  "args": {},
  "data": "",
  "files": {},
  "form": {},
  "headers": {
    "Accept": "*/*",
    "Accept-Encoding": "gzip",
    "Host": "httpbin.org",
    "User-Agent": "curl/7.54.0",
    "X-Amzn-Trace-Id": "Root=1-5f91f003-273d759c25c50cdd24be33c6",
    "X-User": "guest"
  },
  "json": null,
  "method": "GET",
  "origin": "172.22.0.1, 92.209.32.233",
  "url": "https://httpbin.org/anything/header/anything/header"
}

The deny-anonymous rule disallows anonymous access to the http://127.0.0.1:4455/anything/deny URL.

curl --silent -H "Accept: application/json" -X GET http://127.0.0.1:4455/anything/deny | jq '.'

Returns:

{
  "error": {
    "code": 403,
    "status": "Forbidden",
    "message": "Access credentials are not sufficient to access this resource"
  }
}

Scenario

This scenario combines hydra, keto and oathkeeper together to build an end to end example where oathkeeper provides a rule protecting an endpoint using OAuth2 token and a keto permission. This is a first iteration and requires quite some switching between the terminal and a browser.

Create an OpenID Client

docker-compose -f compose.yml exec hydra \
    hydra clients create \
    --endpoint http://127.0.0.1:4445 \
    --id scenario-client \
    --secret secret \
    --grant-types authorization_code,refresh_token \
    --response-types code,id_token \
    --scope openid,offline \
    --callbacks http://127.0.0.1:5555/callback

List Clients

docker-compose -f compose.yml exec hydra \
    hydra clients list \
    --endpoint http://127.0.0.1:4445

Request a user token

docker-compose -f compose.yml exec hydra \
    hydra token user \
    --client-id scenario-client \
    --client-secret secret \
    --endpoint http://127.0.0.1:4444/ \
    --port 5555 \
    --scope openid,offline

This will require navigating to http://127.0.0.1:5555 in the browser.

Exemplary OAuth 2.0 Consumer

Click Authorize application link. The result is an empty page with a URL containing a login_challenge parameter.

Authorize application

Copy the login_challenge value from the URL and proceed:

export login_challenge=...
curl --silent -XPUT http://localhost:4445/oauth2/auth/requests/login/accept?login_challenge=${login_challenge} -d '{
  "acr": "lol",
  "remember": false,
  "remember_for": 0,
  "subject": "scenario"
}' | jq '.'

The result is a JSON value similar to:

{
  "redirect_to": "http://127.0.0.1:4444/oauth2/auth?audience=&client_id=scenario-client&login_verifier=fce3f73081244383a41b1776f0e8b259&max_age=0&nonce=ukpogmszferrybsixvvnmdyk&prompt=&redirect_uri=http%3A%2F%2F127.0.0.1%3A5555%2Fcallback&response_type=code&scope=openid+offline&state=zxzwdotymvehgmolwfujojsd"
}

Copy the value of redirect_to and navigate to that URL in the browser. You will be redirected to the consent_challenge.

Consent challenge

Copy the value of the consent_challenge and proceed:

export consent_challenge=...
curl --silent -XPUT http://localhost:4445/oauth2/auth/requests/consent/accept?consent_challenge=${consent_challenge} -d '{
  "grant_access_token_audience": [
    "scenario-client"
  ],
  "grant_scope": [
    "openid", "offline"
  ],
  "handled_at": "2020-10-23T20:49:00Z",
  "remember": false,
  "remember_for": 0,
  "session": {
    "id_token": {
      "first_name": "Ha",
      "last_name": "Hahah"
    }
  }
}' | jq '.'

The session.id_token property is how the additional claims can be passed to the ID token via user info. This behaviour is documented here: https://www.ory.sh/hydra/docs/concepts/openid-connect-oidc#userinfo. This is the basic primitive for integrating Kratos and Hydra.

The result will be another JSON like this:

{
  "redirect_to": "http://127.0.0.1:4444/oauth2/auth?audience=&client_id=scenario-client&consent_verifier=154fc48c8aec46c79c8d0a27c1b7aab4&max_age=0&nonce=ukpogmszferrybsixvvnmdyk&prompt=&redirect_uri=http%3A%2F%2F127.0.0.1%3A5555%2Fcallback&response_type=code&scope=openid+offline&state=zxzwdotymvehgmolwfujojsd"
}

Again, copy the URL and navigate to it in the browser. You will now see the page with access token, refresh token and ID token.

Tokens

Copy the value of the access token and run the final steps.

Create the keto policy

curl -XPUT --data '{
  "namespace": "default-namespace",
  "object": "token:and:keto",
  "relation": "get",
  "subject": "scenario"
}' http://localhost:4467/relation-tuples

And validate the token - make sure you put the token in the command instead of ...access_token...:

curl -H "Authorization: Bearer ...access_token..." http://127.0.0.1:4455/anything/token-and-keto

The result is similar to:

{
  "args": {},
  "data": "",
  "files": {},
  "form": {},
  "headers": {
    "Accept": "*/*",
    "Accept-Encoding": "gzip",
    "Authorization": "Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzoxZjViOWYwMS0xZTk4LTQ0M2QtOGVjYi01M2RlYjI2NWYxZWIiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOlsic2NlbmFyaW8tY2xpZW50Il0sImNsaWVudF9pZCI6InNjZW5hcmlvLWNsaWVudCIsImV4cCI6MTYwMzQ5NTgyNSwiZXh0Ijp7fSwiaWF0IjoxNjAzNDkyMjI0LCJpc3MiOiJodHRwOi8vMTI3LjAuMC4xOjQ0NDQvIiwianRpIjoiMWMyMjYxMWQtOWRhNS00NmIwLWJkN2MtYzM3ZDk5ODhjOWIxIiwibmJmIjoxNjAzNDkyMjI0LCJzY3AiOlsib3BlbmlkIiwib2ZmbGluZSJdLCJzdWIiOiJzY2VuYXJpbyJ9.aaadR9WL-kAT7TFM9ra-loA6MOYJSgb_RqwgxDjKLMmQ3Cj16_jC3Pi7zKEgfwCS6npb_6mACFRkwCE9Ih5cApuiKjbQXd2pZNrGacywqYmHFD1H_lDT6z2wxEnVJFYDtaCPcufn7YsN0HbRyCNGAXX_eAJoMbp0pa0J8q3penukAEviphRztIzAV6gMrN45G8YM9DWjLsxw44luW2rbRH6F78AdugZkL78JYqIeSwn5Tu93XJ34buPzsdjaMOiyEV9xABgtLTfV3joOneT-yJYTAPj8CCGpxB3LCMTSvBzjiIN7eqcPcw84Kg6zE-cqWfnc3xyQojiFvypOdB-sJKI79n5D3mUdfAmx1fW_-6BoBDw2_nVaFHMS_yLyr9q5vK2FrOj7Cw6VeeoLbZYVREPM6QAdR7Jrleo-mheDS4XixThmmmRqTcduatYRXedTADoh57ICzSVOEJOZ0HP5o4OjUeTrXrm9yn7voxNbR6y-wrLdZZJ7SsQ498NrE72qKzZp-O8UmPWuKOeXt4MBPIVlmYmrjjQ0WseS_4yg3u6rvk80mb5EVaS8cN8dhuzIkHtv0OyOqccqWNVW57VdMza7reN2b0pd-JOmJayZHuO6tcEYsscjtxCZfIteoDiPEXXvKdAGG_8vdo0f53B7wRcEZTDKqqYTitY16G9qh8A",
    "Host": "httpbin.org",
    "User-Agent": "curl/7.54.0",
    "X-Amzn-Trace-Id": "Root=1-5f935a2e-044927e62c7ddc6b1038475f"
  },
  "json": null,
  "method": "GET",
  "origin": "172.22.0.1, 92.209.32.233",
  "url": "https://httpbin.org/anything/token-and-keto/anything/token-and-keto"
}