Clone and build individual components:
mkdir -p $GOPATH/src/github.com/ory/hydra
cd $GOPATH/src/github.com/ory/hydra
git clone https://github.com/ory/hydra.git .
git checkout v1.10.3
docker build -t ory-hydra:v1.10.3 -f .docker/Dockerfile-build .mkdir -p $GOPATH/src/github.com/ory/keto
cd $GOPATH/src/github.com/ory/keto
git clone https://github.com/ory/keto.git .
git checkout v0.6.0-alpha.3
docker build -t ory-keto:v0.6.0-alpha.3 -f .docker/Dockerfile-build .mkdir -p $GOPATH/src/github.com/ory/kratos
cd $GOPATH/src/github.com/ory/kratos
git clone https://github.com/ory/kratos.git .
git checkout v0.7.1-alpha.1
docker build -t ory-kratos:v0.7.1-alpha.1 -f .docker/Dockerfile-build .Right now, Oathkeeper is the only component not providing Docker based build:
mkdir -p $GOPATH/src/github.com/ory/oathkeeper
cd $GOPATH/src/github.com/ory/oathkeeper
git clone https://github.com/ory/oathkeeper.git .
git checkout v0.38.14-beta.1
make .bin/packr2
./.bin/packr2
CGO_ENABLED=0 GO111MODULE=on GOOS=linux GOARCH=amd64 go build
docker build -t ory-oathkeeper:v0.38.14-beta.1 .
rm oathkeeper
./.bin/packr2 cleanThis is an example browser facing application implementing login, registration, verification and link recovery flows:
mkdir -p $GOPATH/src/github.com/ory/kratos-selfservice-ui-node
cd $GOPATH/src/github.com/ory/kratos-selfservice-ui-node
git clone https://github.com/ory/kratos-selfservice-ui-node.git .
git checkout v0.7.1-alpha.1
docker build -t ory-kratos-selfservice-ui-node:v0.7.1-alpha.1 .Kratos always sends emails and mailslurper is a thin SMTP server used by the Compose:
mkdir -p $GOPATH/src/github.com/ory/mailslurper
cd $GOPATH/src/github.com/ory/mailslurper
git clone https://github.com/ory/mailslurper.git .
git checkout master
docker build -t ory-mailslurper:master -f Dockerfile-smtps .
cd compose/
docker run --rm -ti ory-oathkeeper:v0.38.14-beta.1 credentials generate --alg RS256 > configs/oathkeeper/jwks.json
docker-compose -f compose.yml upCreate an OAuth 2.0 Client:
docker-compose -f compose.yml exec hydra \
hydra clients create \
--endpoint http://127.0.0.1:4445/ \
--id my-client \
--secret secret \
-g client_credentialsList clients:
docker-compose -f compose.yml exec hydra \
hydra clients list \
--endpoint http://127.0.0.1:4445/Perform credentials grant:
docker-compose -f compose.yml exec hydra \
hydra token client \
--endpoint http://127.0.0.1:4444/ \
--client-id my-client \
--client-secret secret \
--scope openid,offlineCopy the output access token and introspect:
docker-compose -f compose.yml exec hydra \
hydra token introspect \
--endpoint http://127.0.0.1:4445/ ...access token goes here...The namespaces are defined in the compose/configs/keto/keto.yml file.
Create a relation tuple:
curl -XPUT --data '{
"namespace": "default-namespace",
"object": "blog_posts:my-first-blog-post",
"relation": "delete",
"subject": "alice"
}' http://localhost:4467/relation-tuplesCheck if the tuple has been created:
curl http://localhost:4466/relation-tuples?namespace=default-namespaceCheck if user Alice is allowed to delete the blog post:
curl -XPOST --data '{
"namespace": "default-namespace",
"object": "blog_posts:my-first-blog-post",
"relation": "delete",
"subject": "alice"
}' http://localhost:4466/checkVerify that Kratos is up:
curl --silent http://localhost:4433/health/alive | jq '.'The result should be:
{
"status": "ok"
}Now, open http://127.0.0.1:4455/dashboard in the browser. You should see the following self service app UI:
Register an account and sign in.
The rules are defined in compose/configs/oathkeeper/rules.json file. The allow-anonymous-with-header-mutator rule allows an unauthenticated access to the http://127.0.0.1:4455/anything/header URL. Here we validate that:
curl -X GET http://127.0.0.1:4455/anything/headerGives:
{
"args": {},
"data": "",
"files": {},
"form": {},
"headers": {
"Accept": "*/*",
"Accept-Encoding": "gzip",
"Host": "httpbin.org",
"User-Agent": "curl/7.54.0",
"X-Amzn-Trace-Id": "Root=1-5f91f003-273d759c25c50cdd24be33c6",
"X-User": "guest"
},
"json": null,
"method": "GET",
"origin": "172.22.0.1, 92.209.32.233",
"url": "https://httpbin.org/anything/header/anything/header"
}The deny-anonymous rule disallows anonymous access to the http://127.0.0.1:4455/anything/deny URL.
curl --silent -H "Accept: application/json" -X GET http://127.0.0.1:4455/anything/deny | jq '.'Returns:
{
"error": {
"code": 403,
"status": "Forbidden",
"message": "Access credentials are not sufficient to access this resource"
}
}This scenario combines hydra, keto and oathkeeper together to build an end to end example where oathkeeper provides a rule protecting an endpoint using OAuth2 token and a keto permission. This is a first iteration and requires quite some switching between the terminal and a browser.
docker-compose -f compose.yml exec hydra \
hydra clients create \
--endpoint http://127.0.0.1:4445 \
--id scenario-client \
--secret secret \
--grant-types authorization_code,refresh_token \
--response-types code,id_token \
--scope openid,offline \
--callbacks http://127.0.0.1:5555/callbackdocker-compose -f compose.yml exec hydra \
hydra clients list \
--endpoint http://127.0.0.1:4445docker-compose -f compose.yml exec hydra \
hydra token user \
--client-id scenario-client \
--client-secret secret \
--endpoint http://127.0.0.1:4444/ \
--port 5555 \
--scope openid,offlineThis will require navigating to http://127.0.0.1:5555 in the browser.
Click Authorize application link. The result is an empty page with a URL containing a login_challenge parameter.
Copy the login_challenge value from the URL and proceed:
export login_challenge=...curl --silent -XPUT http://localhost:4445/oauth2/auth/requests/login/accept?login_challenge=${login_challenge} -d '{
"acr": "lol",
"remember": false,
"remember_for": 0,
"subject": "scenario"
}' | jq '.'The result is a JSON value similar to:
{
"redirect_to": "http://127.0.0.1:4444/oauth2/auth?audience=&client_id=scenario-client&login_verifier=fce3f73081244383a41b1776f0e8b259&max_age=0&nonce=ukpogmszferrybsixvvnmdyk&prompt=&redirect_uri=http%3A%2F%2F127.0.0.1%3A5555%2Fcallback&response_type=code&scope=openid+offline&state=zxzwdotymvehgmolwfujojsd"
}Copy the value of redirect_to and navigate to that URL in the browser. You will be redirected to the consent_challenge.
Copy the value of the consent_challenge and proceed:
export consent_challenge=...curl --silent -XPUT http://localhost:4445/oauth2/auth/requests/consent/accept?consent_challenge=${consent_challenge} -d '{
"grant_access_token_audience": [
"scenario-client"
],
"grant_scope": [
"openid", "offline"
],
"handled_at": "2020-10-23T20:49:00Z",
"remember": false,
"remember_for": 0,
"session": {
"id_token": {
"first_name": "Ha",
"last_name": "Hahah"
}
}
}' | jq '.'The session.id_token property is how the additional claims can be passed to the ID token via user info. This behaviour is documented here: https://www.ory.sh/hydra/docs/concepts/openid-connect-oidc#userinfo. This is the basic primitive for integrating Kratos and Hydra.
The result will be another JSON like this:
{
"redirect_to": "http://127.0.0.1:4444/oauth2/auth?audience=&client_id=scenario-client&consent_verifier=154fc48c8aec46c79c8d0a27c1b7aab4&max_age=0&nonce=ukpogmszferrybsixvvnmdyk&prompt=&redirect_uri=http%3A%2F%2F127.0.0.1%3A5555%2Fcallback&response_type=code&scope=openid+offline&state=zxzwdotymvehgmolwfujojsd"
}Again, copy the URL and navigate to it in the browser. You will now see the page with access token, refresh token and ID token.
Copy the value of the access token and run the final steps.
curl -XPUT --data '{
"namespace": "default-namespace",
"object": "token:and:keto",
"relation": "get",
"subject": "scenario"
}' http://localhost:4467/relation-tuplesAnd validate the token - make sure you put the token in the command instead of ...access_token...:
curl -H "Authorization: Bearer ...access_token..." http://127.0.0.1:4455/anything/token-and-ketoThe result is similar to:
{
"args": {},
"data": "",
"files": {},
"form": {},
"headers": {
"Accept": "*/*",
"Accept-Encoding": "gzip",
"Authorization": "Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzoxZjViOWYwMS0xZTk4LTQ0M2QtOGVjYi01M2RlYjI2NWYxZWIiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOlsic2NlbmFyaW8tY2xpZW50Il0sImNsaWVudF9pZCI6InNjZW5hcmlvLWNsaWVudCIsImV4cCI6MTYwMzQ5NTgyNSwiZXh0Ijp7fSwiaWF0IjoxNjAzNDkyMjI0LCJpc3MiOiJodHRwOi8vMTI3LjAuMC4xOjQ0NDQvIiwianRpIjoiMWMyMjYxMWQtOWRhNS00NmIwLWJkN2MtYzM3ZDk5ODhjOWIxIiwibmJmIjoxNjAzNDkyMjI0LCJzY3AiOlsib3BlbmlkIiwib2ZmbGluZSJdLCJzdWIiOiJzY2VuYXJpbyJ9.aaadR9WL-kAT7TFM9ra-loA6MOYJSgb_RqwgxDjKLMmQ3Cj16_jC3Pi7zKEgfwCS6npb_6mACFRkwCE9Ih5cApuiKjbQXd2pZNrGacywqYmHFD1H_lDT6z2wxEnVJFYDtaCPcufn7YsN0HbRyCNGAXX_eAJoMbp0pa0J8q3penukAEviphRztIzAV6gMrN45G8YM9DWjLsxw44luW2rbRH6F78AdugZkL78JYqIeSwn5Tu93XJ34buPzsdjaMOiyEV9xABgtLTfV3joOneT-yJYTAPj8CCGpxB3LCMTSvBzjiIN7eqcPcw84Kg6zE-cqWfnc3xyQojiFvypOdB-sJKI79n5D3mUdfAmx1fW_-6BoBDw2_nVaFHMS_yLyr9q5vK2FrOj7Cw6VeeoLbZYVREPM6QAdR7Jrleo-mheDS4XixThmmmRqTcduatYRXedTADoh57ICzSVOEJOZ0HP5o4OjUeTrXrm9yn7voxNbR6y-wrLdZZJ7SsQ498NrE72qKzZp-O8UmPWuKOeXt4MBPIVlmYmrjjQ0WseS_4yg3u6rvk80mb5EVaS8cN8dhuzIkHtv0OyOqccqWNVW57VdMza7reN2b0pd-JOmJayZHuO6tcEYsscjtxCZfIteoDiPEXXvKdAGG_8vdo0f53B7wRcEZTDKqqYTitY16G9qh8A",
"Host": "httpbin.org",
"User-Agent": "curl/7.54.0",
"X-Amzn-Trace-Id": "Root=1-5f935a2e-044927e62c7ddc6b1038475f"
},
"json": null,
"method": "GET",
"origin": "172.22.0.1, 92.209.32.233",
"url": "https://httpbin.org/anything/token-and-keto/anything/token-and-keto"
}