Integrating Hydra and Kratos

.dockerignore

@@ -1 +1,2 @@
-node_modules/
+node_modules/
+lib

README.md

@@ -30,14 +30,21 @@ This application can be configured using two environment variables:
 - `BASE_URL` (optional): The base url of this app. If served e.g. behind a proxy or via
   GitHub pages this would be the path, e.g. `https://mywebsite.com/kratos-selfservice-ui-node/`.
   **Must be absolute!**
+- `COOKIE_SECRET` (optional): This secret is used to encrypt cookies which are used as part of the ORY Hydra
+   integration.
 - `TLS_CERT_PATH` (optional): Path to certificate file. Should be set up together with `TLS_KEY_PATH` to enable HTTPS.
 - `TLS_KEY_PATH` (optional): Path to key file Should be set up together with `TLS_CERT_PATH` to enable HTTPS.
 
+  If you want to also use hydra and connect an app via OAuth2, set these env-variables:
+  - `HYDRA_ADMIN_URL` should point to hydra's admin port including scheme (e.g. https://hydra.example.com:445)
+
+  If you want to test hydra without the use of kratos for user-management, rather have a look at the [hydra-login-consent-node][https://github.com/ory/hydra-login-consent-node].
+
 ### Network Setup
 
 This application works in two set ups:
 
-- Standalone with ORY Kratos
+- Standalone with ORY Kratos (plus optionally ORY Hydra)
 - With the ORY Oathkeeper Reverse Proxy
 
 #### Standalone using cookies

contrib/hydra/README.md

@@ -0,0 +1,35 @@
+# ORY Kratos as Login Provider for ORY Hydra
+
+**Warning: ** this is a preliminary example and will properly be implemented in ORY Kratos directly.
+
+For now, to run this example execute:
+
+```shell script
+$ docker-compose up --build
+```
+
+Next, create an OAuth2 Client
+
+```shell script
+$ docker-compose exec hydra \
+    hydra clients create \
+    --endpoint http://127.0.0.1:4445 \
+    --id auth-code-client \
+    --secret secret \
+    --grant-types authorization_code,refresh_token \
+    --response-types code,id_token \
+    --scope openid,offline \
+    --callbacks http://127.0.0.1:5555/callback
+```
+
+and perform an OAuth2 Authorize Code Flow
+
+```shell script
+$ docker-compose exec hydra \
+    hydra token user \
+    --client-id auth-code-client \
+    --client-secret secret \
+    --endpoint http://127.0.0.1:4444/ \
+    --port 5555 \
+    --scope openid,offline
+```

contrib/hydra/docker-compose.yml

@@ -0,0 +1,130 @@
+# This docker-compose file sets up ORY Kratos, ORY Hydra, and this app in a network and configures
+# in such a way that ORY Kratos is the Login Provider for ORY Hydra.
+
+version: '3.7'
+
+services:
+  postgresd:
+    image: postgres:9.6
+    ports:
+      - "5432:5432"
+    environment:
+      - POSTGRES_USER=pguser
+      - POSTGRES_PASSWORD=secret
+      - POSTGRES_MULTIPLE_DATABASES=kratos,hydra
+    volumes:
+      - ./pg-init:/docker-entrypoint-initdb.d
+    networks:
+      - intranet
+
+  hydra-migrate:
+    image: oryd/hydra:v1.6.0-alpine
+    depends_on:
+      - postgresd
+    environment:
+      - DSN=postgres://pguser:secret@postgresd:5432/hydra?sslmode=disable
+    command:
+      migrate sql -e --yes
+    restart: on-failure
+    networks:
+      - intranet
+
+  hydra:
+    image: oryd/hydra:v1.6.0-alpine
+    depends_on:
+      - hydra-migrate
+    ports:
+      - "4444:4444" # Public port
+      - "4445:4445" # Admin port
+      - "5555:5555" # Port for hydra token user
+    command:
+      serve all --dangerous-force-http
+    restart: on-failure # TODO figure out why we need this (incorporate health check into hydra migrate command?)
+    environment:
+      - LOG_LEAK_SENSITIVE_VALUES=true
+      - URLS_SELF_ISSUER=http://127.0.0.1:4444
+      - URLS_SELF_PUBLIC=http://127.0.0.1:4444
+      - URLS_CONSENT=http://127.0.0.1:3000/auth/hydra/consent
+      - URLS_LOGIN=http://127.0.0.1:3000/auth/hydra/login
+      - URLS_LOGOUT=http://127.0.0.1:3000/logout
+      - SECRETS_SYSTEM=youReallyNeedToChangeThis
+      - OIDC_SUBJECT_IDENTIFIERS_SUPPORTED_TYPES=public,pairwise
+      - OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT=youReallyNeedToChangeThis
+      - DSN=postgres://pguser:secret@postgresd:5432/hydra?sslmode=disable
+    networks:
+      - intranet
+
+  kratos-selfservice-ui-node:
+    build:
+      context: ../..
+      dockerfile: Dockerfile
+    environment:
+      - HYDRA_ADMIN_URL=http://hydra:4445
+      - KRATOS_PUBLIC_URL=http://kratos:4433/
+      - KRATOS_ADMIN_URL=http://kratos:4434/
+      - SECURITY_MODE=standalone
+    ports:
+      - "3000:3000"
+    networks:
+      - intranet
+
+  kratos-migrate:
+    image: oryd/kratos:v0.4.6-sqlite
+    environment:
+      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc
+    volumes:
+      -
+        type: volume
+        source: kratos-sqlite
+        target: /var/lib/sqlite
+        read_only: false
+      -
+        type: bind
+        source: ./kratos
+        target: /etc/config/kratos
+    command:
+      -c /etc/config/kratos/.kratos.yml migrate sql -e --yes
+    restart: on-failure
+    networks:
+      - intranet
+
+  kratos:
+    depends_on:
+      - kratos-migrate
+    image: oryd/kratos:v0.4.6-sqlite
+    ports:
+      - "4433:4433" # public
+      - "4434:4434" # admin
+    restart: unless-stopped
+    environment:
+      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
+    command:
+      serve -c /etc/config/kratos/.kratos.yml --dev
+    volumes:
+      -
+        type: volume
+        source: kratos-sqlite
+        target: /var/lib/sqlite
+        read_only: false
+      -
+        type: bind
+        source: ./kratos
+        target: /etc/config/kratos
+    networks:
+      - intranet
+
+# Sending emails is not part of this demo, so this is commented out:
+#
+#  mailslurper:
+#    image: oryd/mailslurper:latest-smtps
+#    ports:
+#      - "4436:4436"
+#      - "4437:4437"
+#    networks:
+#      - intranet
+
+networks:
+  intranet:
+
+volumes:
+  kratos-sqlite:

contrib/hydra/kratos/.kratos.yml

@@ -0,0 +1,60 @@
+serve:
+  public:
+    base_url: http://127.0.0.1:3000/.ory/kratos/public/
+  admin:
+    base_url: http://kratos:4434/
+
+selfservice:
+  default_browser_return_url: http://127.0.0.1:3000/
+  whitelisted_return_urls:
+    - http://127.0.0.1:3000/
+    - http://127.0.0.1:3000/auth/hydra/login
+
+  strategies:
+    password:
+      enabled: true
+
+  flows:
+    settings:
+      ui_url: http://127.0.0.1:3000/settings
+
+    verification:
+      ui_url: http://127.0.0.1:3000/verification
+      enabled: false
+
+    recovery:
+      ui_url: http://127.0.0.1:3000/recovery
+      enabled: false
+
+    logout:
+      after:
+        default_browser_return_url: http://127.0.0.1:3000/auth/login
+
+    login:
+      ui_url: http://127.0.0.1:3000/auth/login
+
+    registration:
+      ui_url: http://127.0.0.1:3000/auth/registration
+      after:
+        password:
+          hooks:
+            -
+              hook: session
+
+log:
+  level: debug
+
+hashers:
+  argon2:
+    parallelism: 1
+    memory: 131072
+    iterations: 2
+    salt_length: 16
+    key_length: 16
+
+identity:
+  default_schema_url: file:///etc/config/kratos/identity.schema.json
+
+courier:
+  smtp:
+    connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true

contrib/hydra/kratos/identity.schema.json

@@ -0,0 +1,31 @@
+{
+  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Person",
+  "type": "object",
+  "properties": {
+    "traits":{
+      "type": "object",
+      "properties": {
+
+        "email": {
+          "type": "string",
+          "format": "email",
+          "title": "E-Mail",
+          "minLength": 3,
+          "ory.sh/kratos": {
+            "credentials": {
+              "password": {
+                "identifier": true
+              }
+            }
+          }
+        }
+      },
+      "required": [
+        "email"
+      ]
+    }
+  },
+  "additionalProperties": false
+}

contrib/hydra/pg-init/pg-init.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -e
+set -u
+
+function create_user_and_database() {
+	local database=$1
+	echo "  Creating user and database '$database'"
+	psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
+	    CREATE USER $database;
+	    CREATE DATABASE $database;
+	    GRANT ALL PRIVILEGES ON DATABASE $database TO $database;
+EOSQL
+}
+
+if [ -n "$POSTGRES_MULTIPLE_DATABASES" ]; then
+	echo "Multiple database creation requested: $POSTGRES_MULTIPLE_DATABASES"
+	for db in $(echo $POSTGRES_MULTIPLE_DATABASES | tr ',' ' '); do
+		create_user_and_database $db
+	done
+	echo "Multiple databases created"
+fi