akornatskyy/auth-playground

Auth playground with openssl, nodejs, hydra and oathkeeper.

Auth Playground

Tools: openssl, nodejs, hydra v1.10.2, oathkeeper v0.38.11-beta.1

Setup Hydra

export HYDRA_ADMIN_URL=http://localhost:4445
export DSN='postgres://postgres:@localhost:5432/hydra?sslmode=disable'

hydra migrate sql -y "$DSN"

Generate the system secret Hydra needs (SECRETS_SYSTEM); LC_ALL=C keeps tr from failing on non-UTF-8 bytes read from /dev/urandom.

export SECRETS_SYSTEM=$(LC_ALL=C tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)
echo "$SECRETS_SYSTEM"

Start the admin server (--dangerous-force-http serves plain HTTP, acceptable only for this local playground).

hydra serve admin --dangerous-force-http

Setup Client Credentials Flow

export HYDRA_ADMIN_URL=http://localhost:4445
export CLIENT_SECRET=change-me-now

# https://www.ory.sh/hydra/docs/next/cli/hydra-clients-create
hydra clients create --id my-client --secret $CLIENT_SECRET \
  -g client_credentials --token-endpoint-auth-method client_secret_post \
  --audience abc,xyz --scope read,write

Scenario #1: JWT token

Start Hydra, API and client.

# see: export DSN=... and SECRETS_SYSTEM=...
hydra serve public --dangerous-force-http -c jwt/hydra.yaml
node jwt/api.js
# see: export CLIENT_SECRET=...
node jwt/client.js

Scenario #2: opaque token

Start Hydra, Oathkeeper, API and client.

# see: export DSN=... and SECRETS_SYSTEM=...
hydra serve all --dangerous-force-http -c opaque/hydra.yaml
oathkeeper serve -c opaque/oathkeeper.yml
node opaque/api.js
# see: export CLIENT_SECRET=...
node opaque/client.js

Scenario #3: keypair token

This scenario is very similar to #1 above, except that the client authenticates at the token endpoint with a JWT signed by its own private key (private_key_jwt) instead of a client secret when requesting the access token.

Generate a JWK key pair and copy the private key into the file keypairs/key.json (this file is read by the client application); only the public key is registered with Hydra in the request below.

node keypairs/gen-key.js
hydra serve admin --dangerous-force-http

Note: at the time of this writing, the Hydra CLI does not support the jwks parameter, so the client has to be registered directly through the admin API.

Issue the following HTTP request (the jwks carries only the public key; the private key never leaves the client).

POST /clients HTTP/1.1
Host: localhost:4445
Content-Type: application/json

{
    "client_id": "client-2",
    "grant_types": [
        "client_credentials"
    ],
    "scope": "read write",
    "audience": [
        "abc",
        "xyz"
    ],
    "jwks": {
        "keys": [
            {
                "use": "sig",
                "kty": "RSA",
                "kid": "xc4d2XSeF_iYDUCIdzsCujenHC6Gh6r_nwoZAhfplxM",
                "alg": "RS256",
                "n": "2gveXesJbXIPl1wclt1bhHf7zasb5TNEymtBKJZnAmZfeNGO-jcaRphAmRZQo33jYpl3Ww5KiEEvEzgoDuX72SXVOFKWUed90LdUAmeJbu7By6vHRo7eaRZ4hWA9dpqh5YRj4ZpKH7Hhvcik-aquZhW-SONOIPk54aRkJwOt1XJgUnHdM4Lp-1s-aEDn4KEpeXfSI1UP0txgRv8hcW4-KZDMXX4AuVdszKGj_4jX4p2YvuhGNBkRKs0Uw6vaYVTvYWBLKie87msu9qrwwsVG0SvxMx0ceJU2PspzIL9uT1COlIFANVIYJJBo41npFWpKVyocAdOe3wC2DoShxsINww",
                "e": "AQAB"
            }
        ]
    },
    "token_endpoint_auth_method": "private_key_jwt"
}

Start Hydra, API and client.

# see: export DSN=... and SECRETS_SYSTEM=...
hydra serve public --dangerous-force-http -c jwt/hydra.yaml
node jwt/api.js
node keypairs/client.js

Scenario #4: mTLS

Generate a certificate authority (CA) plus the client and server keys.

The CA consists of a private key (ca.key) and the matching public key, wrapped in a self-signed X.509 certificate, both in PEM format.

sh mtls/keys/gen-keys.sh

Start API and client.

node mtls/api.js
node mtls/client.js

Appendix

JWT Token Sample

{
  "aud": [
    "abc",
    "xyz"
  ],
  "exp": 1622988104,
  "iat": 1622988044,
  "iss": "http://localhost:4444/",
  "jti": "cb3f2165-a0cf-48df-9d8c-8656307856c5",
  "nbf": 1622988044,
  "scp": "read write",
  "sub": "my-client"
}

HTTP

Access Token

POST /oauth2/token HTTP/1.1
Host: localhost:4444
Content-Type: application/x-www-form-urlencoded
Content-Length: 115

grant_type=client_credentials&client_id=my-client&client_secret=change-me-now&scope=read%20write&audience=abc%20xyz

Jaeger

export TRACING_PROVIDER=jaeger
export TRACING_PROVIDERS_JAEGER_LOCAL_AGENT_ADDRESS=localhost:6831

Links
