
Initial commit

This commit is contained in:
Markus Thielker 2024-05-03 05:10:11 +02:00
commit a74e7f3ebd
No known key found for this signature in database
84 changed files with 11089 additions and 0 deletions

40
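--- a/docker/README.md
+++ b/docker/README.md
@@ -0,0 +1,40 @@
+# Starting as a container
+Starting this project in a container makes testing it really easy. \
+```bash
+# move to the environment you want to start (here development)
+cd ory-dev
+# use the example environment for development
+cp .env.example .env
+# execute the docker compose file
+docker compose up -d
+# test the consent flow
+sh ./hydra-test-consent.sh
+```
+These commands will start up multiple containers in the background.
+Then continue with starting the authentication UI development server as described in the authentication README.
+## Services and Ports
+As mentioned above, the docker command starts multiple container which interact with each other.
+Here you see a list of all services and their exposed ports.
+These ports are only exposed to the host machine.
+If you start up the environment on a remote server, you will need to tunnel the ports.
+| Service | Port (Public) | Description |
+|----------------|---------------|---------------------------------------------------------------------------|
+| Console | 4411 (✗) | Admin dashboard for Kratos data management (soon) |
+| Authentication | 3000 (✗) | User interface for authentication and account management (no docker yet) |
+| ORY Kratos | 4433 (✗) | User management system handling users and self-service flows (Public API) |
+| ORY Kratos | 4434 (✗) | User management system handling users and self-service flows (Admin API) |
+| Mailslurper | 4436 (✗) | Mock mailing server (Dashboard) |
+| Mailslurper | 4437 (✗) | Mock mailing server (API) |
+| ORY Hydra | 4444 (✗) | OAuth2 and OIDC server connected to Kratos (Public API) |
+| ORY Hydra | 4445 (✗) | OAuth2 and OIDC server connected to Kratos (Admin API) |
+| ORY Hydra | 5555 (✗) | Hydra test application to test the consent flow |
+| Postgres DB | 4455 (✗) | Postgres database for storing user data |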

2
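--- a/docker/ory-dev/.env
+++ b/docker/ory-dev/.env
@@ -0,0 +1,2 @@
+# The URL of ORY Hydras admin API
+HYDRA_ADMIN_API=http://hydra:4445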


@ -0,0 +1,2 @@
# The URL of ORY Hydras admin API
HYDRA_ADMIN_API=http://hydra:4445

1
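--- a/docker/ory-dev/.gitignore
+++ b/docker/ory-dev/.gitignore
@@ -0,0 +1 @@
+postgres-data/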


@ -0,0 +1,114 @@
services:
ory-kratos-migrate:
container_name: ory-kratos-migrate
image: oryd/kratos:v1.1.0
restart: on-failure
volumes:
- ./ory/kratos:/etc/config/kratos
- ory-kratos-data:/home/ory
- ory-kratos-data:/var/lib/sqlite
command: -c /etc/config/kratos/kratos.yaml migrate sql -e --yes
depends_on:
ory-postgres:
condition: service_healthy
networks:
- internal
ory-kratos:
container_name: ory-kratos
image: oryd/kratos:v1.1.0
restart: unless-stopped
ports:
- 127.0.0.1:4433:4433 # public
- 127.0.0.1:4434:4434 # admin
volumes:
- ./ory/kratos:/etc/config/kratos
- ory-kratos-data:/home/ory
- ory-kratos-data:/var/lib/sqlite
command: serve -c /etc/config/kratos/kratos.yaml --dev --watch-courier
depends_on:
ory-kratos-migrate:
condition: service_completed_successfully
networks:
- internal
ory-hydra-migrate:
container_name: ory-hydra-migrate
image: oryd/hydra:v2.2.0
restart: on-failure
volumes:
- ./ory/hydra:/etc/config/hydra
- ory-hydra-data:/home/ory
- ory-hydra-data:/var/lib/sqlite
command: migrate -c /etc/config/hydra/hydra.yaml sql -e --yes
depends_on:
ory-postgres:
condition: service_healthy
networks:
- internal
ory-hydra:
container_name: ory-hydra
image: oryd/hydra:v2.2.0
restart: unless-stopped
ports:
- 127.0.0.1:4444:4444 # public
- 127.0.0.1:4445:4445 # admin
- 127.0.0.1:5555:5555 # Port for hydra token user
volumes:
- ./ory/hydra:/etc/config/hydra
- ory-hydra-data:/home/ory
- ory-hydra-data:/var/lib/sqlite
command: serve -c /etc/config/hydra/hydra.yaml all --dev
depends_on:
ory-hydra-migrate:
condition: service_completed_successfully
networks:
- internal
ory-mailslurper:
container_name: ory-mailslurper
image: oryd/mailslurper:latest-smtps
restart: unless-stopped
ports:
- 127.0.0.1:4436:4436
- 127.0.0.1:4437:4437
networks:
- internal
ory-postgres:
container_name: ory-postgres
image: postgres:15.2
restart: unless-stopped
healthcheck:
test: [ "CMD-SHELL", "pg_isready" ]
interval: 10s
timeout: 5s
retries: 5
ports:
- 127.0.0.1:5432:5432
environment:
POSTGRES_DB: postgres
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
volumes:
- ory-postgres-data:/var/lib/postgresql/data
- ./postgres:/docker-entrypoint-initdb.d/
networks:
- internal
networks:
internal:
volumes:
ory-kratos-data:
ory-hydra-data:
ory-postgres-data:
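Review bot: The Postgres service publishes `127.0.0.1:5432:5432`, while the README port table added in this commit lists Postgres at 4455; one of the two should be corrected so the documented list of host-exposed ports matches the compose file. The same container runs with the default `postgres`/`postgres` credentials and both Ory DSNs in this commit connect as that superuser, which is acceptable for a loopback-only development stack but deserves a marker above `environment:` such as `# dev-only credentials; change together with the dsn values in ory/kratos/kratos.yaml and ory/hydra/hydra.yaml`. `oryd/mailslurper:latest-smtps` is the only image without a pinned version tag, so builds of this stack are not reproducible across time; the other images are pinned and this one should be too. The rendered page drops the YAML indentation, so the nesting described here is inferred from key order.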


@ -0,0 +1,25 @@
# this script adds a new oath client using the
# Ory Hydra CLI and writes the client id and
# client secret to the command line.
read -r -p "Did you modify the script according to your needs? (y/N)? " answer
if [ answer != "y" && anser != "Y" ]; then
exit 0
fi
# it is likely you will have to set different redirect-uris
# depending on the application you are trying to connect.
code_client=$(docker compose exec ory-hydra \
hydra create client \
--endpoint http://localhost:4445 \
--grant-type authorization_code,refresh_token \
--response-type code,id_token \
--format json \
--scope openid --scope offline \
--redirect-uri http://localhost:8080/login/oauth2/code/hydra)
code_client_id=$(echo $code_client | jq -r '.client_id')
code_client_secret=$(echo $code_client | jq -r '.client_secret')
echo "Client ID:" $code_client_id
echo "Client Secret:" $code_client_secret
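Review bot: The confirmation guard `if [ answer != "y" && anser != "Y" ]; then` never reads the reply: `answer` has no `$`, the second name is misspelled `anser`, and `&&` is a shell operator rather than a `[` operand, so the shell runs `[ answer != "y"` on its own, that command fails with a missing `]` error, and the guard falls through without exiting. It should read `if [ "$answer" != "y" ] && [ "$answer" != "Y" ]; then`. No interpreter line or `set -e` is visible, so a failed `hydra create client` still prints an empty ID and secret as if it had succeeded; quoting the expansions on the two `jq` lines, `echo "$code_client" | jq -r '.client_id'`, also keeps the JSON intact under word splitting.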


@ -0,0 +1,23 @@
# this script adds a new oath client using the
# Ory Hydra CLI and uses the client to start
# the Ory Hydra test application.
code_client=$(docker compose exec ory-hydra \
hydra create client \
--endpoint http://localhost:4445 \
--grant-type authorization_code,refresh_token \
--response-type code,id_token \
--format json \
--scope openid --scope offline \
--redirect-uri http://127.0.0.1:5555/callback)
code_client_id=$(echo $code_client | jq -r '.client_id')
code_client_secret=$(echo $code_client | jq -r '.client_secret')
docker compose exec ory-hydra \
hydra perform authorization-code \
--client-id $code_client_id \
--client-secret $code_client_secret \
--endpoint http://localhost:4444/ \
--port 5555 \
--scope openid --scope offline
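Review bot: Nothing stops the second `docker compose exec` from running when `hydra create client` fails: `code_client_id` and `code_client_secret` are then empty and `hydra perform authorization-code` is invoked with empty credentials, surfacing a misleading OAuth error instead of the real cause. A `set -eu` at the top, with `echo "$code_client"` quoted on the two `jq` lines, makes the first failure fatal. The client secret is also passed as a command-line argument to `docker compose exec`, where it is visible to other local users in the process list; for a loopback dev stack that is tolerable, but a comment `# dev-only: the client secret is passed as an argument and is visible in the process list` records the trade-off.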


@ -0,0 +1,88 @@
#
# Documentation: https://www.ory.sh/docs/hydra/reference/configuration
# Configuration UI: https://www.ory.sh/docs/hydra/reference/configuration-editor
#
#
# Configure the Hydra logging
#
log:
level: info
format: text
leak_sensitive_values: true
#
# Configure the datasource. Alternative for development purposes is 'memory' (not persistent!)
#
dsn: postgres://postgres:postgres@ory-postgres:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4
#
# Configure the base URLs for the public and admin API.
# The public URL is used in emails for verification links.
#
serve:
public:
cors:
enabled: true
debug: true
allowed_origins:
- http://localhost:3000
admin:
cors:
enabled: true
debug: true
allowed_origins:
- http://localhost:3000
cookies:
domain: http://localhost
same_site_mode: Lax
secure: false
paths:
session: /
names:
consent_csrf: ory_hydra_consent_csrf
session: ory_hydra_session
login_csrf: ory_hydra_login_csrf
urls:
consent: http://localhost:3000/flow/consent
login: http://localhost:3000/flow/login
logout: http://localhost:3000/flow/logout
post_logout_redirect: http://localhost:3000
identity_provider:
url: http://kratos:4434
self:
public: http://localhost:4444
admin: http://localhost:4445
issuer: http://localhost:4444
#
# Configure secrets and key rotation.
# Documentation: https://www.ory.sh/docs/hydra/self-hosted/secrets-key-rotation
#
secrets:
system:
- youReallyNeedToChangeThis
#
# Configure the OAuth2 clients.
# Documentation: https://www.ory.sh/docs/hydra/next/clients
#
oidc:
subject_identifiers:
supported_types:
- pairwise
- public
pairwise:
salt: youReallyNeedToChangeThis
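Review bot: `urls.identity_provider.url: http://kratos:4434` points at a hostname the compose file in this commit does not define; the Kratos service and container are both named `ory-kratos`, and kratos.yaml already uses `http://ory-hydra:4445` for the reverse direction, so this should read `url: http://ory-kratos:4434`. The same short name appears in `docker/ory-dev/.env` as `HYDRA_ADMIN_API=http://hydra:4445`; what consumes that file is not visible here, so check that it resolves where it is used. Separately, `cookies.domain: http://localhost` includes a scheme, which is not a valid cookie Domain attribute value — it should be a bare host name or omitted for localhost — and kratos.yaml in this commit has the same `domain: http://localhost`. The placeholder `youReallyNeedToChangeThis` serves as both `secrets.system` and `oidc.subject_identifiers.pairwise.salt`; a comment above `secrets:` such as `# dev-only placeholder; generate a distinct random value for each secret before any non-local deployment` makes the intent explicit.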


@ -0,0 +1,13 @@
local claims = std.extVar('claims');
{
identity: {
traits: {
[if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,
[if 'nickname' in claims then 'username' else null]: claims.nickname,
[if 'nickname' in claims then 'name' else null]: claims.nickname,
},
metadata_public: claims,
},
}
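Review bot: The mapper emits a `username` trait via `[if 'nickname' in claims then 'username' else null]: claims.nickname`, but the identity schema added in this commit declares only `email` and `name` under `traits` and sets `additionalProperties: false`, so an identity created through this provider would fail schema validation whenever `nickname` is present (assuming this mapper is used with that default schema — file headers are not visible on this page). Either drop the `username` line or add the trait to the schema. `claims.email_verified` is also read without checking that it exists, and Jsonnet raises a field-access error for a missing field if a provider omits it; the second mapper in this commit has the same line, and both should use `[if 'email' in claims && 'email_verified' in claims && claims.email_verified then 'email' else null]: claims.email`. Assigning the whole claim set to `metadata_public` stores everything the provider returns rather than the fields the application uses; listing the needed claims explicitly keeps the stored identity data minimal.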


@ -0,0 +1,43 @@
{
"$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "User",
"type": "object",
"properties": {
"traits": {
"type": "object",
"properties": {
"email": {
"type": "string",
"format": "email",
"title": "Email",
"ory.sh/kratos": {
"credentials": {
"password": {
"identifier": true
},
"webauthn": {
"identifier": true
}
},
"recovery": {
"via": "email"
},
"verification": {
"via": "email"
}
}
},
"name": {
"type": "string",
"title": "Name"
}
},
"required": [
"email",
"name"
],
"additionalProperties": false
}
}
}


@ -0,0 +1,135 @@
#
# Documentation: https://www.ory.sh/docs/kratos/reference/configuration
# Configuration UI: https://www.ory.sh/docs/kratos/reference/configuration-editor
#
#
# Configure the Kratos logging
#
log:
level: info
format: text
leak_sensitive_values: true
#
# Configure the datasource. Alternative for development purposes is 'memory' (not persistent!)
#
dsn: postgres://postgres:postgres@ory-postgres:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
#
# Configure the base URLs for the public and admin API.
# The public URL is used in emails for verification links.
#
serve:
public:
base_url: http://localhost:4433
cors:
enabled: true
allowed_origins:
- http://localhost:3000
admin:
base_url: http://localhost:4434
#
# Configure the session cookie.
#
cookies:
domain: http://localhost
path: /
same_site: Lax
#
# Configure the self-service flows.session.
# Probably most interesting are ui urls, return urls and hooks.session.
# You can also activate authentication methods.
#
selfservice:
default_browser_return_url: http://localhost:3000
allowed_return_urls:
- http://localhost:3000
methods:
password:
enabled: true
totp:
enabled: true
config:
issuer: ORY Template
lookup_secret:
enabled: true
flows:
error:
ui_url: http://localhost:3000/flow/error
settings:
required_aal: highest_available
ui_url: http://localhost:3000
recovery:
enabled: true
ui_url: http://localhost:3000/flow/recovery
verification:
enabled: true
ui_url: http://localhost:3000/flow/verification
login:
ui_url: http://localhost:3000/flow/login
lifespan: 10m
after:
hooks:
- hook: require_verified_address
registration:
lifespan: 10m
ui_url: http://localhost:3000/flow/registration
# after:
# default_browser_return_url: http://localhost:3000
# password:
# hooks:
# - hook: session # automatically sign-in after registration
#
# Configure connection to hydra for oauth2 and oidc.
# If set, the login and registration flows will handle the Ory OAuth 2.0 & OpenID `login_challenge` query parameter to serve as an OpenID Connect Provider.
#
oauth2_provider:
override_return_to: false
url: http://ory-hydra:4445
#
# Configure secrets and key rotation.
# Documentation: https://www.ory.sh/docs/kratos/guides/secret-key-rotation
#
secrets:
cookie:
- PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
cipher:
- 32-LONG-SECRET-NOT-SECURE-AT-ALL
ciphers:
algorithm: xchacha20-poly1305
hashers:
algorithm: bcrypt
bcrypt:
cost: 8
#
# The delivered identity schema shows how to use the schema system.
# Documentation: https://www.ory.sh/docs/kratos/manage-identities/identity-schema
#
identity:
default_schema_id: default
schemas:
- id: default
url: file:///etc/config/kratos/identity.schema.json
#
# Configure the mailing service.
# Documentation: https://www.ory.sh/docs/kratos/self-hosted/mail-courier-selfhosted
#
courier:
smtp:
connection_uri: smtps://test:test@ory-mailslurper:1025/?skip_ssl_verify=true
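Review bot: `log.leak_sensitive_values: true` makes Kratos write values it otherwise redacts (such as cookies and URL parameters) into its logs, and hydra.yaml in this commit sets the same flag; since this file is the template other environments will be copied from, a comment directly above it such as `# dev-only: writes cookies and other sensitive values to the log; must be false outside local development` prevents it being carried forward. `hashers.bcrypt.cost: 8` is a deliberately low development value and deserves the same marker. The two comment lines `Configure the self-service flows.session.` and `Probably most interesting are ui urls, return urls and hooks.session.` read as an editing slip for `flows` and `hooks`.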


@ -0,0 +1,11 @@
local claims = std.extVar('claims');
{
identity: {
traits: {
[if 'email' in claims && claims.email_verified then 'email' else null]: claims.email
},
metadata_public: claims,
},
}


@ -0,0 +1,5 @@
CREATE DATABASE kratos;
GRANT ALL PRIVILEGES ON DATABASE kratos TO postgres;
CREATE DATABASE hydra;
GRANT ALL PRIVILEGES ON DATABASE hydra TO postgres;