Hydra identity provider based on Guillotina
Detailed description of the Python project guillotina-hydraidp
This addon aims to provide an identity provider for Hydra through Guillotina.
It also implements Hydra's login and consent flows.
Endpoints:
- GET /@users
- POST /@users {'id', 'username', 'password', 'phone', 'email', 'data', 'allowed_scopes'}
- DELETE /@users/{userid}
- GET /@users/{userid}
- GET /@hydra-login
- POST /@hydra-login
- GET /@hydra-consent
- POST /@hydra-consent
- POST /@hydra-join
- GET /@hydra-user
- PATCH /@hydra-user
Configuration
The configuration depends on the frontend login implementation. Using an application that renders the HTML and can also act as the auth endpoint makes the flow simpler.
See the Angular app example in the repo and the flow in the integration tests for how it can work.
The tests require a Hydra instance running with the following configuration:
- OAUTH2_ISSUER_URL=http://localhost:4444
- OAUTH2_CONSENT_URL=http://localhost:8080/@hydra-consent
- OAUTH2_LOGIN_URL=http://localhost:8080/@hydra-login
- DATABASE_URL=postgres://hydra:secret@postgresd:5432/hydra?sslmode=disable
- SYSTEM_SECRET=youReallyNeedToChangeThis
- OAUTH2_SHARE_ERROR_DEBUG=1
- OIDC_SUBJECT_TYPES_SUPPORTED=public,pairwise
- OIDC_SUBJECT_TYPE_PAIRWISE_SALT=youReallyNeedToChangeThis
Then Guillotina needs to be configured:
auth_providers:
  hydra:
    configuration:
      client_id: auth-code-client
      client_secret: secret
      base_url: http://localhost:4444/
      authorize_url: http://localhost:4444/oauth2/auth
      access_token_url: http://localhost:4444/oauth2/token
      state: true
      scope: openid offline
hydra:
  db:
    dsn: postgres://hydra:secret@localhost:5432/hydra
    pool_size: 20
  # hydra admin url should be internal, protected!
  admin_url: http://localhost:4445/
  allow_registration: false
  recaptcha_private_key: null
  recaptcha_public_key: null
To add the OAuth client to Hydra:
curl -XPUT http://localhost:4445/clients/auth-code-client -d '{
  "client_id": "auth-code-client",
  "client_name": "",
  "redirect_uris": ["http://localhost:8080/@callback/hydra"],
  "grant_types": ["authorization_code", "refresh_token"],
  "response_types": ["code", "id_token"],
  "scope": "openid offline",
  "owner": "",
  "policy_uri": "",
  "allowed_cors_origins": [],
  "tos_uri": "",
  "client_uri": "",
  "logo_uri": "",
  "contacts": [],
  "client_secret_expires_at": 0,
  "subject_type": "public",
  "jwks": {"keys": null},
  "token_endpoint_auth_method": "client_secret_post",
  "userinfo_signed_response_alg": "none"
}'
See https://github.com/guillotinaweb/guillotina_hydraidp/blob/master/integration_tests.py for example usage of the flow.
This is only the API implementation. You still need to implement the frontend!
Scope format
Scopes are used to grant access to Guillotina containers.
A scope has the format: [container id]:[type]:[value].
For example, to give a user access to the container cms as a Member, the scope would be cms:role:guillotina.Member
Other examples:
- cms:role:guillotina.Reader
- cms:permission:guillotina.AccessContent
Developing the frontend
Start the persistence layer:
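A parser and consent-time filter for the scope format above, as an added example that is not part of the project's own code. It assumes the two scope types the README names (role and permission), treats colon-free scopes such as openid and offline as plain OIDC scopes that are passed through, and grants a requested container scope only if it appears verbatim in the user's allowed_scopes.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Scope types described by the README: a role or a permission on a container
# (assumed to be the complete set for this example).
SCOPE_TYPES = {"role", "permission"}


@dataclass(frozen=True)
class ContainerScope:
    container: str  # container id, e.g. "cms"
    type: str       # "role" or "permission"
    value: str      # e.g. "guillotina.Member"

    def __str__(self) -> str:
        return f"{self.container}:{self.type}:{self.value}"


def parse_scope(scope: str) -> ContainerScope:
    """Parse '[container id]:[type]:[value]'; reject anything malformed."""
    parts = scope.split(":")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"scope must be container:type:value, got {scope!r}")
    container, stype, value = parts
    if stype not in SCOPE_TYPES:
        raise ValueError(f"unknown scope type {stype!r} in {scope!r}")
    return ContainerScope(container, stype, value)


def is_valid_scope(scope: str) -> bool:
    try:
        parse_scope(scope)
        return True
    except ValueError:
        return False


def grant_scopes(requested: Iterable[str], allowed: Iterable[str]) -> List[str]:
    """Return the requested scopes that may be granted at consent time.

    Colon-free scopes (openid, offline) are not container scopes and pass
    through; container scopes are granted only if present in `allowed`,
    and malformed ones are dropped rather than forwarded to Hydra.
    """
    allowed_set = {str(parse_scope(s)) for s in allowed}
    granted: List[str] = []
    for s in requested:
        if ":" not in s:
            granted.append(s)
        elif is_valid_scope(s) and str(parse_scope(s)) in allowed_set:
            granted.append(str(parse_scope(s)))
    return granted
```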
docker-compose up redis postgres hydra-migrate hydra hydra-proxy
Start the IDP:
virtualenv .
source bin/activate
g -c config-pg.yaml
Start the ng app:
cd loginapp
ng serve
Open the browser:
http://localhost:4200
1.0.3 (2018-10-27)
- Add events [vangheem]
1.0.2 (2018-10-25)
- Add RSA public key [vangheem]
1.0.1 (2018-10-22)
- Be able to work as a regular login endpoint [vangheem]
- Provide Angular login app [vangheem]
1.0.0 (2018-10-09)
- Initial release