Guillotina based identity provider for hydra

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for ramon.nb from gravatar.com ramon.nb Avatar for vangheem from gravatar.com vangheem

Unverified details

These details have not been verified by PyPI
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

Author: Nathan Van Gheem

Project description

This addon aims to provide an identity provider through guillotina for hydra.

It also implements the login and consent flow for hydra.

Endpoints:

Trying it out

Tests require a hydra instance to be running with the following configuration:

  • OAUTH2_ISSUER_URL=http://localhost:4444

  • OAUTH2_CONSENT_URL=http://localhost:8080/@hydra-consent

  • OAUTH2_LOGIN_URL=http://localhost:8080/@hydra-login

  • DATABASE_URL=postgres://hydra:secret@postgresd:5432/hydra?sslmode=disable

  • SYSTEM_SECRET=youReallyNeedToChangeThis

  • OAUTH2_SHARE_ERROR_DEBUG=1

  • OIDC_SUBJECT_TYPES_SUPPORTED=public,pairwise

  • OIDC_SUBJECT_TYPE_PAIRWISE_SALT=youReallyNeedToChangeThis

Then you need to configure guillotina:

auth_providers:
  hydra:
    configuration:
      client_id: auth-code-client
      client_secret: secret
      base_url: http://localhost:4444/
      authorize_url: http://localhost:4444/oauth2/auth
      access_token_url: http://localhost:4444/oauth2/token
    state: true
    scope: openid offline
hydra_db:
  dsn: postgres://hydra:secret@localhost:5432/hydra
  pool_size: 20
# hydra admin url should be internal, protected!
hydra_admin_url: http://localhost:4445/

To add an oauth client to hydra:

curl -XPUT http://localhost:4445/clients/auth-code-client -d '{
    "client_id": "auth-code-client",
    "client_name": "",
    "redirect_uris": [
        "http://localhost:8080/@callback/hydra"
    ],
    "grant_types": [
        "authorization_code",
        "refresh_token"
    ],
    "response_types": [
        "code",
        "id_token"
    ],
    "scope": "openid offline",
    "owner": "",
    "policy_uri": "",
    "allowed_cors_origins": [],
    "tos_uri": "",
    "client_uri": "",
    "logo_uri": "",
    "contacts": [],
    "client_secret_expires_at": 0,
    "subject_type": "public",
    "jwks": {
        "keys": null
    },
    "token_endpoint_auth_method": "client_secret_post",
    "userinfo_signed_response_alg": "none"
}'

See https://github.com/guillotinaweb/guillotina_hydraidp/blob/master/integration_tests.py for an example on using the flow.

This is just the API implementation. You will still need to implement the frontend!

Scope format

Use scopes to grant access to guillotina containers.

The format of scopes is: [container id]:[type]:[value].

For example, to give the user access to container cms as a user, the scope would be cms:role:guillotina.Member

Other examples: - cms:role:guillotina.Reader - cms:permission:guillotina.AccessContent

1.0.0 (2018-10-09)

  • initial

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for ramon.nb from gravatar.com ramon.nb Avatar for vangheem from gravatar.com vangheem

Unverified details

These details have not been verified by PyPI
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

Author: Nathan Van Gheem


Release history Release notifications | RSS feed

1.0.3

1.0.2

1.0.1

This version

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

guillotina_hydraidp-1.0.0.tar.gz (9.7 kB view hashes)

Uploaded Source

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page