feat: support password method

canonical · Apr 23, 2024 · f8842f0 · f8842f0
1 parent 7315b9d
commit f8842f0
Show file tree

Hide file tree

Showing 13 changed files with 970 additions and 16 deletions.
diff --git a/idp-docker/docker-compose.yaml b/idp-docker/docker-compose.yaml
@@ -0,0 +1,98 @@
+version: '0.1'
+services:
+  kratos-migrate:
+    image: 'oryd/kratos:v1.1.0'
+    environment:
+      - 'DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc'
+    volumes:
+      - type: volume
+        source: kratos-sqlite
+        target: /var/lib/sqlite
+        read_only: false
+      - type: bind
+        source: ./kratos.yaml
+        target: /etc/config/kratos/kratos.yml
+      - type: bind
+        source: ./microsoft-schema.jsonnet
+        target: /etc/config/kratos/microsoft_schema.jsonnet
+      - type: bind
+        source: ./identity.schema.json
+        target: /etc/config/kratos/identity.schema.json
+    command: '-c /etc/config/kratos/kratos.yml migrate sql -e --yes'
+    restart: on-failure
+    networks:
+      - intranet
+  kratos:
+    depends_on:
+      - kratos-migrate
+    image: 'oryd/kratos:v1.1.0'
+    ports:
+      - '4433:4433'
+      - '4434:4434'
+    restart: unless-stopped
+    environment:
+      - 'DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true'
+      - LOG_LEVEL=debug
+    command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier
+    volumes:
+      - type: volume
+        source: kratos-sqlite
+        target: /var/lib/sqlite
+        read_only: false
+      - './kratos.yaml:/etc/config/kratos/kratos.yml'
+      - './microsoft-schema.jsonnet:/etc/config/kratos/microsoft_schema.jsonnet'
+      - './identity.schema.json:/etc/config/kratos/identity.schema.json'
+      - './identity.json:/etc/config/kratos/identity.json'
+    networks:
+      - intranet
+  mailslurper:
+    image: 'oryd/mailslurper:latest-smtps'
+    ports:
+      - '4436:4436'
+      - '4437:4437'
+    networks:
+      - intranet
+  hydra-migrate:
+    image: 'oryd/hydra:v2.2.0'
+    environment:
+      - 'DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true'
+    command: migrate -c /etc/config/hydra/hydra.yml sql -e --yes
+    volumes:
+      - type: volume
+        source: hydra-sqlite
+        target: /var/lib/sqlite
+        read_only: false
+      - type: bind
+        source: ./hydra.yaml
+        target: /etc/config/hydra/hydra.yml
+    restart: on-failure
+    networks:
+      - intranet
+  hydra:
+    image: 'oryd/hydra:v2.2.0'
+    ports:
+      - '4444:4444'
+      - '4445:4445'
+    command: serve -c /etc/config/hydra/hydra.yml all --dev
+    volumes:
+      - './hydra.yaml:/etc/config/hydra/hydra.yml'
+      - type: volume
+        source: hydra-sqlite
+        target: /var/lib/sqlite
+        read_only: false
+      - type: bind
+        source: ./hydra.yaml
+        target: /etc/config/hydra/hydra.yml
+    environment:
+      - 'DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true'
+      - LOG_LEVEL=info
+    restart: unless-stopped
+    depends_on:
+      - hydra-migrate
+    networks:
+      - intranet
+networks:
+  intranet: null
+volumes:
+  kratos-sqlite: null
+  hydra-sqlite: null
diff --git a/idp-docker/hydra.yaml b/idp-docker/hydra.yaml
@@ -0,0 +1,32 @@
+serve:
+  cookies:
+    same_site_mode: Lax
+  admin:
+    cors:
+      enabled: true
+      allowed_origins:
+        - "*"
+  public:
+    cors:
+      enabled: true
+      allowed_origins:
+        - "*"
+
+log:
+  leak_sensitive_values: true
+  level: info
+
+oauth2:
+  expose_internal_errors: true
+
+urls:
+  self:
+    issuer: http://hydra:4444
+    public: http://localhost:4444
+  consent: http://localhost:4455/ui/consent
+  login: http://localhost:4455/ui/login
+  error: http://localhost:4455/ui/oidc_error
+
+secrets:
+  system:
+    - my-secret-system
diff --git a/idp-docker/identity.json b/idp-docker/identity.json
@@ -0,0 +1,15 @@
+{
+    "traits": {
+      "email": "test@example.com",
+      "name": "Test",
+      "surname": "Example"
+    },
+    "schema_id": "default",
+    "credentials": {
+      "password": {
+        "config": {
+          "password": "mQ#v9fwHc0@8"
+        }
+      }
+    }
+  }
diff --git a/idp-docker/identity.schema.json b/idp-docker/identity.schema.json
@@ -0,0 +1,43 @@
+{
+    "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
+    "$schema": "http://json-schema.org/draft-07/schema#",
+    "title": "Person",
+    "type": "object",
+    "properties": {
+      "traits": {
+        "type": "object",
+        "properties": {
+          "email": {
+            "type": "string",
+            "format": "email",
+            "title": "E-Mail",
+            "minLength": 3,
+            "ory.sh/kratos": {
+              "credentials": {
+                "password": {
+                  "identifier": true
+                },
+                "totp": {
+                   "account_name": true
+                 }
+              },
+              "verification": {
+                "via": "email"
+              },
+              "recovery": {
+                "via": "email"
+              }
+            }
+          },
+          "name": {
+            "type": "string"
+            },
+          "surname": {
+            "type": "string"
+            }
+          }
+        },
+        "additionalProperties": true
+      }
+    }
+
diff --git a/idp-docker/kratos.yaml b/idp-docker/kratos.yaml
@@ -0,0 +1,93 @@
+version: v1.1.0
+
+log:
+   level: debug
+   format: text
+   leak_sensitive_values: true
+dsn: memory
+serve:
+ public:
+   base_url: http://localhost:4433/
+   cors:
+     enabled: true
+ admin:
+   base_url: http://kratos:4434/
+
+identity:
+   default_schema_id: default
+   schemas:
+       - id: default
+         url: file:///etc/config/kratos/identity.schema.json
+selfservice:
+   default_browser_return_url:
+       http://localhost:4455/
+   allowed_return_urls:
+     - http://localhost:4455
+     - http://localhost:8080
+   flows:
+       error:
+           ui_url: http://localhost:4455/ui/error
+       login:
+           ui_url: http://localhost:4455/ui/login
+#           after:
+#               password:
+#                 hooks:
+#                 - hook: require_verified_address
+      #  registration:
+      #      enabled: True
+      #      ui_url: http://localhost:4455/registration
+      #      after:
+      #         oidc:
+      #             hooks:
+      #             - hook: session
+      #          password:
+      #              hooks:
+      #                - hook: session
+      #  settings:
+      #      ui_url: http://localhost:4455/settings
+      #      # Sessions older than 10m requires the user to sign in again before the password is changed
+      #      privileged_session_max_age: 10m
+      #  recovery:
+      #    enabled: true
+      #    ui_url: http://localhost:4455/recovery
+      #  verification:
+      #    enabled: true
+      #    ui_url: http://localhost:4455/verification
+      #    use: link
+   methods:
+      #  lookup_secret:
+      #    enabled: true
+      #  totp:
+      #    enabled: true
+      #    config:
+      #      issuer: GoogleAuthenticator
+      password:
+          enabled: true
+      #  profile:
+      #      enabled: true
+      oidc:
+          config:
+              providers:
+              - id: "microsoft_cccca7a7a3666c2bc336a09713596333b5d02fbc"
+                client_id: "bf7ca934-18d9-4726-b0b0-a0d0ac7105f9"
+                provider: "microsoft"
+                client_secret: "CHANGE-ME"
+                microsoft_tenant: "8de88d99-6d0f-44d7-a8a5-925b012e5940"
+                mapper_url: "file:///etc/config/kratos/microsoft_schema.jsonnet"
+                scope: ["profile", "email", "address", "phone"]
+          enabled: True
+oauth2_provider:
+  url: "http://hydra:4445"
+session:
+  whoami:
+    required_aal: highest_available
+courier:
+   smtp:
+       connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true
+#   templates:
+#       recovery:
+#         valid:
+#           email:
+#             subject: file://path/to/subject.gotmpl
+#             template:
+#               html: file://path/to/body.html.gotmpl
diff --git a/idp-docker/microsoft-schema.jsonnet b/idp-docker/microsoft-schema.jsonnet
@@ -0,0 +1,28 @@
+local claims = {
+ email_verified: false,
+} + std.extVar('claims');
+
+
+{
+ identity: {
+   traits: {
+     [if 'email' in claims then 'email' else null]: claims.email,
+     [if 'name' in claims then 'name' else null]: claims.name,
+     [if 'given_name' in claims then 'given_name' else null]: claims.given_name,
+     [if 'family_name' in claims then 'family_name' else null]: claims.family_name,
+     [if 'last_name' in claims then 'last_name' else null]: claims.last_name,
+     [if 'middle_name' in claims then 'middle_name' else null]: claims.middle_name,
+     [if 'nickname' in claims then 'nickname' else null]: claims.nickname,
+     [if 'profile' in claims then 'profile' else null]: claims.profile,
+     [if 'picture' in claims then 'picture' else null]: claims.picture,
+     [if 'website' in claims then 'website' else null]: claims.website,
+     [if 'gender' in claims then 'gender' else null]: claims.gender,
+     [if 'birthdate' in claims then 'birthdate' else null]: claims.birthdate,
+     [if 'zoneinfo' in claims then 'zoneinfo' else null]: claims.zoneinfo,
+     [if 'locale' in claims then 'locale' else null]: claims.locale,
+     [if 'phone_number' in claims && claims.phone_number_verified then 'phone_number' else null]: claims.phone_number,
+     [if 'locale' in claims then 'locale' else null]: claims.locale,
+     [if 'team' in claims then 'team' else null]: claims.team,
+   },
+ },
+}
diff --git a/pkg/kratos/handlers.go b/pkg/kratos/handlers.go
@@ -36,6 +36,7 @@ func (a *API) handleCreateFlow(w http.ResponseWriter, r *http.Request) {
 	// call will return an empty response
 	// TODO: We need to send a different content-type to CreateBrowserLoginFlow in order
 	// to avoid this bug.
+	a.logger.Debugf("Created flow: %v", loginChallenge)
 	session, _, _ := a.service.CheckSession(context.Background(), r.Cookies())
 	if session != nil {
 		redirectTo, cookies, err := a.service.AcceptLoginRequest(context.Background(), session.Identity.Id, loginChallenge)
@@ -125,7 +126,9 @@ func (a *API) handleUpdateFlow(w http.ResponseWriter, r *http.Request) {
 	q := r.URL.Query()
 	flowId := q.Get("flow")
 
-	body, err := a.service.ParseLoginFlowMethodBody(r)
+	// TODO: Identify oidc/password flow
+	// body, err := a.service.ParseLoginFlowMethodBody(r)
+	body, err := a.service.ParsePasswordLoginFlowMethodBody(r)
 	if err != nil {
 		a.logger.Errorf("Error when parsing request body: %v\n", err)
 		http.Error(w, "Failed to parse login flow", http.StatusInternalServerError)
@@ -156,6 +159,9 @@ func (a *API) handleUpdateFlow(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "Failed to update login flow", http.StatusInternalServerError)
 		return
 	}
+	if err == nil {
+		a.logger.Debugf("Login flow updated: %v", flowId)
+	}
 
 	resp, err := json.Marshal(flow)
 	if err != nil {

diff --git a/pkg/kratos/interfaces.go b/pkg/kratos/interfaces.go
@@ -32,4 +32,5 @@ type ServiceInterface interface {
 	CheckAllowedProvider(context.Context, *kClient.LoginFlow, *kClient.UpdateLoginFlowBody) (bool, error)
 	FilterFlowProviderList(context.Context, *kClient.LoginFlow) (*kClient.LoginFlow, error)
 	ParseLoginFlowMethodBody(*http.Request) (*kClient.UpdateLoginFlowBody, error)
+	ParsePasswordLoginFlowMethodBody(*http.Request) (*kClient.UpdateLoginFlowBody, error)
 }