
examples-archive's Introduction

ORY Ecosystem Deployment Examples


This repository contains deployment examples and templates for the ORY Ecosystem. It does not contain examples for the ORY Editor; it covers ORY Hydra, ORY Oathkeeper, and ORY Keto.

Overview

Each example typically consists of these parts:

  • docker-compose.yml: The definition for docker-compose.
  • supervisord.conf: Configuration for supervisord which runs multiple services at once in one Docker container.
  • config: Contains configuration items (typically JSON files) for OAuth 2.0 Clients, Access Control Policies, and so on.
  • Dockerfile: A customized Dockerfile that is capable of running supervisord as well as each service.

Please be aware that you can't run multiple examples at once as ports will clash. Use make rm-<example-name> to kill and remove the containers of a running example before starting up another one.

Scripts

We wrote several helper scripts capable of:

  • Substituting environment variables in JSON files
  • Retrying statements on failure
  • Importing JSON files to the respective services (ORY Hydra, ORY Keto, ORY Oathkeeper)

You will encounter several environment variables in each docker-compose.yml file. These are either used for the services directly (e.g. HYDRA_DATABASE_URL) or are used for variable substitution in the configuration files (e.g. HYDRA_SUBJECT_PREFIX).

Typically, environment variables are prefixed with the name of the service they are used for, so HYDRA_DATABASE_URL becomes the DATABASE_URL environment variable for ORY Hydra. We use variable substitution in the supervisord.conf file to achieve that.

Examples

This repository provides several examples. Each example is documented in detail in the example's README.

  • Full Stack: This example sets up all ORY services, the exemplary User Login and Consent Application, the exemplary OAuth 2.0 Consumer Application, and an exemplary Resource Server as well as example policies and OAuth 2.0 Clients.
  • Basic ORY Hydra setup: This example sets up ORY Hydra and our exemplary User Login and Consent Application. It is the minimal required setup for ORY Hydra, which you can use to start experimenting.
  • Backwards-compatible template: This example provides a Docker Image that offers a backwards compatible (for versions 0.11.0 / 0.10.0) experience by combining ORY Oathkeeper, ORY Keto, and ORY Hydra in the same Docker Image.

Apps

This repository contains two exemplary applications, both written in NodeJS with Express. The idea here is to show you the different ways you can authorize requests on both sides (consumer, resource server) and how the approaches to protecting your services with ORY Keto, ORY Oathkeeper, ORY Hydra, or any combination of the three differ.

The applications' code has been documented, and we encourage you to read it. Please note that almost all SDKs used (like Passport.js) are built on open standards such as OAuth 2.0, so if you do not write applications in NodeJS you will be able to find SDKs with similar functionality in other languages.

Please note that the code is making use of some ES6 features, such as arrow functions, as well as async/await. Additionally, don't be fooled by ~100 Lines of Code. We packed everything in one file so you have a better time navigating the source code. The most interesting files will be the ones contained in the routes directory. All other files are either boilerplate ExpressJS or HTML views, with minimal changes to the ExpressJS middleware in each respective ./app.js file.

Resource Server

A resource server is an application that, for example, exposes a CRUD API for modifying blog articles. Resource servers are usually protected - you don't want a hacker to be able to delete all your blog articles - and require valid credentials (authentication) as well as a certain permission (e.g. alice is allowed to modify this article) in order to execute the action.

There are different types of credentials (Cookie, JSON Web Token, OAuth 2.0 Access Token, ...) that can be used to protect a resource server. Therefore, the resource server has several different routes:

  • /introspect: This route requires that an OAuth 2.0 Access Token is included in the HTTP header (Authorization: bearer <token>) and uses the OAuth 2.0 Token Introspection flow to validate the token.
  • /oathkeeper: This route also accepts a bearer token (Authorization: bearer <token>), but this time it has to be a JSON Web Token signed by ORY Oathkeeper.
  • /warden/: This route uses the ORY Keto Warden API to check whether the requester is allowed to perform the requested action. It consists of two subroutes:
    • /warden/access-token: This endpoint requires an OAuth 2.0 Access Token in the HTTP header (Authorization: bearer <token>) and checks if the token's subject is allowed to perform the requested action using ORY Keto.
    • /warden/subject: This endpoint requires HTTP Basic Auth (Authorization: basic ...) and checks if the provided credentials match the username/password pairs (peter:password1, bob:password2) and if so, asks the ORY Keto Warden API if the user (e.g. peter, bob, alice) is allowed to perform the action.
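The check behind the /introspect route, written as pure functions so it can be exercised without a running ORY Hydra. This is an added example, not code from the examples repository; it assumes Hydra's admin API answers POST /oauth2/introspect (admin port 4445 in the full-stack example) with RFC 7662 JSON, and the token, subject and expiry values are constructed.

```javascript
// Added example (not code from the ORY examples repository): the check the
// resource server's /introspect route performs, as pure functions that run
// without a live ORY Hydra. Assumption: Hydra's admin API answers
// POST /oauth2/introspect (admin port 4445 in the full-stack example) with
// RFC 7662 JSON such as { active, sub, scope, exp }.

// Pull the token out of "Authorization: bearer <token>"; the scheme name is
// case-insensitive (RFC 6750). Returns null for a missing or malformed header.
function parseBearer(authorizationHeader) {
  if (typeof authorizationHeader !== 'string') return null;
  const m = authorizationHeader.match(/^\s*bearer\s+(\S+)\s*$/i);
  return m ? m[1] : null;
}

// Form-encoded introspection request. Hydra accepts an optional "scope"
// parameter and reports active:false if the token was not granted it; the
// route below still verifies the scope itself instead of relying on that.
function introspectionRequest(token, requiredScope) {
  const params = new URLSearchParams({ token });
  if (requiredScope) params.set('scope', requiredScope);
  return {
    method: 'POST',
    url: 'http://localhost:4445/oauth2/introspect',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: params.toString(),
  };
}

// Turn the introspection response into an allow/deny decision. Each denial
// carries a reason for the server log; clients only see the status code.
function authorizeIntrospected(response, requiredScope, nowSeconds) {
  if (!response || response.active !== true) {
    return { allowed: false, status: 401, reason: 'token inactive' };
  }
  // exp is optional in RFC 7662; when present, enforce it with our own clock.
  if (typeof response.exp === 'number' && response.exp <= nowSeconds) {
    return { allowed: false, status: 401, reason: 'token expired' };
  }
  const granted = (response.scope || '').split(' ').filter(Boolean);
  if (requiredScope && !granted.includes(requiredScope)) {
    return { allowed: false, status: 403, reason: 'missing scope ' + requiredScope };
  }
  return { allowed: true, status: 200, subject: response.sub };
}

// Route glue: header in, decision out. The call to Hydra is injected so the
// whole path can be tested with a constructed introspection response.
function checkIntrospectRoute(authorizationHeader, requiredScope, introspect, nowSeconds) {
  const token = parseBearer(authorizationHeader);
  if (!token) return { allowed: false, status: 401, reason: 'no bearer token' };
  return authorizeIntrospected(introspect(introspectionRequest(token, requiredScope)),
                               requiredScope, nowSeconds);
}

// Constructed sample: introspection result for a token alice was granted with
// the scopes "openid articles.read" (values invented for this example).
const sampleIntrospection = { active: true, sub: 'alice', scope: 'openid articles.read', exp: 1700000600 };
const decision = checkIntrospectRoute('bearer constructed-token', 'articles.read',
                                      () => sampleIntrospection, 1700000000);
console.log(decision); // { allowed: true, status: 200, subject: 'alice' }
```

In the real route the injected function would POST the returned request to Hydra and parse the JSON body; the decision logic stays the same.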

Consumer Application

The consumer application is a web server that fetches data from the backend ("resource server") and displays it. In this particular case, the application makes requests to different Resource Server endpoints.

The consumer application has several routes (e.g. /articles/secure-backend-with-oauth2-token-introspection) which use different endpoints at the Resource Server. The idea here is to show you the different ways you can authorize requests on both sides (consumer, resource server).

Some endpoints in the consumer application require a valid OAuth 2.0 Access Token from the user. When accessing one of those endpoints, you will be redirected to ORY Hydra and asked to log in and grant the application the required scopes. Make sure to select all scopes or the examples might not work.

Development

If you wish to develop one of the projects and test it against the examples here, first build the Docker image for each project:

docker build -t oryd/hydra:dev $GOPATH/src/github.com/ory/hydra/
docker build -t oryd/oathkeeper:dev $GOPATH/src/github.com/ory/oathkeeper/
docker build -t oryd/keto:dev $GOPATH/src/github.com/ory/keto/

then run Docker Compose in the example you wish to test, setting the version tags to dev:

$ cd some/example
$ LOGIN_CONSENT_VERSION=v1.0.0-beta.2 HYDRA_VERSION=dev KETO_VERSION=dev OATHKEEPER_VERSION=dev docker-compose up --build -d


examples-archive's Issues

secure backend with Token Introspection is not working

When attempting to access /articles/secure-backend-with-oauth2-token-introspection with a valid token, the following error is presented: gist

Token works on other endpoints just fine.
Image attached

The logfile:
GET /articles/secure-backend-with-oauth2-token-introspection 304 462.220 ms - -

start-full-stack does not bootstrap properly on Windows 10 (CR/LF issue)

Configuration: Docker for Windows 10, git bash, gnu make.exe

After running "make start-full-stack", the docker containers build and start running, but the various curl commands return no records for clients, rules, or policies.

The docker log for the configurator container shows that various scripts in the scripts folder fail to run owing to carriage-returns injected by git.

The resolution is fairly simple -- add a .gitattributes file to disable CR/LF translation:

# Never do crlf translation of bash scripts
*.sh -crlf

I can submit a PR with this change, if desired.

full stack examples return Forbidden on last step

I did

docker stop $(docker ps -aq)
docker rm $(docker ps -aq)
make start-full-stack

Following curls worked without errors by returning some JSON

$ curl http://localhost:4445/clients
$ curl http://localhost:4456/rules
$ curl http://localhost:4466/policies

 hydra token user --client-id example-auth-code --client-secret secret --endpoint http://localhost:4444 --port 5555

opens Safari and everything works fine to the end page with introspection.

But when I open http://127.0.0.1:4477 there are 4 example links. The first 3 links fail in the same way.

They ask for login, then they ask for consent, and then they print "Forbidden".

URL looks like http://localhost:4477/auth/callback?code=SBOIQzPSKeMy3GmtzcCOV3H0cTBfRuYzY7zlZlNvPwA.Sm5hL36-kRH2Vq9w1DYfG9BYLdkFM5UwVEW5GViAI60&scope=offline%20openid%20articles.read&state=Z2VgU7vQAmSTIsBSsGI7DrV9

Secure backend with ORY Oathkeeper is not working

When attempting to access /articles/secure-backend-with-ory-oathkeeper with a valid access token, the following error occurs:

<!DOCTYPE html>
<html>
    <head>
        <title></title>
    </head>
    <body>
        <h1>invalid signature</h1>
        <h2>401</h2>
        <pre>UnauthorizedError: invalid signature
    at /usr/src/app/node_modules/express-jwt/lib/index.js:102:22
    at Object.module.exports [as verify] (/usr/src/app/node_modules/jsonwebtoken/verify.js:102:12)
    at verifyToken (/usr/src/app/node_modules/express-jwt/lib/index.js:100:13)
    at fn (/usr/src/app/node_modules/async/lib/async.js:746:34)
    at /usr/src/app/node_modules/async/lib/async.js:1213:16
    at /usr/src/app/node_modules/async/lib/async.js:166:37
    at /usr/src/app/node_modules/async/lib/async.js:706:43
    at /usr/src/app/node_modules/async/lib/async.js:167:37
    at Immediate.&lt;anonymous&gt; (/usr/src/app/node_modules/async/lib/async.js:1206:34)
    at runCallback (timers.js:696:18)</pre>
    </body>
</html>


Oathkeeper api error

After running the command make start-full-stack, the oathkeeper api docker container keeps restarting with the following error in the logs:

time="2018-06-18T05:16:06Z" level=fatal msg="Unable to initialize the ID Token signing algorithm" error="The secret set in CREDENTIALS_ISSUER_ID_TOKEN_HS256_SECRET must be 32 characters long."

Fullstack example is out of date and fails

Import fails:
Invalid command in: scripts/services/oathkeeper.sh
configurator_1 | configure stdout | + oathkeeper rules import --endpoint http://oathkeeper-api:4456/ /config/oathkeeper/rules/resource-server.json
configurator_1 | configure stdout | Usage:
configurator_1 | oathkeeper rules [flags]
configurator_1 | oathkeeper rules [command]

configurator_1 | Deleting roles in /config/keto/roles/*.json...
configurator_1 | + keto engines acp ory roles delete --endpoint http://keto:4466/ exact '[{' '"id":"admin",' '"members":' '[' '"[email protected]",' '"[email protected]"' ']' '}]'
keto_1 | time="2020-04-05T13:34:46Z" level=info msg="started handling request" method=DELETE remote="172.21.0.11:33650" request="/engines/acp/ory/exact/roles/%5B%7B"
postgresd_1 | ERROR: relation "rego_data" does not exist at character 13
postgresd_1 | STATEMENT: DELETE FROM rego_data WHERE pkey=$1 AND collection=$2
keto_1 | time="2020-04-05T13:34:46Z" level=error msg="An error occurred while handling a request" code=500 debug= details="map[]" error="ERROR: relation "rego_data" does not exist (SQLSTATE 42P01)" reason=
request-id= status=500 writer=JSON
keto_1 | time="2020-04-05T13:34:46Z" level=info msg="completed handling request" measure#keto.latency=1080400 method=DELETE remote="172.21.0.11:33650" request="/engines/acp/ory/exact/roles/%5B%7B" status=500
text_status="Internal Server Error" took=1.0804ms
configurator_1 | Unable to delete ORY Access Control Policy Role: [DELETE /engines/acp/ory/{flavor}/roles/{id}][500] deleteOryAccessControlPolicyRoleInternalServerError &{Code:0 Details:[] Message: Reason: Request:
Status:}
configurator_1 | configure stdout | Unable to delete ORY Access Control Policy Role: [DELETE /engines/acp/ory/{flavor}/roles/{id}][500] deleteOryAccessControlPolicyRoleInternalServerError &{Code:0 Details:[] Message: Reason: Request: Status:}

keto-migrate_1 | Config file not found because "Config File ".keto" Not Found in "[/]""
keto-migrate_1 | time="2020-04-05T13:34:19Z" level=info msg="Establishing connection with SQL database backend" dsn="postgres://:@postgresd:5432/accesscontroldb?sslmode=disable"
keto-migrate_1 | time="2020-04-05T13:34:19Z" level=info msg="Successfully connected to SQL database backend" dsn="postgres://:@postgresd:5432/accesscontroldb?sslmode=disable"
keto-migrate_1 | time="2020-04-05T13:34:19Z" level=info msg="Applying storage SQL migrations..."
keto-migrate_1 | panic: runtime error: invalid memory address or nil pointer dereference
keto-migrate_1 | [signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0xc82a20]
keto-migrate_1 |
keto-migrate_1 | goroutine 1 [running]:
keto-migrate_1 | github.com/jmoiron/sqlx.(*DB).DriverName(...)
keto-migrate_1 | /go/pkg/mod/github.com/jmoiron/[email protected]/sqlx.go:261
keto-migrate_1 | github.com/ory/keto/storage.(*SQLManager).CreateSchemas(0xc00000e038, 0xc00049d3e0, 0x1d, 0xc0004e20d0, 0x1)
keto-migrate_1 | /home/ory/storage/manager_sql.go:76 +0x60
keto-migrate_1 | github.com/ory/x/sqlcon.MigratorSQLCmd.func1(0xc0000b62c0, 0xc000412550, 0x1, 0x1)
keto-migrate_1 | /go/pkg/mod/github.com/ory/[email protected]/sqlcon/migrate.go:71 +0x390
keto-migrate_1 | github.com/spf13/cobra.(*Command).execute(0xc0000b62c0, 0xc000412510, 0x1, 0x1, 0xc0000b62c0, 0xc000412510)
keto-migrate_1 | /go/pkg/mod/github.com/spf13/[email protected]/command.go:842 +0x2aa
keto-migrate_1 | github.com/spf13/cobra.(*Command).ExecuteC(0x175e0a0, 0xf397c5, 0x9, 0x0)
keto-migrate_1 | /go/pkg/mod/github.com/spf13/[email protected]/command.go:943 +0x317
keto-migrate_1 | github.com/spf13/cobra.(*Command).Execute(...)
keto-migrate_1 | /go/pkg/mod/github.com/spf13/[email protected]/command.go:883
keto-migrate_1 | github.com/ory/keto/cmd.Execute()
keto-migrate_1 | /home/ory/cmd/root.go:52 +0x31
keto-migrate_1 | main.main()
keto-migrate_1 | /home/ory/main.go:25 +0x5a
full-stack_keto-migrate_1 exited with code 2

Update Full Stack Example - Version Ory OS.10

With Ory OS.10 it is necessary to modify the oathkeeper resource server rule (https://github.com/ory/examples/blob/master/full-stack/config/oathkeeper/rules/resource-server.json) in order to use the correct authorizer (Ory Keto): the line "handler": "keto_warden" should be replaced with the line "handler": "keto_engine_acp_ory".

It is also necessary to modify the oathkeeper-proxy environment in docker-compose.yml (https://github.com/ory/examples/blob/master/full-stack/docker-compose.yml) to set the correct Ory Keto flag. The line AUTHORIZER_KETO_WARDEN_KETO_URL=http://keto:4466 should be replaced with the line AUTHORIZER_KETO_URL=http://keto:4466.

Pull Request ory/examples#26 addresses this and other issues.

Full Stack example: Cannot read property ‘match’ of undefined

Full Stack example is giving me an error, right off the bat (which is not cool ^^)

Steps to reproduce:

  • make start-full-stack
  • hydra token user --client-id example-auth-code --client-secret secret --endpoint http://localhost:4444 --port 5555
  • Browse http://localhost:5555 and click the Authorize link

Stack trace:

TypeError: Cannot read property ‘match’ of undefined
    at normalize (/usr/src/app/node_modules/url-join/lib/url-join.js:11:21)
    at /usr/src/app/node_modules/url-join/lib/url-join.js:70:12
    at get (/usr/src/app/services/hydra.js:8:16)
    at Object.getLoginRequest (/usr/src/app/services/hydra.js:49:12)
    at /usr/src/app/routes/login.js:17:9
    at Layer.handle [as handle_request] (/usr/src/app/node_modules/express/lib/router/layer.js:95:5)
    at next (/usr/src/app/node_modules/express/lib/router/route.js:131:13)
    at csrf (/usr/src/app/node_modules/csurf/index.js:117:5)
    at Layer.handle [as handle_request] (/usr/src/app/node_modules/express/lib/router/layer.js:95:5)
    at next (/usr/src/app/node_modules/express/lib/router/route.js:131:13)

hydra.exe error while loading shared libraries ( hydra from src at win32 )

I've successfully compiled hydra on a Win32 system using the git-bash console. I used these steps to compile hydra:

go get -d -u github.com/ory/hydra
cd $(go env GOPATH)/src/github.com/ory/hydra
HYDRA_LATEST=$(git describe --abbrev=0 --tags)
git checkout $HYDRA_LATEST
GO111MODULE=on go install \
    -ldflags "-X github.com/ory/hydra/cmd.Version=$HYDRA_LATEST -X github.com/ory/hydra/cmd.BuildTime=$(TZ=UTC date -u '+%Y-%m-%dT%H:%M:%SZ') -X github.com/ory/hydra/cmd.GitHash=$(git rev-parse HEAD)" \
    github.com/ory/hydra

after that:

$ git checkout master
Already on 'master'
Your branch is behind 'origin/master' by 98 commits, and can be fast-forwarded.
(use "git pull" to update your local branch)

then when I executed hydra.exe it gave me this error:

x@x MINGW32 ~/go/src/github.com/ory/hydra (master)
$ which hydra.exe
/d/Users/S54034/go/bin/hydra.exe

x@x MINGW32 ~/go/src/github.com/ory/hydra (master)
$ hydra.exe help
D:/Users/S54034/go/bin/hydra.exe: error while loading shared libraries: : cannot open shared object file: No such file or directory

x@x MINGW32 ~/go/src/github.com/ory/hydra (master)
$ hydra.exe
D:/Users/S54034/go/bin/hydra.exe: error while loading shared libraries: : cannot open shared object file: No such file or directory

Authorize application: 500 Internal server error

  • make start-full-stack
  • hydra token user --client-id example-auth-code --client-secret secret --endpoint http://localhost:4444 --port 5555
  • Authorize application

Error
    at /usr/src/app/services/hydra.js:21:33
    at process._tickCallback (internal/process/next_tick.js:68:7)

identity provider logs:

> [email protected] start /usr/src/app
> node ./bin/www

An error occurred while making a HTTP request:  { error:
   'Error 404 - The requested route does not exist. Make sure you are using the right path, domain, and port.' }
GET /login?login_challenge=7d1971da088f4bff9ae62f98c39bbff6 500 489.029 ms - 213

hydra logs:

time="2019-12-04T04:04:04Z" level=info msg="started handling request" method=GET remote="192.168.48.13:32878" request=/oauth2/auth/requests/login/0ffed3bdd4dc4a20a8159e1ff1470cb7
time="2019-12-04T04:04:04Z" level=info msg="completed handling request" measure#hydra/admin: http://localhost:4444/.latency=1019600 method=GET remote="192.168.48.13:32878" request=/oauth2/auth/requests/login/0ffed3bdd4dc4a20a8159e1ff1470cb7 status=404 text_status="Not Found" took=1.0196ms

hydra-migrate: unknown migration in database

  • make start-full-stack
  • docker logs full-stack_hydra-migrate_1

Applying `jwk` SQL migrations...
Applied 0 `jwk` SQL migrations.
Applying `client` SQL migrations...
An error occurred while running the migrations: could not apply client SQL migrations: Could not migrate sql schema, applied 0 Migrations: Unable to create migration plan because of 13: unknown migration in database
