Skip to main content

Guillotina based identity provider for hydra

Project description

This addon aims to provide an identity provider through guillotina for hydra.

It also implements the login and consent flow for hydra.

Endpoints:

Configuring

Configuration depends on your frontend login implementation. Using an application that renders html and can be the auth endpoint as well makes the flow more simple.

See the angular app example in the repo and integration test flow to see how it can work.

Tests require a hydra instance to be running with the following configuration:

  • OAUTH2_ISSUER_URL=http://localhost:4444

  • OAUTH2_CONSENT_URL=http://localhost:8080/@hydra-consent

  • OAUTH2_LOGIN_URL=http://localhost:8080/@hydra-login

  • DATABASE_URL=postgres://hydra:secret@postgresd:5432/hydra?sslmode=disable

  • SYSTEM_SECRET=youReallyNeedToChangeThis

  • OAUTH2_SHARE_ERROR_DEBUG=1

  • OIDC_SUBJECT_TYPES_SUPPORTED=public,pairwise

  • OIDC_SUBJECT_TYPE_PAIRWISE_SALT=youReallyNeedToChangeThis

Then you need to configure guillotina:

auth_providers:
  hydra:
    configuration:
      client_id: auth-code-client
      client_secret: secret
      base_url: http://localhost:4444/
      authorize_url: http://localhost:4444/oauth2/auth
      access_token_url: http://localhost:4444/oauth2/token
    state: true
    scope: openid offline
hydra:
  db:
    dsn: postgres://hydra:secret@localhost:5432/hydra
    pool_size: 20
  # hydra admin url should be internal, protected!
  admin_url: http://localhost:4445/
  allow_registration: false
recaptcha_private_key: null
recaptcha_public_key: null

To add an oauth client to hydra:

curl -XPUT http://localhost:4445/clients/auth-code-client -d '{
    "client_id": "auth-code-client",
    "client_name": "",
    "redirect_uris": [
        "http://localhost:8080/@callback/hydra"
    ],
    "grant_types": [
        "authorization_code",
        "refresh_token"
    ],
    "response_types": [
        "code",
        "id_token"
    ],
    "scope": "openid offline",
    "owner": "",
    "policy_uri": "",
    "allowed_cors_origins": [],
    "tos_uri": "",
    "client_uri": "",
    "logo_uri": "",
    "contacts": [],
    "client_secret_expires_at": 0,
    "subject_type": "public",
    "jwks": {
        "keys": null
    },
    "token_endpoint_auth_method": "client_secret_post",
    "userinfo_signed_response_alg": "none"
}'

See https://github.com/guillotinaweb/guillotina_hydraidp/blob/master/integration_tests.py for an example on using the flow.

This is just the API implementation. You will still need to implement the frontend!

Scope format

Use scopes to grant access to guillotina containers.

The format of scopes is: [container id]:[type]:[value].

For example, to give the user access to container cms as a user, the scope would be cms:role:guillotina.Member

Other examples: - cms:role:guillotina.Reader - cms:permission:guillotina.AccessContent

Develop Frontend

Start persistent layers:

docker-compose up redis postgres hydra-migrate hydra hydra-proxy

Start idp:

virtualenv .
source bin/activate
g -c config-pg.yaml

Start ngapp:

cd loginapp
ng serve

Open browser:

http://localhost:4200

1.0.3 (2018-10-27)

  • Adding events [bloodbare]

1.0.2 (2018-10-25)

  • Join RSA pub key [bloodbare]

1.0.1 (2018-10-22)

  • be able to work as a regular login endpoint [vangheem]

  • provide angular login app [bloodbare]

1.0.0 (2018-10-09)

  • initial

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

guillotina_hydraidp-1.0.3.tar.gz (15.0 kB view details)

Uploaded Source

File details

Details for the file guillotina_hydraidp-1.0.3.tar.gz.

File metadata

  • Download URL: guillotina_hydraidp-1.0.3.tar.gz
  • Upload date:
  • Size: 15.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.11.0 pkginfo/1.4.2 requests/2.19.1 setuptools/40.0.0 requests-toolbelt/0.8.0 tqdm/4.23.4 CPython/3.7.0

File hashes

Hashes for guillotina_hydraidp-1.0.3.tar.gz
Algorithm Hash digest
SHA256 0d1194ae32ee085bf62d487dfabb51439b83ec7d95fa324f84377d8e2e2e2afb
MD5 7db874460b18c1e34dd9d002d4a62c25
BLAKE2b-256 a0f8b20f02fc6c0fd299de930a8ef7b35c5c01dcf8365f2ca5a838bbf065e227

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page