Weekly open source project share: a young person's first OAuth2.0 server, hydra

What is hydra?

OpenID Connect certified OAuth2 Server - cloud native, security-first, open source API security for your infrastructure. Written in Go. SDKs for any language.

In plain language: it is a server-side OAuth2.0 framework that works out of the box.

What is OAuth? Do you know QQ Connect? Do you know WeChat authorized login? That.

Further reading: Understanding OAuth 2.0, by Ruan Yifeng (阮一峰)

Source code: https://github.com/ory/hydra

Documentation: https://www.ory.sh/docs/guides/master/hydra/

End of article...
Now, step by step: running the hydra server

Everything is deployed with Docker; please prepare that environment yourself.

Prepare a PostgreSQL or MySQL database

hydra supports PostgreSQL and MySQL; pick whichever you like.

The official guide uses PostgreSQL. I have copied those steps below and added the equivalent MySQL commands.

Start the database!!!

Oh, before starting it, create a docker network first.

docker network create hydraguide

Start PostgreSQL as follows

docker run \
  --network hydraguide \
  --name ory-hydra-example--postgres \
  -e POSTGRES_USER=hydra \
  -e POSTGRES_PASSWORD=secret \
  -e POSTGRES_DB=hydra \
  -d postgres:9.6

Or start MySQL

# MYSQL_DATABASE creates the hydra schema that the MySQL DATABASE_URL below points at;
# without it the migration step fails with an unknown database.
docker run -p 3306:3306 \
  --network hydraguide \
  --name hydra-mysql --restart=always \
  -v ~/docker-data/hydra-mysql/data/:/var/lib/mysql \
  -e MYSQL_ROOT_PASSWORD=123 \
  -e MYSQL_DATABASE=hydra \
  -d mysql:5.7

Once it is up, verify yourself that the database started correctly and that you can connect to it.

Prepare the hydra environment variables

# The system secret can only be set against a fresh database. Key rotation is currently not supported. This
# secret is used to encrypt the database and needs to be set to the same value every time the process (re-)starts.
# You can use /dev/urandom to generate a secret. But make sure that the secret must be the same anytime you define it.
# You could, for example, store the value somewhere.
$ export SYSTEM_SECRET=$(export LC_CTYPE=C; cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
#
# Alternatively you can obviously just set a secret:
# $ export SYSTEM_SECRET=this_needs_to_be_the_same_always_and_also_very_$3cuR3-._
#
# The database url points us at the postgres instance. This could also be an ephemeral in-memory database (`export DATABASE_URL=memory`)
# or a MySQL URI.
$ export DATABASE_URL=postgres://hydra:secret@ory-hydra-example--postgres:5432/hydra?sslmode=disable
#
# MySQL configuration: the host part can be host.docker.internal (the host machine's address), the MySQL
# container's internal IP, or the container name hydra-mysql (used here, since both containers share the hydraguide network).
$ export DATABASE_URL=mysql://root:123@tcp(hydra-mysql:3306)/hydra?parseTime=true

SYSTEM_SECRET is the key hydra uses at startup to encrypt the database. On Mac/Linux, set it with the commands above; on Windows, set it as an environment variable in whatever way you normally do, roughly to the same effect.

DATABASE_URL is the database connection configuration; choose either the postgres or the mysql form.

Run the database migration script

It ships with hydra; just run it.

docker run -it --rm \
  --network hydraguide \
  oryd/hydra:v1.0.0-beta.5 \
  migrate sql $DATABASE_URL

If it runs normally, the output should look like this:

Applying `client` SQL migrations...
Applied 0 `client` SQL migrations.
Applying `oauth2` SQL migrations...
Applied 0 `oauth2` SQL migrations.
Applying `jwk` SQL migrations...
Applied 0 `jwk` SQL migrations.
Applying `consent` SQL migrations...
Applied 0 `consent` SQL migrations.
Migration successful!
Applied a total of 0 SQL migrations.
Migration successful!

The database is ready; now we can set up the server itself.

Start the hydra server

docker run -d \
  --name ory-hydra-example--hydra \
  --network hydraguide \
  -p 9000:4444 \
  -e SYSTEM_SECRET=$SYSTEM_SECRET \
  -e DATABASE_URL=$DATABASE_URL \
  -e OAUTH2_ISSUER_URL=https://localhost:9000/ \
  -e OAUTH2_CONSENT_URL=http://localhost:9020/consent \
  -e OAUTH2_LOGIN_URL=http://localhost:9020/login \
  oryd/hydra:v1.0.0-beta.5 serve

Note a few of the environment variables passed into the container.

OAUTH2_ISSUER_URL: the address where hydra itself lives

OAUTH2_CONSENT_URL: the address of the consent page

OAUTH2_LOGIN_URL: the address of the login page

Assuming everyone already knows the OAuth2.0 flow, what happens here is basically:

Application XX requests authorization

-> redirect to the OAUTH2_LOGIN_URL address

-> login succeeds

-> redirect to the OAUTH2_CONSENT_URL consent page

-> consent is granted

-> redirect back to application XX's callback address, returning the authorization code/token

-> application XX uses the code/token to fetch user information or perform other operations

After starting it, check the logs to see whether hydra came up normally.

Common problem: "Could not fetch private signing key for OpenID Connect - did you forget to run "hydra migrate sql" or forget to set the SYSTEM_SECRET?" error="unexpected end of JSON input"

Check whether SYSTEM_SECRET was actually set; if all else fails, pass it directly on the docker run command line.

If it started normally, the log looks like this:

Thank you for using ORY Hydra!
Take security seriously and subscribe to the ORY newsletter. Stay on top of new patches and security insights.
>> Subscribe now: <<
time="2018-08-09T10:23:50Z" level=info msg="Connected to SQL!"
time="2018-08-09T10:23:50Z" level=info msg="JSON Web Key Set hydra.openid.id-token does not exist yet, generating new key pair..."
time="2018-08-09T10:23:51Z" level=info msg="Setting up Prometheus middleware"
time="2018-08-09T10:23:51Z" level=info msg="Transmission of telemetry data is enabled, to learn more go to: https://www.ory.sh/docs/guides/latest/telemetry/"
time="2018-08-09T10:23:51Z" level=info msg="Detected local environment, skipping telemetry commit"
time="2018-08-09T10:23:51Z" level=info msg="Detected local environment, skipping telemetry commit"
time="2018-08-09T10:23:51Z" level=info msg="JSON Web Key Set hydra.https-tls does not exist yet, generating new key pair..."
time="2018-08-09T10:23:55Z" level=info msg="Setting up http server on :4444"

Now visit: https://localhost:9000/.well-known/jwks.json

In theory it returns the key set normally.
