OpenID hydra dex
F… When you follow the steps below and run them, you may get: level=error msg="An error occurred" debug="No CSRF value available in the session cookie" description="The request is not allowed" error=request_forbidden hint="You are not allowed to perform this action."
This happens when you keep using the same browser after restarting Docker or clearing cookies; I tried many things. Just use the browser's private mode.
I tried dex as a Docker image and as a binary, but both failed, so I skipped it.
Hydra docker-compose
1. Get https://github.com/ory/hydra
docker-compose -f quickstart.yml -f quickstart-postgres.yml up --build
Note quickstart.yml
If you run Docker or the binary directly on the host, the "IP used" in the Hydra 5-minute demo is 127.0.0.1:
version: '3'
services:
  hydra:
    image: oryd/hydra:latest
    ports:
      - "4444:4444" # Public port
      - "4445:4445" # Admin port
      - "5555:5555" # Port for hydra token user
    command:
      serve all --dangerous-force-http
    environment:
      - URLS_SELF_ISSUER=http://127.0.0.1:4444
      - URLS_CONSENT=http://127.0.0.1:3000/consent
      - URLS_LOGIN=http://127.0.0.1:3000/login
      - URLS_LOGOUT=http://127.0.0.1:3000/logout
      - DSN=memory
      - SECRETS_SYSTEM=youReallyNeedToChangeThis
      - OIDC_SUBJECT_TYPES_SUPPORTED=public,pairwise
      - OIDC_SUBJECT_TYPE_PAIRWISE_SALT=youReallyNeedToChangeThis
    restart: unless-stopped
  consent:
    environment:
      - HYDRA_ADMIN_URL=http://hydra:4445
    image: oryd/hydra-login-consent-node:latest
    ports:
      - "3000:3000"
    restart: unless-stopped
If you run on a VM or a real server, use its real IP, e.g. 192.168.99.100 (docker-machine):
version: '3'
services:
  hydra:
    image: oryd/hydra:latest
    ports:
      - "4444:4444" # Public port
      - "4445:4445" # Admin port
      - "5555:5555" # Port for hydra token user
    command:
      serve all --dangerous-force-http
    environment:
      - URLS_SELF_ISSUER=http://192.168.99.100:4444
      - URLS_CONSENT=http://192.168.99.100:3000/consent
      - URLS_LOGIN=http://192.168.99.100:3000/login
      - URLS_LOGOUT=http://192.168.99.100:3000/logout
      - DSN=memory
      - SECRETS_SYSTEM=youReallyNeedToChangeThis
      - OIDC_SUBJECT_TYPES_SUPPORTED=public,pairwise
      - OIDC_SUBJECT_TYPE_PAIRWISE_SALT=youReallyNeedToChangeThis
    restart: unless-stopped
  consent:
    environment:
      - HYDRA_ADMIN_URL=http://hydra:4445
    image: oryd/hydra-login-consent-node:latest
    ports:
      - "3000:3000"
    restart: unless-stopped
If you have CORS problems, see https://github.com/ory/hydra/blob/master/quickstart-cors.yml
Check whether Hydra (OpenID) started correctly:
http://192.168.99.100:4444/.well-known/jwks.json
Create clients
Download the hydra binary:
https://www.ory.sh/docs/next/hydra/install#download-binaries
https://github.com/ory/hydra/releases
https://github.com/ory/hydra/releases/tag/v1.0.0-rc.15
PS: the version may have been updated since, so get the newest one.
hydra clients create --endpoint http://192.168.99.100:4445/ --id auth-code-client --secret secret --grant-types authorization_code,refresh_token --response-types code,id_token --scope openid,offline --callbacks http://127.0.0.1:5555/callback
! The new version uses --endpoint, unlike the earlier --auth-url and --token-url, but I think you can still use the old way… maybe.
! The scope "openid,offline" must be used identically in the next step, so the scope is defined by you.
Thanks https://dotblogs.com.tw/liguobao/2018/12/30/132746
Check clients:
hydra clients list --endpoint http://192.168.99.100:4445
Emulate all OpenID steps
Follow the website that pops up when you run the command. If nothing pops up, open http://127.0.0.1:5555/
hydra token user --client-id auth-code-client --client-secret secret --endpoint http://192.168.99.100:4444 --port 5555 --scope openid,offline
This step runs a server on port 5555.
! Here the scope "openid,offline" must be the same as the one used when creating the client.
Get userinfo. Copy the access token and replace the string after Bearer:
curl -X GET http://192.168.99.100:4444/userinfo -H 'Accept: application/json' -H 'Authorization: Bearer MmadDHs3VdWC7LZTIdBKUHyzgsWHe2XbzHpwjKrF7Rs.tXlg7rShEEbkcczNWJGS84sIvokTF6Ae7bhSQZfHMgA'
You get JSON:
{"sid":"c7d5665b-76e7-475a-95a8-cc521352663b","sub":"foo@bar.com"}
To add or change the userinfo returned, edit:
https://github.com/ory/hydra-login-consent-node/blob/master/routes/login.js
subject: 'foo@bar.com', -> subject: 'foo@bar.com-success',
Testing this in Docker:
1. docker ps
2. Get the container id of oryd/hydra-login-consent-node:v1.0.0-rc.10
3. docker exec -it containerid /bin/sh
4. vi bin/www, change port 3000 -> 3001
5. vi routes/login.js, subject: 'foo@bar.com', => subject: 'foo@bar.com--success',
6. node ./bin/www &
7. ps
8. Kill the old node process (this exits the container)
9. docker exec -it containerid /bin/sh
10. vi bin/www, change port 3001 -> 3000
11. node ./bin/www &
12. Kill the old node process (this exits the container)
13. docker exec -it containerid /bin/sh
14. netstat -nlp (check port 3000)
====================
https://mileschou.github.io/auth-notes/src/hydra/user-login-and-consent-flow.html#oauth-2-0-%E8%88%87-open-id-connect
====================
https://dotblogs.com.tw/liguobao/2018/12/30/132746
OAUTH2_ISSUER_URL: the address where hydra runs
OAUTH2_CONSENT_URL: the consent page address
OAUTH2_LOGIN_URL: the login page address
App XX requests authorization
-> redirect to OAUTH2_LOGIN_URL
-> login succeeds
-> redirect to the OAUTH2_CONSENT_URL consent page
-> consent granted
-> call back to app XX's address and return the authorization code/token
-> app XX uses the code/token to fetch user info or perform other operations
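As an added example (not code from this page, from ORY, or from the linked blogs), here is a minimal client-side helper in Python for the authorization-code flow that "hydra token user" emulates above and that the outline just before this sketches; it assumes the quickstart values used on this page (Hydra public endpoint http://192.168.99.100:4444, client auth-code-client with secret "secret", callback http://127.0.0.1:5555/callback, registered scope "openid offline") and uses only the standard library.

```python
"""Client-side helpers for the Hydra authorization-code flow (added example).
Assumed values come from the quickstart on this page."""
import base64
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

HYDRA_PUBLIC = "http://192.168.99.100:4444"          # URLS_SELF_ISSUER
CLIENT_ID = "auth-code-client"                       # from `hydra clients create`
CALLBACK = "http://127.0.0.1:5555/callback"          # --callbacks
REGISTERED_SCOPE = {"openid", "offline"}             # --scope openid,offline

def build_authorize_url(scope, state=None, nonce=None):
    """Return (url, state, nonce) for GET /oauth2/auth. The requested scope
    must be a subset of the scope registered for the client, otherwise
    Hydra answers with invalid_scope (the "must be the same" note above)."""
    requested = set(scope.split())
    if not requested <= REGISTERED_SCOPE:
        raise ValueError(f"scope not registered for client: {requested - REGISTERED_SCOPE}")
    state = state or secrets.token_urlsafe(16)   # client-side CSRF token, kept in the client session
    nonce = nonce or secrets.token_urlsafe(16)   # echoed back inside the id_token
    params = {"client_id": CLIENT_ID, "response_type": "code", "redirect_uri": CALLBACK,
              "scope": " ".join(sorted(requested)), "state": state, "nonce": nonce}
    return f"{HYDRA_PUBLIC}/oauth2/auth?{urlencode(params)}", state, nonce

def parse_callback(callback_url, expected_state):
    """Validate the redirect back to CALLBACK and return the code.
    Rejects error responses and any state that does not match the one this
    session issued (the client's own CSRF check; Hydra separately keeps a
    CSRF value in its session cookie, which the error at the top of the
    page refers to)."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise RuntimeError(f"{q['error'][0]}: {q.get('error_description', [''])[0]}")
    state = q.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise PermissionError("state mismatch: callback did not originate from this session")
    return q["code"][0]

def token_request(code, client_secret):
    """Return (url, headers, body) for POST /oauth2/token; the client
    authenticates with HTTP Basic, the code is bound to redirect_uri."""
    basic = base64.b64encode(f"{CLIENT_ID}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code, "redirect_uri": CALLBACK})
    return f"{HYDRA_PUBLIC}/oauth2/token", headers, body
```

The access token from the token response is what goes after Bearer in the userinfo curl shown earlier.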