神刀安全网

Run your own OAuth2/OpenID Connect provider

Run your own OAuth2/OpenID Connect provider

Run your own OAuth2/OpenID Connect provider Run your own OAuth2/OpenID Connect provider Run your own OAuth2/OpenID Connect provider Run your own OAuth2/OpenID Connect provider

Hydra is being developed by german-based company Ory . Join our mailinglist to stay on top of new developments.

Table of Contents

  • What is Hydra?
    • Feature Overview
  • Quickstart
    • Installation
    • Run the example
  • Documentation
    • Guide
    • REST API Documentation
    • CLI Documentation
    • Develop

What is Hydra?

At first, there was the monolith. The monolith worked well with the bespoke authentication module. Then, the web evolved into an elastic cloud that serves thousands of different user agents in every part of the world.

Hydra is driven by the need for a scalable in memory OAuth2 and OpenID Connect layer, that integrates with every Identity Provider you can imagine.

Hydra is available through Docker .

Feature Overview

  1. Availability: Hydra uses pub/sub to have the latest data available in memory. The in-memory architecture allows for heavy duty workloads.
  2. Scalability: Hydra scales effortlessly on every platform you can imagine, including Heroku, Cloud Foundry, Docker, Google Container Engine and many more.
  3. Integration: Hydra wraps your existing stack like a blanket and keeps it safe. Hydra uses cryptographic tokens for authenticate users and request their consent, no APIs required. The deprecated php-3.0 authentication service your intern wrote? It works with that too, don’t worry. We wrote an example with React to show you how this could look like: React.js Identity Provider Example App .
  4. Security: Hydra leverages the security first OAuth2 framework Fosite , encrypts important data at rest, and supports HTTP over TLS (https) out of the box.
  5. Ease of use: Developers and Operators are human. Therefore, Hydra is easy to install and manage. Hydra does not care if you use React, Angular, or Cocoa for your user interface. To support you even further, there are APIs available for cryptographic key management, social log on, policy based access control, policy management, and two factor authentication (tbd) Hydra is packaged using Docker .
  6. Open Source: Hydra is licensed Apache Version 2.0
  7. Professional: Hydra implements peer reviewed open standards published by The Internet Engineering Task Force (IETF®) and the OpenID Foundation and under supervision of the LMU Teaching and Research Unit Programming and Modelling Languages . No funny business.
  8. Real Time: Operation is a lot easier with real time monitoring. Because Hydra leverages RethinkDB, you get real time monitoring for free: Run your own OAuth2/OpenID Connect provider

Quickstart

This section is a quickstart guide to working with Hydra. In-depth docs are available as well:

  • The documentation is available on GitBook .
  • The REST API documentation is available at Apiary .

Installation

Starting the hostis easiest with docker. The host process handles HTTP requests and is backed by a database. Read how to install docker on Linux , OSX or Windows . Hydra is available on Docker Hub .

The easiest way to start docker is without a database. Hydra will keep all changes in memory. But be aware! Restarting, scaling or stopping the container will make you lose all data :

$ docker run -d -p 4444:4444 oryam/hydra --name my-hydra ec91228cb105db315553499c81918258f52cee9636ea2a4821bdb8226872f54b 

The CLI clientis available at gobuild.io or through thereleases tab.

There is currently no installer which adds the client to your path automatically. You have to set up the path yourself. If you do not understand what that means, ask on our Gitter channel .

If you wish to compile the CLI yourself, you need to install and set up Go and add $GOPATH/bin to your $PATH . Here is a comprehensive Go installation guide with screenshots.

go install github.com/ory-am/hydra hydra 

Alternatively, you can use the CLI in Docker (not recommended):

$ docker exec -i -t <hydra-container-id> /bin/bash # e.g. docker exec -i -t ec /bin/bash  root@ec91228cb105:/go/src/github.com/ory-am/hydra# hydra Hydra is a twelve factor OAuth2 and OpenID Connect provider  Usage:   hydra [command]  [...] 

Run the example

Run your own OAuth2/OpenID Connect provider

Install theCLI and Docker Toolbox. Make sure you install Docker Compose. On OSX and Windows, open the Docker Quickstart Terminal. On Linux open any terminal.

We will use a dummy password as system secret: SYSTEM_SECRET=passwordtutorialpasswordtutorial . Use a very secure secret in production.

On OSX and Windowsusing the Docker Quickstart Terminal.

$ go get github.com/ory-am/hydra $ cd $GOPATH/src/github.com/ory-am/hydra $ DOCKER_IP=$(docker-machine ip default) docker-compose build WARNING: The SYSTEM_SECRET variable is not set. Defaulting to a blank string. rethinkdb uses an image, skipping Building hydra [...] $ SYSTEM_SECRET=passwordtutorialpasswordtutorial DOCKER_IP=$(docker-machine ip default) docker-compose up Starting hydra_rethinkdb_1 Recreating hydra_hydra_1 Recreating hydra_consent_1 Attaching to hydra_rethinkdb_1, hydra_hydra_1, hydra_consent_1 [...] 

On Linux.

$ go get github.com/ory-am/hydra $ cd $GOPATH/src/github.com/ory-am/hydra $ DOCKER_IP=localhost docker-compose build WARNING: The SYSTEM_SECRET variable is not set. Defaulting to a blank string. rethinkdb uses an image, skipping Building hydra [...] $ SYSTEM_SECRET=passwordtutorialpasswordtutorial DOCKER_IP=tutorialpassword docker-compose up Starting hydra_rethinkdb_1 Recreating hydra_hydra_1 Recreating hydra_consent_1 Attaching to hydra_rethinkdb_1, hydra_hydra_1, hydra_consent_1 [...] mhydra   | mtime="2016-05-17T18:09:28Z" level=warning msg="Generated system secret: MnjFP5eLIr60h?hLI1h-!<4(TlWjAHX7" [...] mhydra   | mtime="2016-05-17T18:09:29Z" level=warning msg="Temporary root client created." mhydra   | mtime="2016-05-17T18:09:29Z" level=warning msg="client_id: d9227bd5-5d47-4557-957d-2fd3bee11035" mhydra   | mtime="2016-05-17T18:09:29Z" level=warning msg="client_secret: ,IvxGt02uNjv1ur9" [...] 

You have now a running hydra docker container! Additionally, a RethinkDB image was deployed and a consent app.

Hydra can be managed with the hydra cli client. The client hast to log on before it is allowed to do anything. When hydra detects a new installation, a new temporary root client is created. The client credentials are printed by docker compose up :

mhydra   | mtime="2016-05-17T18:09:29Z" level=warning msg="client_id: d9227bd5-5d47-4557-957d-2fd3bee11035" mhydra   | mtime="2016-05-17T18:09:29Z" level=warning msg="client_secret: ,IvxGt02uNjv1ur9" 

The system secret is a global secret assigned to every hydra instance. It is used to encrypt data at rest. You can set the system secret through the $SYSTEM_SECRET environment variable. When no secret is set, hydra generates one:

time="2016-05-15T14:56:34Z" level=warning msg="Generated system secret: (.UL_&77zy8/v9<sUsWLKxLwuld?.82B" 

Important note:Please be aware that logging passwords should never be done on a production server. Either prune the logs, set the required parameters, or replace the credentials with other ones.

Now you know which credentials you need to use. Next, we log in.

Note:If you are using docker toolbox, please use the ip address provided by docker-machine ip default as cluster url host.

$ hydra connect Cluster URL: https://localhost:4444 Client ID: d9227bd5-5d47-4557-957d-2fd3bee11035 Client Secret: ,IvxGt02uNjv1ur9 Done. 

Great! You are now connected to Hydra and can start by creating a new client:

$ hydra clients create --skip-tls-verify Warning: Skipping TLS Certificate Verification. Client ID: c003830f-a090-4721-9463-92424270ce91 Client Secret: Z2pJ0>Tp7.ggn>EE&rhnOzdt1 

Important note:Hydra is using self signed TLS certificates for HTTPS, if no certificate was provided. This should never be done in production. To skip the TLS verification step on the client, provide the --skip-tls-verify flag.

Why not issue an access token for your client?

$ hydra token client --skip-tls-verify Warning: Skipping TLS Certificate Verification. JLbnRS9GQmzUBT4x7ESNw0kj2wc0ffbMwOv3QQZW4eI.qkP-IQXn6guoFew8TvaMFUD-SnAyT8GmWuqGi3wuWXg 

Let’s try this with the authorize code grant!

$ hydra token user --skip-tls-verify Warning: Skipping TLS Certificate Verification. If your browser does not open automatically, navigate to: https://192.168.99.100:4444/oauth2/auth?client_id=d9227bd5-5d47-4557-957d-2fd3bee11035&response_type=code&scope=core+hydra&state=sbnwdelqzxyedwtqinxnolbr&nonce=sffievieeesltbjkwxyhycyq Setting up callback listener on http://localhost:4445/callback Press ctrl + c on Linux / Windows or cmd + c on OSX to end the process. 

Run your own OAuth2/OpenID Connect provider

Great! You installed hydra, connected the CLI, created a client and completed two authentication flows! Your next stop should be theGuide.

Documentation

Guide

The Guide is available on GitBook .

REST API Documentation

The REST API is documented at Apiary .

CLI Documentation

The CLI help is verbose. To see it, run hydra -h or hydra [command] -h .

Develop

Unless you want to test Hydra against a database, developing with Hydra is as easy as:

go get github.com/ory-am/hydra go get github.com/Masterminds/glide cd $GOPATH/src/github.com/ory-am/hydra glide install go test ./... go run main.go 

If you want to run Hydra against RethinkDB, you can do so by using docker:

docker run --name some-rethink -d -p 8080:8080 -p 28015:28015 rethinkdb  # Linux DATABASE_URL=rethinkdb://localhost:28015/hydra go run main.go  # Docker Terminal DATABASE_URL=rethinkdb://$(docker-machine ip default):28015/hydra go run main.go 

转载本站任何文章请注明:转载至神刀安全网,谢谢神刀安全网 » Run your own OAuth2/OpenID Connect provider

分享到:更多 ()

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址