Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| c5b79c95ca |
23
.env.dist
23
.env.dist
@ -1,23 +0,0 @@
|
|||||||
TRACING_PROVIDER=jaeger
|
|
||||||
TRACING_PROVIDERS_JAEGER_SAMPLING_SERVER_URL=http://jaeger:5778/sampling
|
|
||||||
TRACING_PROVIDERS_JAEGER_LOCAL_AGENT_ADDRESS=jaeger:6831
|
|
||||||
TRACING_PROVIDERS_JAEGER_SAMPLING_TYPE=const
|
|
||||||
TRACING_PROVIDERS_JAEGER_SAMPLING_VALUE=1
|
|
||||||
LOG_LEAK_SENSITIVE_VALUES=true
|
|
||||||
URLS_SELF_ISSUER=http://127.0.0.1:4444
|
|
||||||
|
|
||||||
#URLS_CONSENT=http://hydra-login-consent-node.service.consul:3000/consent
|
|
||||||
#URLS_LOGIN=http://hydra-login-consent-node.service.consul:3000/login
|
|
||||||
#URLS_LOGOUT=http://hydra-login-consent-node.service.consul:3000/logout
|
|
||||||
|
|
||||||
URLS_CONSENT=http://127.0.0.1:3000/consent
|
|
||||||
URLS_LOGIN=http://127.0.0.1:3000/login
|
|
||||||
URLS_LOGOUT=http://127.0.0.1:3000/logout
|
|
||||||
|
|
||||||
STRATEGIES_ACCESS_TOKEN=jwt
|
|
||||||
SECRETS_SYSTEM=dUjs9EV7BuyXUcckKBVrYOdacsggIkna
|
|
||||||
OIDC_SUBJECT_IDENTIFIERS_SUPPORTED_TYPES=public
|
|
||||||
OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT=dUjs9EV7BuyXUcckKBVrYOdacsggIkna
|
|
||||||
SERVE_COOKIES_SAME_SITE_MODE=None
|
|
||||||
SERVE_COOKIES_SAME_SITE_LEGACY_WORKAROUND=true
|
|
||||||
DSN=postgres://hydra:secret@postgresd:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4
|
|
||||||
1
.gitignore
vendored
1
.gitignore
vendored
@ -1 +0,0 @@
|
|||||||
.env
|
|
||||||
49
Makefile
49
Makefile
@ -1,49 +0,0 @@
|
|||||||
|
|
||||||
.PHONY: help
|
|
||||||
.DEFAULT_GOAL := help
|
|
||||||
|
|
||||||
# Uppercase vars for internal use.
|
|
||||||
UC = $(shell echo '$1' | tr '[:lower:]' '[:upper:]')
|
|
||||||
LOG_ERROR = @printf "\n>> \e[0;31m$1\e[0;00m\n\n"
|
|
||||||
LOG_WARN = @printf "\n>> \e[0;33m$1\e[0;00m\n\n"
|
|
||||||
LOG_INFO = @printf "\n>> \e[0;34m$1\e[0;00m\n\n"
|
|
||||||
LOG_SUCCESS = @printf "\n>> \e[0;36m$1\e[0;00m\n\n"
|
|
||||||
LOG_SUBLINE = @printf " \e[0;34m$1\e[0;00m\n\n"
|
|
||||||
HYDRA_COMMAND = docker-compose -p kraken -f docker-compose.yml exec hydra
|
|
||||||
|
|
||||||
help:
|
|
||||||
@perl -nle'print $& if m{^[a-zA-Z_-]+:.*?## .*$$}' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-10s\033[0m %s\n", $$1, $$2}'
|
|
||||||
|
|
||||||
up: ## Docker: start compose stack
|
|
||||||
$(call LOG_INFO,Up (daemon))
|
|
||||||
docker-compose -p kraken up -d
|
|
||||||
|
|
||||||
stop: ## Docker: stop compose stack
|
|
||||||
$(call LOG_INFO,Stop docker stack)
|
|
||||||
docker-compose -p kraken stop
|
|
||||||
|
|
||||||
ps: ## Docker: show containers
|
|
||||||
$(call LOG_INFO, Docker containers)
|
|
||||||
docker-compose -p kraken ps
|
|
||||||
|
|
||||||
logs: ## Docker: show logs
|
|
||||||
docker-compose -p kraken logs -f
|
|
||||||
|
|
||||||
generate_keys: ## Generowanie kluczy klienckich
|
|
||||||
${HYDRA_COMMAND} hydra clients create \
|
|
||||||
--endpoint http://127.0.0.1:4445 \
|
|
||||||
--id auth-code-client \
|
|
||||||
--secret secret \
|
|
||||||
--grant-types authorization_code,refresh_token \
|
|
||||||
--response-types code,id_token \
|
|
||||||
--scope openid,offline \
|
|
||||||
--callbacks http://127.0.0.1:5555/callback
|
|
||||||
|
|
||||||
|
|
||||||
token_flow: ## Generowanie kluczy klienckich
|
|
||||||
${HYDRA_COMMAND} hydra token user \
|
|
||||||
--client-id auth-code-client \
|
|
||||||
--client-secret secret \
|
|
||||||
--endpoint http://127.0.0.1:4444/ \
|
|
||||||
--port 5555 \
|
|
||||||
--scope openid,offline
|
|
||||||
30
README.md
30
README.md
@ -1,29 +1,23 @@
|
|||||||
# KrakenD api gateway playground
|
# KrakenD api gateway playground
|
||||||
|
|
||||||
## etap2 (JWT)
|
Poszczególne etapy pracy i poznawania krakend w osobnych brancz'ach.
|
||||||
|
|
||||||
Tutaj już będzie deko więcej roboty. Backend z etapu1, czyli prosty nie zabezpieczony serwer REST.
|
Całość oparta do docker.
|
||||||
|
|
||||||
Do naszej infrastruktury dodajemy usługę [Hydra](https://www.ory.sh/hydra/docs/), która jest dostawcą protokołu **OAuth2** oraz **OpenID** aby zabezpieczyć nasze api za pomocą [JWT](https://jwt.io/).
|
- etap1 (podstawka)
|
||||||
|
|
||||||
W poprzednim przykładzie (etap1) KrakenD posłóżył nam do sekwencji zapytań do api i jednej odpowiedzi
|
Proste zmokowane api oraz krakend config-watcher (restertujący usługę po zmianie pliku konfiguracyjnego). Fajny patent wykorzystujący [Reflex](https://github.com/cespare/reflex).
|
||||||
W tym etapie wprowadzimy nowy request zabezpieczony tokenem JWT:
|
|
||||||
|
|
||||||
|
Sekwencyjne proxy w KrakenD:
|
||||||
|
|
||||||
```mermaid
|
```mermaid
|
||||||
sequenceDiagram
|
sequenceDiagram
|
||||||
Użytkownik->>KrakenD: /jwt_access <br/>[Authorizaion: Bearer token]
|
Użytkownik->>KrakenD: /sequential/{id}
|
||||||
KrakenD->>Hydra: .well-known/jwks.json
|
KrakenD->>Backend: /users/{id}.json
|
||||||
Hydra-->>KrakenD: jwk
|
|
||||||
KrakenD-->>KrakenD: validator <br/>[issuer]
|
|
||||||
KrakenD->>Backend: /users/1.json
|
|
||||||
Backend-->>KrakenD: response_0
|
Backend-->>KrakenD: response_0
|
||||||
|
KrakenD->>Backend: /projects/{response_0.user_id}.json
|
||||||
|
Backend-->>KrakenD: response_1
|
||||||
|
KrakenD-->>KrakenD: merge response[]
|
||||||
KrakenD->>+Użytkownik: Response
|
KrakenD->>+Użytkownik: Response
|
||||||
```
|
```
|
||||||
|
|
||||||
Flow jest typowo testowy, na razie nie ma revoke jwt, a samo pobranie tokenu należy zrobić za pomocą pliku `Makefile`.
|
|
||||||
|
|
||||||
|
|
||||||
Przykład wykorzystania KrakenD do zabezpieczenia bakendu za pomocą JWT:
|
|
||||||
|
|
||||||
[](https://asciinema.org/a/Py3dbR2m5Jt3FdhGI7eINtpdu)
|
|
||||||
|
|
||||||
|
|||||||
@ -14,46 +14,6 @@ services:
|
|||||||
ports:
|
ports:
|
||||||
- "8000:8080"
|
- "8000:8080"
|
||||||
|
|
||||||
hydra-migrate:
|
|
||||||
image: oryd/hydra:v1.8.5
|
|
||||||
environment:
|
|
||||||
- DSN=postgres://hydra:secret@postgresd:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4
|
|
||||||
command:
|
|
||||||
migrate sql -e --yes
|
|
||||||
restart: on-failure
|
|
||||||
|
|
||||||
postgresd:
|
|
||||||
image: postgres:9.6
|
|
||||||
ports:
|
|
||||||
- "5432:5432"
|
|
||||||
environment:
|
|
||||||
- POSTGRES_USER=hydra
|
|
||||||
- POSTGRES_PASSWORD=secret
|
|
||||||
- POSTGRES_DB=hydra
|
|
||||||
|
|
||||||
hydra:
|
|
||||||
image: oryd/hydra:v1.8.5
|
|
||||||
ports:
|
|
||||||
- "4444:4444" # Public port
|
|
||||||
- "4445:4445" # Admin port
|
|
||||||
- "5555:5555" # Port for hydra token user
|
|
||||||
command:
|
|
||||||
serve all --dangerous-force-http
|
|
||||||
env_file: ./.env
|
|
||||||
restart: unless-stopped
|
|
||||||
depends_on:
|
|
||||||
- hydra-migrate
|
|
||||||
|
|
||||||
consent:
|
|
||||||
#image: oryd/hydra-login-consent-node:latest
|
|
||||||
image: paramah/consent:latest
|
|
||||||
environment:
|
|
||||||
- HYDRA_ADMIN_URL=http://hydra:4445
|
|
||||||
- BASE_URL=http://consent.service.consul:3000
|
|
||||||
ports:
|
|
||||||
- "3000:3000"
|
|
||||||
restart: unless-stopped
|
|
||||||
|
|
||||||
kraken:
|
kraken:
|
||||||
image: devopsfaith/krakend:config-watcher
|
image: devopsfaith/krakend:config-watcher
|
||||||
volumes:
|
volumes:
|
||||||
|
|||||||
@ -73,23 +73,6 @@
|
|||||||
"sequential": true
|
"sequential": true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
|
||||||
{
|
|
||||||
"endpoint": "/jwt_access",
|
|
||||||
"backend": [
|
|
||||||
{
|
|
||||||
"url_pattern": "/users/1.json"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"extra_config": {
|
|
||||||
"github.com/devopsfaith/krakend-jose/validator": {
|
|
||||||
"alg": "RS256",
|
|
||||||
"issuer": "http://127.0.0.1:4444/",
|
|
||||||
"jwk-url": "http://hydra:4444/.well-known/jwks.json",
|
|
||||||
"disable_jwk_security": true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
Reference in New Issue
Block a user