Ory based authorization

.github/workflows/main.yml

@@ -4,7 +4,7 @@ name: Main
 # Run in master and dev branches and in all pull requests to those branches
 on:
   push:
-    branches: [ master, dev ]
+    branches: [ master, dev, feature/* ]
   pull_request: {}
 
 env:

gradle.properties

@@ -16,7 +16,7 @@ thymeleaf_version=3.1.2.RELEASE
 spring_session_version=2021.2.0
 gatling_version=3.8.4
 mapstruct_version=1.5.5.Final
-jackson_version=2.16.1
+jackson_version=2.15.0
 javax_xml_bind_version=2.3.3
 javax_jaxb_core_version=2.3.0.1
 javax_jaxb_runtime_version=2.3.8

radar-auth/src/main/java/org/radarbase/auth/token/RadarToken.kt

@@ -98,7 +98,7 @@ interface RadarToken {
      * @return true if the client credentials flow was certainly used, false otherwise.
      */
     val isClientCredentials: Boolean
-        get() = grantType == CLIENT_CREDENTIALS
+        get() = grantType == CLIENT_CREDENTIALS || (subject != null && subject == clientId)
 
     fun copyWithRoles(roles: Set<AuthorityReference>): RadarToken
 

src/main/docker/etc/config/kratos/kratos.yml

@@ -2,12 +2,12 @@ dsn: memory
 
 serve:
   public:
-    base_url: http://127.0.0.1:4433/
+    base_url: http://localhost:4433/
   admin:
     base_url: http://kratos:4434/
 
 selfservice:
-  default_browser_return_url: http://127.0.0.1:3000/
+  default_browser_return_url: http://localhost:3000/
   allowed_return_urls:
     - "http://127.0.0.1:3000/"
     - "http://127.0.0.1:8080/"
@@ -19,23 +19,6 @@ selfservice:
   methods:
     password:
       enabled: true
-    #    oidc:
-    #      config:
-    #        providers:
-    #          # social sign-in for google. This needs to be tied to a google account. values below were added by bastiaan
-    #          - id: google_d292689d # this is `<provider-id>` in the Authorization callback URL. DO NOT CHANGE IT ONCE SET! current google callback: http://127.0.0.1:4433/self-service/methods/oidc/callback/google_d292689d
-    #            provider: google
-    #            client_id: 922854293804-r3fhl9tom6uutcq5c8fm4592l1t6s3mh.apps.googleusercontent.com # Replace this with the Client ID
-    #            client_secret: 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 # Replace this with the Client secret
-    #            issuer_url: https://accounts.google.com # Replace this with the providers issuer URL
-    #            mapper_url: "base64://bG9jYWwgY2xhaW1zID0gewogIGVtYWlsX3ZlcmlmaWVkOiBmYWxzZSwKfSArIHN0ZC5leHRWYXIoJ2NsYWltcycpOwoKewogIGlkZW50aXR5OiB7CiAgICB0cmFpdHM6IHsKICAgICAgW2lmICdlbWFpbCcgaW4gY2xhaW1zICYmIGNsYWltcy5lbWFpbF92ZXJpZmllZCB0aGVuICdlbWFpbCcgZWxzZSBudWxsXTogY2xhaW1zLmVtYWlsLAogICAgfSwKICB9LAp9"
-    #            # currently: GitHub example from: https://www.ory.sh/docs/kratos/social-signin/data-mapping
-    #            # Alternatively, use an URL:
-    #            # mapper_url: https://storage.googleapis.com/abc-cde-prd/9cac9717f007808bf17
-    #            scope:
-    #              - email
-    #            # supported scopes can be found in your providers dev docs
-    #      enabled: true
     totp:
       config:
         issuer: Kratos
@@ -45,34 +28,34 @@ selfservice:
 
   flows:
     error:
-      ui_url: http://127.0.0.1:3000/error
+      ui_url: http://localhost:3000/error
 
     settings:
-      ui_url: http://127.0.0.1:3000/settings
-
+      ui_url: http://localhost:3000/settings
+  
     recovery:
       enabled: true
-      ui_url: http://127.0.0.1:3000/recovery
-      use: link
+      ui_url: http://localhost:3000/recovery
+      use: code
 
     verification:
       # our current flow necessitates that users reset their password after they activate an account in managementportal,
       # this works as verification
-      ui_url: http://127.0.0.1:3000/verification
+      ui_url: http://localhost:3000/verification
       enabled: true
-      use: link
+      use: code
       after:
-        default_browser_return_url: http://127.0.0.1:3000
+        default_browser_return_url: http://localhost:3000/consent
 
     logout:
       after:
-        default_browser_return_url: http://127.0.0.1:3000/login
+        default_browser_return_url: http://localhost:3000/login
 
     login:
-      ui_url: http://127.0.0.1:3000/login
+      ui_url: http://localhost:3000/login
 
     registration:
-      ui_url: http://127.0.0.1:3000/registration
+      ui_url: http://localhost:3000/registration
       after:
         password:
           hooks:
@@ -104,3 +87,6 @@ courier:
   smtp:
     connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true&disable_starttls=true
     from_address: [email protected]
+
+oauth2_provider:
+  url: http://hydra:4445

src/main/docker/etc/config/kratos/webhook_body.jsonnet

@@ -0,0 +1,5 @@
+function(ctx) {
+    identity: if std.objectHas(ctx, "identity") then ctx.identity else null,
+    payload: if std.objectHas(ctx, "flow") && std.objectHas(ctx.flow, "transient_payload") then ctx.flow.transient_payload else null,
+    cookies: ctx.request_cookies
+}

src/main/docker/etc/postgres/init-user-db.sh

@@ -0,0 +1,34 @@
+#! /bin/bash
+
+ set -e
+ set -u
+ export PGPASSWORD="$POSTGRES_PASSWORD"
+ export PGUSER="$POSTGRES_USER"
+
+ function create_user_and_database() {
+   export PGPASSWORD="$POSTGRES_PASSWORD"
+   export PGUSER="$POSTGRES_USER"
+   local database=$1
+   local database_exist=$(psql -U $PGUSER -tAc "SELECT 1 FROM pg_database WHERE datname='$database';")
+   if [[ "$database_exist" == 1 ]]; then
+     echo "Database $database already exists"
+   else
+     echo "Database $database does not exist"
+     echo "  Creating database '$database' for user '$PGUSER'"
+
+     psql -U $PGUSER -v ON_ERROR_STOP=1 <<-EOSQL
+     CREATE DATABASE "$database";
+     GRANT ALL PRIVILEGES ON DATABASE $database TO $PGUSER;
+EOSQL
+   fi
+ }
+
+ if [ -n "$POSTGRES_MULTIPLE_DATABASES" ]; then
+   echo "Multiple database creation requested: $POSTGRES_MULTIPLE_DATABASES"
+   #waiting for postgres
+   for db in $(echo $POSTGRES_MULTIPLE_DATABASES | tr ',' ' '); do
+     create_user_and_database $db
+   done
+   echo "Databases created"
+ fi
+

src/main/docker/managementportal.yml

@@ -14,6 +14,9 @@ services:
             - MANAGEMENTPORTAL_IDENTITYSERVER_SERVERURL=http://kratos:4433
             - MANAGEMENTPORTAL_IDENTITYSERVER_LOGINURL=http://localhost:3000
             - MANAGEMENTPORTAL_IDENTITYSERVER_SERVERADMINURL=http://kratos:4434
+            - MANAGEMENTPORTAL_AUTHSERVER_SERVERURL=http://hydra:4444
+            - MANAGEMENTPORTAL_AUTHSERVER_LOGINURL=http://localhost:4444
+            - MANAGEMENTPORTAL_AUTHSERVER_SERVERADMINURL=http://hydra:4445
             - JHIPSTER_SLEEP=10 # gives time for the database to boot before the application
             - JAVA_OPTS=-Xmx512m -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 #enables remote debugging
         ports:

src/main/docker/non_managementportal/docker-compose.yml

@@ -13,6 +13,9 @@ networks:
     driver: bridge
     internal: true
 
+volumes:
+    pgdata:
+
 services:
   managementportal-postgresql:
     extends:
@@ -22,10 +25,10 @@ services:
       - db
       - default
 
-  kratos-selfservice-ui-node:
+  radar-self-enrolment-ui:
     extends:
       file: ../ory_stack.yml
-      service: kratos-selfservice-ui-node
+      service: radar-self-enrolment-ui
     networks:
       - ory
       - default
@@ -46,10 +49,10 @@ services:
     networks:
       - ory
 
-  postgresd-kratos:
+  postgresd-ory:
     extends:
       file: ../ory_stack.yml
-      service: postgresd-kratos
+      service: postgresd-ory
     networks:
       - ory
 
@@ -60,3 +63,19 @@ services:
     networks:
       - ory
       - default
+
+  hydra-migrate:
+    extends:
+      file: ../ory_stack.yml
+      service: hydra-migrate
+    networks:
+      - ory
+
+  hydra:
+    extends:
+      file: ../ory_stack.yml
+      service: hydra
+    networks:
+      - ory
+      - default
+

src/main/docker/ory_stack.yml

@@ -1,18 +1,15 @@
 version: '3.8'
 
+volumes:
+  pgdata:
+
 services:
-    kratos-selfservice-ui-node:
-        image:
-            oryd/kratos-selfservice-ui-node
+    radar-self-enrolment-ui:
+        image: ghcr.io/radar-base/radar-self-enrolment-ui:dev
         environment:
-            - LOG_LEAK_SENSITIVE_VALUES=true
-            - KRATOS_PUBLIC_URL=http://kratos:4433
-            - KRATOS_ADMIN_URL=http://kratos:4434
-            - SECURITY_MODE=standalone
-            - KRATOS_BROWSER_URL=http://127.0.0.1:4433
-            - COOKIE_SECRET=unsafe_cookie_secret
-            - CSRF_COOKIE_NAME=radar
-            - CSRF_COOKIE_SECRET=unsafe_csrf_cookie_secret
+            - ORY_SDK_URL=http://kratos:4433
+            - HYDRA_ADMIN_URL=http://hydra:4445
+            - HYDRA_PUBLIC_URL=http://hydra:4444
         ports:
             - "3000:3000"
         volumes:
@@ -27,7 +24,18 @@ services:
         - "4434:4434" # admin, should be closed in production
       restart: unless-stopped
       environment:
-        - DSN=postgres://kratos:secret@postgresd-kratos/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
+        - DSN=postgres://ory:secret@postgresd-ory/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
+        - SELFSERVICE_FLOWS_REGISTRATION_AFTER_PASSWORD_HOOKS_0_HOOK=web_hook
+        - SELFSERVICE_FLOWS_REGISTRATION_AFTER_PASSWORD_HOOKS_0_CONFIG_METHOD=POST
+        - SELFSERVICE_FLOWS_REGISTRATION_AFTER_PASSWORD_HOOKS_0_CONFIG_URL=http://managementportal:8080/managementportal/api/kratos/subjects
+        - SELFSERVICE_FLOWS_REGISTRATION_AFTER_PASSWORD_HOOKS_0_CONFIG_BODY=/etc/config/kratos/webhook_body.jsonnet
+        - SELFSERVICE_FLOWS_REGISTRATION_AFTER_PASSWORD_HOOKS_0_CONFIG_RESPONSE_IGNORE=true
+        - SELFSERVICE_FLOWS_REGISTRATION_AFTER_PASSWORD_HOOKS_1_HOOK=session
+        - SELFSERVICE_FLOWS_VERIFICATION_AFTER_HOOKS_0_HOOK=web_hook
+        - SELFSERVICE_FLOWS_VERIFICATION_AFTER_HOOKS_0_CONFIG_METHOD=POST
+        - SELFSERVICE_FLOWS_VERIFICATION_AFTER_HOOKS_0_CONFIG_URL=http://managementportal:8080/managementportal/api/kratos/subjects/activate
+        - SELFSERVICE_FLOWS_VERIFICATION_AFTER_HOOKS_0_CONFIG_BODY=/etc/config/kratos/webhook_body.jsonnet
+        - SELFSERVICE_FLOWS_VERIFICATION_AFTER_HOOKS_0_CONFIG_RESPONSE_IGNORE=true
       command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier
       volumes:
         - type: bind
@@ -38,23 +46,64 @@ services:
         image:
             oryd/kratos:v1.0.0
         environment:
-            - DSN=postgres://kratos:secret@postgresd-kratos/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
+            - DSN=postgres://ory:secret@postgresd-ory/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
         volumes:
             - type: bind
               source: ./etc/config/kratos
               target: /etc/config/kratos
         command: -c /etc/config/kratos/kratos.yml migrate sql -e --yes
         restart: on-failure
 
-    postgresd-kratos:
+    postgresd-ory:
         image: postgres:11.8
         environment:
-            - POSTGRES_USER=kratos
+            - POSTGRES_USER=ory
             - POSTGRES_PASSWORD=secret
-            - POSTGRES_DB=kratos
+            - POSTGRES_MULTIPLE_DATABASES=kratos,hydra
+        volumes:
+            - pgdata:/var/lib/postgresql/data
+            - ./etc/postgres/init-user-db.sh:/docker-entrypoint-initdb.d/init-user-db.sh
 
     mailslurper:
         image: oryd/mailslurper:latest-smtps
         ports:
             - "4436:4436"
             - "4437:4437"
+
+    hydra-migrate:
+        image: oryd/hydra:v2.2.0
+        environment:
+          - DSN=postgres://ory:secret@postgresd-ory/hydra?sslmode=disable&max_conns=20&max_idle_conns=4
+        command: migrate sql -e --yes
+        restart: on-failure
+
+    hydra:
+        image: oryd/hydra:v2.2.0
+        depends_on:
+          - hydra-migrate
+        ports:
+          - "4444:4444" # Public port
+          - "4445:4445" # Admin port
+          - "5555:5555" # Port for hydra token user
+        command:
+          serve all --dev
+        restart: on-failure # TODO figure out why we need this (incorporate health check into hydra migrate command?)
+        environment:
+          - DSN=postgres://ory:secret@postgresd-ory/hydra?sslmode=disable&max_conns=20&max_idle_conns=4
+          - LOG_LEAK_SENSITIVE_VALUES=true
+          - URLS_SELF_ISSUER=http://localhost:4444
+          - URLS_SELF_PUBLIC=http://localhost:4444
+          - URLS_CONSENT=http://localhost:3000/consent
+          - URLS_LOGIN=http://localhost:3000/login
+          - URLS_LOGOUT=http://localhost:3000/logout
+          - URLS_IDENTITY_PROVIDER_PUBLICURL=http://localhost:4433
+          - URLS_IDENTITY_PROVIDER_URL=http://localhost:4434
+          - SECRETS_SYSTEM=youReallyNeedToChangeThis
+          - OIDC_SUBJECT_IDENTIFIERS_SUPPORTED_TYPES=public,pairwise
+          - OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT=youReallyNeedToChangeThis
+          - STRATEGIES_ACCESS_TOKEN=jwt
+          - STRATEGIES_JWT_SCOPE_CLAIM=both
+          - SERVE_PUBLIC_CORS_ENABLED=true
+          - SERVE_ADMIN_CORS_ENABLED=true
+          - OAUTH2_ALLOWED_TOP_LEVEL_CLAIMS=scope,roles,authorities,sources,user_name
+          - OAUTH2_MIRROR_TOP_LEVEL_CLAIMS=false