ory-am / hydra
- вторник, 31 мая 2016 г. в 03:12:32
Go
Run your own low-latency, cloud native OAuth2 and OpenID Connect provider. Written in Google Go.
Hydra is being developed by german-based company Ory. Join our mailinglist to stay on top of new developments. There is also a Google Group and a Gitter Channel.
Hydra uses the security first OAuth2 and OpenID Connect SDK Fosite and Ladon for policy-based access control.
Table of Contents
At first, there was the monolith. The monolith worked well with the bespoke authentication module. Then, the web evolved into an elastic cloud that serves thousands of different user agents in every part of the world.
Hydra is driven by the need for a scalable, low-latency, in memory Access Control, OAuth2, and OpenID Connect layer that integrates with every identity provider you can imagine.
Hydra is available through Docker and relies on RethinkDB for persistence. Database drivers are extensible, in case you want to use RabbitMQ, MySQL, MongoDB, or some other database instead.
This section is a quickstart guide to working with Hydra. In-depth docs are available as well:
Starting the host is easiest with docker. The host process handles HTTP requests and is backed by a database. Read how to install docker on Linux, OSX or Windows. Hydra is available on Docker Hub.
The easiest way to start docker is without a database. Hydra will keep all changes in memory. But be aware! Restarting, scaling or stopping the container will make you lose all data:
$ docker run -d -p 4444:4444 oryam/hydra --name my-hydra
ec91228cb105db315553499c81918258f52cee9636ea2a4821bdb8226872f54b
The CLI client is available at gobuild.io.
There is currently no installer which adds the CLI to your path automatically. You have to set up the path yourself. If you do not understand what that means, ask on our Gitter channel.
If you wish to compile the CLI yourself, you need to install and set up Go and add $GOPATH/bin
to your $PATH
. Here is a comprehensive Go installation guide with screenshots.
To install the CLI from source, execute:
go get github.com/ory-am/hydra
go get github.com/Masterminds/glide
cd $GOPATH/src/github.com/ory-am/hydra
glide install
go install github.com/ory-am/hydra
hydra
Alternatively, you can use the CLI in Docker (not recommended):
$ docker exec -i -t <hydra-container-id> /bin/bash
# e.g. docker exec -i -t ec12 /bin/bash
root@ec91228cb105:/go/src/github.com/ory-am/hydra# hydra
Hydra is a twelve factor OAuth2 and OpenID Connect provider
Usage:
hydra [command]
[...]
Install the CLI and Docker Toolbox. Make sure you install Docker Compose. On OSX and Windows, open the Docker Quickstart Terminal. On Linux open any terminal.
We will use a dummy password as system secret: SYSTEM_SECRET=passwordtutorialpasswordtutorial
. Use a very secure secret in production.
On OSX and Windows using the Docker Quickstart Terminal.
$ go get github.com/ory-am/hydra
$ cd $GOPATH/src/github.com/ory-am/hydra
$ DOCKER_IP=$(docker-machine ip default) docker-compose build
WARNING: The SYSTEM_SECRET variable is not set. Defaulting to a blank string.
rethinkdb uses an image, skipping
Building hydra
[...]
$ SYSTEM_SECRET=passwordtutorialpasswordtutorial DOCKER_IP=$(docker-machine ip default) docker-compose up
Starting hydra_rethinkdb_1
Recreating hydra_hydra_1
Recreating hydra_consent_1
Attaching to hydra_rethinkdb_1, hydra_hydra_1, hydra_consent_1
[...]
On Linux.
$ go get github.com/ory-am/hydra
$ cd $GOPATH/src/github.com/ory-am/hydra
$ DOCKER_IP=localhost docker-compose build
WARNING: The SYSTEM_SECRET variable is not set. Defaulting to a blank string.
rethinkdb uses an image, skipping
Building hydra
[...]
$ SYSTEM_SECRET=passwordtutorialpasswordtutorial DOCKER_IP=tutorialpassword docker-compose up
Starting hydra_rethinkdb_1
Recreating hydra_hydra_1
Recreating hydra_consent_1
Attaching to hydra_rethinkdb_1, hydra_hydra_1, hydra_consent_1
[...]
mhydra | mtime="2016-05-17T18:09:28Z" level=warning msg="Generated system secret: MnjFP5eLIr60h?hLI1h-!<4(TlWjAHX7"
[...]
mhydra | mtime="2016-05-17T18:09:29Z" level=warning msg="Temporary root client created."
mhydra | mtime="2016-05-17T18:09:29Z" level=warning msg="client_id: d9227bd5-5d47-4557-957d-2fd3bee11035"
mhydra | mtime="2016-05-17T18:09:29Z" level=warning msg="client_secret: ,IvxGt02uNjv1ur9"
[...]
You have now a running hydra docker container! Additionally, a RethinkDB image was deployed and a consent app.
Hydra can be managed with the hydra cli client. The client hast to log on before it is allowed to do anything.
When hydra detects a new installation, a new temporary root client is created. The client credentials are printed by
docker compose up
:
mhydra | mtime="2016-05-17T18:09:29Z" level=warning msg="client_id: d9227bd5-5d47-4557-957d-2fd3bee11035"
mhydra | mtime="2016-05-17T18:09:29Z" level=warning msg="client_secret: ,IvxGt02uNjv1ur9"
The system secret is a global secret assigned to every hydra instance. It is used to encrypt data at rest. You can
set the system secret through the $SYSTEM_SECRET
environment variable. When no secret is set, hydra generates one:
time="2016-05-15T14:56:34Z" level=warning msg="Generated system secret: (.UL_&77zy8/v9<sUsWLKxLwuld?.82B"
Important note: Please be aware that logging passwords should never be done on a production server. Either prune the logs, set the required parameters, or replace the credentials with other ones.
Now you know which credentials you need to use. Next, we log in.
Note: If you are using docker toolbox, please use the ip address provided by docker-machine ip default
as cluster url host.
$ hydra connect
Cluster URL: https://localhost:4444
Client ID: d9227bd5-5d47-4557-957d-2fd3bee11035
Client Secret: ,IvxGt02uNjv1ur9
Done.
Great! You are now connected to Hydra and can start by creating a new client:
$ hydra clients create --skip-tls-verify
Warning: Skipping TLS Certificate Verification.
Client ID: c003830f-a090-4721-9463-92424270ce91
Client Secret: Z2pJ0>Tp7.ggn>EE&rhnOzdt1
Important note: Hydra is using self signed TLS certificates for HTTPS, if no certificate was provided. This should
never be done in production. To skip the TLS verification step on the client, provide the --skip-tls-verify
flag.
Why not issue an access token for your client?
$ hydra token client --skip-tls-verify
Warning: Skipping TLS Certificate Verification.
JLbnRS9GQmzUBT4x7ESNw0kj2wc0ffbMwOv3QQZW4eI.qkP-IQXn6guoFew8TvaMFUD-SnAyT8GmWuqGi3wuWXg
Let's try this with the authorize code grant!
$ hydra token user --skip-tls-verify
Warning: Skipping TLS Certificate Verification.
If your browser does not open automatically, navigate to: https://192.168.99.100:4444/oauth2/auth?client_id=d9227bd5-5d47-4557-957d-2fd3bee11035&response_type=code&scope=core+hydra&state=sbnwdelqzxyedwtqinxnolbr&nonce=sffievieeesltbjkwxyhycyq
Setting up callback listener on http://localhost:4445/callback
Press ctrl + c on Linux / Windows or cmd + c on OSX to end the process.
Great! You installed hydra, connected the CLI, created a client and completed two authentication flows! Your next stop should be the Guide.
The Guide is available on GitBook.
The REST API is documented at Apiary.
The CLI help is verbose. To see it, run hydra -h
or hydra [command] -h
.
Unless you want to test Hydra against a database, developing with Hydra is as easy as:
go get github.com/ory-am/hydra
go get github.com/Masterminds/glide
cd $GOPATH/src/github.com/ory-am/hydra
glide install
go test ./...
go run main.go
If you want to run Hydra against RethinkDB, you can do so by using docker:
docker run --name some-rethink -d -p 8080:8080 -p 28015:28015 rethinkdb
# Linux
DATABASE_URL=rethinkdb://localhost:28015/hydra go run main.go
# Docker Terminal
DATABASE_URL=rethinkdb://$(docker-machine ip default):28015/hydra go run main.go
A list of extraordinary contributors and bug hunters.