added +- work version with oauthkeeper

2025-03-06 17:37:47 +03:00 · 2025-03-06 17:37:47 +03:00 · f2efc502e9
commit f2efc502e9
parent 120085977b
10 changed files with 127 additions and 95 deletions
--- a/8
+++ b/8
@ -0,0 +1,8 @@
+FROM golang:1.23-alpine
+
+WORKDIR /app
+COPY . .
+RUN go mod tidy
+
+RUN go build -o app ./cmd
+CMD ["./app"]
--- a/test/srv_test.go
+++ b/test/srv_test.go
@ -1,31 +1,25 @@
-package test
+package main

 import (
 	"context"
 	"fmt"
 	"github.com/gofiber/fiber/v2"
-	"github.com/ory/client-go"
-	"ory-kratos-docker/middleware"
+	"log"
 	"os/signal"
 	"syscall"
-	"testing"
 )

 func handler(c *fiber.Ctx) error {
 	return c.SendString("Hello, World!")
 }

-func Test_Srv(t *testing.T) {
+func main() {
 	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
 	defer stop()

-	c := client.NewConfiguration()
-	c.Servers = client.ServerConfigurations{{URL: "http://localhost:4433"}}
-	ory := client.NewAPIClient(c)
-
 	app := fiber.New()

-	app.Use(middleware.KratosMiddleware(ory))
+	//app.Use(middleware.KratosMiddleware(ory))

 	app.Get("/", handler)
 	app.Get("/public", func(c *fiber.Ctx) error {
@ -35,9 +29,14 @@ func Test_Srv(t *testing.T) {
 		return c.SendString("private content")
 	})

+	app.Get("/check", func(c *fiber.Ctx) error {
+		sessionToken := c.Get("Cookie")
+		return c.Status(fiber.StatusOK).SendString(sessionToken)
+	})
+
 	go func() {
 		if err := app.Listen(":3000"); err != nil {
-			t.Fatalf("failed to start server: %v", err)
+			log.Fatalf("failed to start server: %v", err)
 		}
 	}()

--- a/config/oathkeeper.yml
+++ b/config/oathkeeper.yml
@ -1,29 +0,0 @@
-log:
-  level: debug
-
-serve:
-  proxy:
-    port: 4456
-  api:
-    port: 4457
-
-access_rules:
-  repositories:
-    - file:///etc/config/rules.json
-
-authenticators:
-  cookie_session:
-    enabled: true
-    config:
-      check_session_url: http://kratos:4433/sessions/whoami
-
-authorizers:
-  allow:
-    enabled: true
-
-mutators:
-  id_token:
-    enabled: true
-    config:
-      issuer_url: http://127.0.0.1:4456/
-      jwks_url: http://127.0.0.1:4456/.well-known/jwks.json
--- a/config/rules.json
+++ b/config/rules.json
@ -1,30 +0,0 @@
-[
-  {
-    "id": "public",
-    "match": {
-      "url": "http://localhost:3000/public<.*>",
-      "methods": ["GET"]
-    },
-    "authenticators": [],
-    "authorizer": {
-      "handler": "allow"
-    },
-    "mutators": []
-  },
-  {
-    "id": "private",
-    "match": {
-      "url": "http://localhost:3000/private<.*>",
-      "methods": ["GET"]
-    },
-    "authenticators": [
-      {
-        "handler": "cookie_session"
-      }
-    ],
-    "authorizer": {
-      "handler": "allow"
-    },
-    "mutators": []
-  }
-]
--- a/config_kratos/identity.schema.json
+++ b/config_kratos/identity.schema.json
--- a/config_kratos/kratos.yml
+++ b/config_kratos/kratos.yml
@ -11,9 +11,9 @@ serve:
    base_url: http://kratos:4434/

 selfservice:
-  default_browser_return_url: http://127.0.0.1:4455/welcome
+  default_browser_return_url: http://127.0.0.1:4457/welcome
  allowed_return_urls:
-    - http://127.0.0.1:4455
+    - http://127.0.0.1:4457
    - http://localhost:19006/Callback
    - exp://localhost:8081/--/Callback

@ -33,36 +33,36 @@ selfservice:

  flows:
    error:
-      ui_url: http://127.0.0.1:4455/error
+      ui_url: http://127.0.0.1:4457/error

    settings:
-      ui_url: http://127.0.0.1:4455/settings
+      ui_url: http://127.0.0.1:4457/settings
      privileged_session_max_age: 15m
      required_aal: highest_available

    recovery:
      enabled: true
-      ui_url: http://127.0.0.1:4455/recovery
+      ui_url: http://127.0.0.1:4457/recovery
      use: code

    verification:
      enabled: true
-      ui_url: http://127.0.0.1:4455/verification
+      ui_url: http://127.0.0.1:4457/verification
      use: code
      after:
-        default_browser_return_url: http://127.0.0.1:4455/welcome
+        default_browser_return_url: http://127.0.0.1:4457/welcome

    logout:
      after:
-        default_browser_return_url: http://127.0.0.1:4455/login
+        default_browser_return_url: http://127.0.0.1:4457/login

    login:
-      ui_url: http://127.0.0.1:4455/login
+      ui_url: http://127.0.0.1:4457/login
      lifespan: 10m

    registration:
      lifespan: 10m
-      ui_url: http://127.0.0.1:4455/registration
+      ui_url: http://127.0.0.1:4457/registration
      after:
        password:
          hooks:
@ -92,7 +92,7 @@ identity:
  default_schema_id: default
  schemas:
    - id: default
-      url: file:///etc/config/kratos/identity.schema.json
+      url: file:///etc/config_kratos/kratos/identity.schema.json

 courier:
  smtp:
--- a/config_oauthkeeper/jwks.json
+++ b/config_oauthkeeper/jwks.json
@ -0,0 +1,17 @@
+{
+  "keys": [
+    {
+      "kty": "RSA",
+      "kid": "wGO2d4C5hnkUL5kzrurMz8Sdo-rH4GZvuHMx49rIhks",
+      "use": "sig",
+      "alg": "RS256",
+      "n": "30Z0_oDV7xP3qxwU2nUqeje7H0nD4v2rVqCCXqQUtltoggTpFd8L9e0JACXfK-HQp11haUNU5ANzbpat6yGOJKgPLr901IBeoWmkLINrCrR20wgDEf0But7dV97x6_M1zT5hlawbTlMhGIVApvPqSKAeSy8tbH9qSBdn-1yndY1KOjtQxLF6whfHLgawrfCTXSZaOa-6BnhlJtIJMXktkgARbNDO8d1TeO1OVQSOPn5ZKY89Ot-grC4_a_Iy6zQOnUXqCqn4N8Wr2Swsnt-VV7xfYjVScVbJO3VJIMjtZTEiZLi550AdNJt5LRymHUEv4mCfR0l7dpBu0Q4jN1jUMQ",
+      "e": "AQAB",
+      "p": "-XN4xrct2Chhcs_rPZfYyhW49FEYsqiWB4OmPmz7LmS3wMCSt4RIcs3XM7xqVssyZ06rQ9BImvGWOWXb8AqMal01k2jSJ8vJ9XzCw0KXL3mc2SYFv-cJB9CXVdPSwaalQwmUfM-R_CAhzgpH-GlRh_E_xe2KkAa2TrVCe4EueW8",
+      "q": "5SMPkS6Ed_2vMCifkowSNazuFhVOrJWMYgMJeNLi2m2kMQQMdDGDDlUX27-hSNEaOqhVmZkFMyIIPXszzKni_jQsv01MiPQKAIoQvkSPSV8WfltQ_M5gEPxsKDw-DRMHu4FO7dxtg9HecKRTe3gQAtYkESdfTYkQgrouIAw4fF8",
+      "dp": "VLNlxiu60FPdyutYmCBwRyYbGDJVLYza7JBCKZ49p-IhFr0M1G2BYCIOuY13miMC6VsoAi2-CYaQmMrCZH5gcVlW8Me93C9xUv7a7ww0Y7Vqkb08ZI3hXhrw1_7F6GVaZinhloOwsSiD8f9BstKoEX3URrPCwebVjmIzwdX6Xtc",
+      "dq": "TKVXtbabtQ90pGVSS1DzXmUEFvr1oCE-HiLp7jKMk4gNXh_-kndlYUvxeR42swbPAUQBrilTZfFCVF57y0Agn-uP9EXFDiKjnd6RDzQbwe0-tvGQu5_E3qmw_Bx6nSD6eywb3NDZCTkQcRlmm2xj3q8GzX4gEO2CSlhAyZOM6X0",
+      "qi": "bhwBlbJqQGb2aPCf03Xkx2OyaO7p4RdTwGq9IKgIipQkltUZCpQDI-Aat1zwfOf_qhIbMZGa4DoY3zatXVPbOt9F-y0HqIQytw7W2uKqJ903NQRcCq5GgbNDPuJHXbwgmOYQe1STTLVoQqeCb92wKEZkDLMl0pPnUoCTz4weZqE"
+    }
+  ]
+}
--- a/config_oauthkeeper/oathkeeper.yml
+++ b/config_oauthkeeper/oathkeeper.yml
@ -0,0 +1,31 @@
+log:
+  level: debug
+
+serve:
+  proxy:
+    port: 4455
+  api:
+    port: 4456
+
+access_rules:
+  repositories:
+    - file:///etc/config_oauthkeeper/rules.json
+
+authenticators:
+  cookie_session:
+    enabled: true
+    config:
+      check_session_url: http://tsrv:3000/check #todo
+
+authorizers:
+  allow:
+    enabled: true
+
+mutators:
+  id_token: #todo
+    enabled: true
+    config:
+      issuer_url: http://oathkeeper:4455/
+      jwks_url: file:///etc/config_oauthkeeper/jwks.json
+  noop:
+    enabled: true
--- a/config_oauthkeeper/rules.json
+++ b/config_oauthkeeper/rules.json
@ -0,0 +1,25 @@
+[
+  {
+    "id": "test",
+    "upstream": {
+      "url": "http://tsrv:3000"
+    },
+    "match": {
+      "url": "http://127.0.0.1:4455/public",
+      "methods": ["GET"]
+    },
+    "authenticators": [
+      {
+        "handler": "cookie_session"
+      }
+    ],
+    "authorizer": {
+      "handler": "allow"
+    },
+    "mutators": [
+      {
+        "handler": "noop"
+      }
+    ]
+  }
+]
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -8,14 +8,14 @@ services:
      - "4433:4433"
      - "4434:4434"
    restart: unless-stopped
-    command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier
+    command: serve -c /etc/config_kratos/kratos/kratos.yml --dev --watch-courier
    volumes:
-      - ./config:/etc/config/kratos:ro
+      - ./config_kratos:/etc/config_kratos/kratos:ro
      - ./migrations:/etc/migrations:ro
    environment:
      - DSN=postgres://kratos:kratos@db:5432/kratos?sslmode=disable
      - LOG_LEVEL=debug
-      - KRATOS_CONFIG_FILE=/etc/config/kratos/kratos.yml
+      - KRATOS_CONFIG_FILE=/etc/config_kratos/kratos/kratos.yml
    depends_on:
      - kratos-migrate
    networks:
@ -56,9 +56,9 @@ services:
    depends_on:
      - db
      - sql-migrate
-    command: migrate sql -e --yes --config /etc/config/kratos/kratos.yml
+    command: migrate sql -e --yes --config /etc/config_kratos/kratos/kratos.yml
    volumes:
-      - ./config:/etc/config/kratos:ro
+      - ./config_kratos:/etc/config_kratos/kratos:ro
    networks:
      - kratos_net

@ -72,9 +72,8 @@ services:

  kratos-ui:
    image: oryd/kratos-selfservice-ui-node:v1.3.1
-
    ports:
-      - "4455:4455"
+      - "4457:4455"
    environment:
      - KRATOS_PUBLIC_URL=http://kratos:4433/
      - KRATOS_BROWSER_URL=http://127.0.0.1:4433/
@ -86,7 +85,7 @@ services:
    depends_on:
      - kratos
    volumes:
-      - ./config:/etc/config/kratos:ro
+      - ./config_kratos:/etc/config_kratos/kratos:ro
    networks:
      - kratos_net

@ -94,20 +93,32 @@ services:
    image: oryd/oathkeeper:v0.40.6
    container_name: oathkeeper
    restart: unless-stopped
+    command: serve -c /etc/config_oauthkeeper/oathkeeper.yml
    ports:
+      - "4455:4455"
      - "4456:4456"
-      - "4457:4457"
-    environment:
-      - LOG_LEVEL=debug
-      - OATHKEEPER_CONFIG_FILE=/etc/config/oathkeeper.yml
    volumes:
-      - ./config/oathkeeper.yml:/etc/config/oathkeeper.yml:ro
-      - ./config/rules.json:/etc/config/rules.json:ro
+      - ./config_oauthkeeper/oathkeeper.yml:/etc/config_oauthkeeper/oathkeeper.yml
+      - ./config_oauthkeeper/rules.json:/etc/config_oauthkeeper/rules.json
+      - ./config_oauthkeeper/jwks.json:/etc/config_oauthkeeper/jwks.json
    depends_on:
      - kratos
    networks:
      - kratos_net

+  tsrv:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    container_name: tsrv
+    ports:
+      - "3000:3000"
+    networks:
+      - kratos_net
+    depends_on:
+      - kratos
+      - oathkeeper
+
 volumes:
  db_data:
 networks: