첫 커밋: 로컬 프로젝트 업로드

baron-sso/deploy/templates/ory/kratos/kratos.yml.template

@@ -0,0 +1,102 @@
+version: v26.2.0
+
+dsn: ${KRATOS_DSN}
+
+serve:
+    public:
+        base_url: http://localhost:4433/
+        cors:
+            enabled: true
+            allowed_origins:
+                - http://backend:{{BACKEND_PORT}}
+                - http://localhost:{{USERFRONT_PORT}}
+    admin:
+        base_url: http://localhost:4434/
+
+session:
+    cookie:
+        domain: ${KRATOS_SESSION_COOKIE_DOMAIN}
+        same_site: Lax
+        path: /
+
+selfservice:
+    default_browser_return_url: http://localhost:{{USERFRONT_PORT}}/
+    allowed_return_urls:
+        - http://localhost:{{USERFRONT_PORT}}
+        - http://localhost:{{USERFRONT_PORT}}/
+        - http://localhost:{{USERFRONT_PORT}}/ko
+        - http://localhost:{{USERFRONT_PORT}}/ko/
+        - http://localhost:{{USERFRONT_PORT}}/en
+        - http://localhost:{{USERFRONT_PORT}}/en/
+        - http://localhost:{{USERFRONT_PORT}}/auth/callback
+        - http://localhost:{{USERFRONT_PORT}}/ko/auth/callback
+        - http://localhost:{{USERFRONT_PORT}}/en/auth/callback
+
+    methods:
+        password:
+            enabled: true
+        link:
+            enabled: true
+        code:
+            enabled: true
+            passwordless_enabled: true
+
+    flows:
+        error:
+            ui_url: http://localhost:{{USERFRONT_PORT}}/error
+        settings:
+            ui_url: http://localhost:{{USERFRONT_PORT}}/error?error=settings_disabled
+            privileged_session_max_age: 15m
+        recovery:
+            ui_url: http://localhost:{{USERFRONT_PORT}}/recovery
+            use: code
+        verification:
+            ui_url: http://localhost:{{USERFRONT_PORT}}/verification
+            use: code
+        logout:
+            after:
+                default_browser_return_url: http://localhost:{{USERFRONT_PORT}}/login
+        login:
+            ui_url: http://localhost:{{USERFRONT_PORT}}/login
+            lifespan: 10m
+        registration:
+            ui_url: http://localhost:{{USERFRONT_PORT}}/registration
+            lifespan: 10m
+
+log:
+    level: debug
+    format: text
+    leak_sensitive_values: true
+
+secrets:
+    cookie:
+        - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
+    cipher:
+        - 32-LONG-SECRET-NOT-SECURE-AT-ALL
+
+ciphers:
+    algorithm: xchacha20-poly1305
+
+hashers:
+    algorithm: bcrypt
+    bcrypt:
+        cost: 8
+
+identity:
+    default_schema_id: default
+    schemas:
+        - id: default
+          url: file:///etc/config/kratos/identity.schema.json
+
+courier:
+    template_override_path: /etc/config/kratos/courier-templates
+    delivery_strategy: http
+    http:
+        request_config:
+            url: http://backend:{{BACKEND_PORT}}/api/v1/auth/webhooks/kratos-courier
+            method: POST
+            body: file:///etc/config/kratos/courier-http.jsonnet
+            headers:
+                Content-Type: application/json
+    smtp:
+        connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true

baron-sso/deploy/templates/ory/oathkeeper/rules.json

@@ -0,0 +1,159 @@
+[
+  {
+    "id": "public-health",
+    "description": "공개 헬스체크",
+    "match": {
+      "url": "<.*>://<[^/]+>/health",
+      "methods": ["GET"]
+    },
+    "upstream": {
+      "url": "http://backend:{{BACKEND_PORT}}"
+    },
+    "authenticators": [{ "handler": "noop" }],
+    "authorizer": { "handler": "allow" },
+    "mutators": [{ "handler": "noop" }]
+  },
+  {
+    "id": "public-preflight",
+    "description": "CORS preflight",
+    "match": {
+      "url": "<.*>://<[^/]+>/api/v1/<.*>",
+      "methods": ["OPTIONS"]
+    },
+    "upstream": {
+      "url": "http://backend:{{BACKEND_PORT}}"
+    },
+    "authenticators": [{ "handler": "noop" }],
+    "authorizer": { "handler": "allow" },
+    "mutators": [{ "handler": "noop" }]
+  },
+  {
+    "id": "public-auth",
+    "description": "인증/회원가입 등 공개 엔드포인트",
+    "match": {
+      "url": "<.*>://<[^/]+>/api/v1/auth/<.*>",
+      "methods": ["GET", "POST", "OPTIONS"]
+    },
+    "upstream": {
+      "url": "http://backend:{{BACKEND_PORT}}"
+    },
+    "authenticators": [{ "handler": "noop" }],
+    "authorizer": { "handler": "allow" },
+    "mutators": [{ "handler": "noop" }]
+  },
+  {
+    "id": "backend-command",
+    "description": "Command 요청은 Backend로 전달 (Audit 강제)",
+    "match": {
+      "url": "<.*>://<[^/]+>/api/v1/<.*>",
+      "methods": ["POST", "PUT", "PATCH", "DELETE"]
+    },
+    "upstream": {
+      "url": "http://backend:{{BACKEND_PORT}}"
+    },
+    "authenticators": [{ "handler": "cookie_session" }],
+    "authorizer": { "handler": "remote_json" },
+    "mutators": [{ "handler": "noop" }]
+  },
+  {
+    "id": "backend-query",
+    "description": "Backend Query (admin/dev 포함)",
+    "match": {
+      "url": "<.*>://<[^/]+>/api/v1/<.*>",
+      "methods": ["GET"]
+    },
+    "upstream": {
+      "url": "http://backend:{{BACKEND_PORT}}"
+    },
+    "authenticators": [{ "handler": "cookie_session" }],
+    "authorizer": { "handler": "remote_json" },
+    "mutators": [{ "handler": "noop" }]
+  },
+  {
+    "id": "hydra-well-known",
+    "description": "Hydra OIDC Discovery & JWKS",
+    "match": {
+      "url": "<.*>://<[^/]+>/.well-known/<.*>",
+      "methods": ["GET", "OPTIONS"]
+    },
+    "upstream": {
+      "url": "http://hydra:4444"
+    },
+    "authenticators": [{ "handler": "noop" }],
+    "authorizer": { "handler": "allow" },
+    "mutators": [{ "handler": "noop" }]
+  },
+  {
+    "id": "hydra-well-known-oidc",
+    "description": "Hydra OIDC Discovery & JWKS (with /oidc prefix)",
+    "match": {
+      "url": "<.*>://<[^/]+>/oidc/.well-known/<.*>",
+      "methods": ["GET", "OPTIONS"]
+    },
+    "upstream": {
+      "url": "http://hydra:4444",
+      "strip_path": "/oidc"
+    },
+    "authenticators": [{ "handler": "noop" }],
+    "authorizer": { "handler": "allow" },
+    "mutators": [{ "handler": "noop" }]
+  },
+  {
+    "id": "hydra-oauth2",
+    "description": "Hydra OAuth2 Endpoints",
+    "match": {
+      "url": "<.*>://<[^/]+>/oauth2/<.*>",
+      "methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"]
+    },
+    "upstream": {
+      "url": "http://hydra:4444"
+    },
+    "authenticators": [{ "handler": "noop" }],
+    "authorizer": { "handler": "allow" },
+    "mutators": [{ "handler": "noop" }]
+  },
+  {
+    "id": "hydra-oauth2-oidc",
+    "description": "Hydra OAuth2 Endpoints (with /oidc prefix)",
+    "match": {
+      "url": "<.*>://<[^/]+>/oidc/oauth2/<.*>",
+      "methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"]
+    },
+    "upstream": {
+      "url": "http://hydra:4444",
+      "strip_path": "/oidc"
+    },
+    "authenticators": [{ "handler": "noop" }],
+    "authorizer": { "handler": "allow" },
+    "mutators": [{ "handler": "noop" }]
+  },
+  {
+    "id": "hydra-userinfo",
+    "description": "Hydra Userinfo",
+    "match": {
+      "url": "<.*>://<[^/]+>/userinfo",
+      "methods": ["GET", "POST", "OPTIONS"]
+    },
+    "upstream": {
+      "url": "http://hydra:4444"
+    },
+    "authenticators": [{ "handler": "noop" }],
+    "authorizer": { "handler": "allow" },
+    "mutators": [{ "handler": "noop" }]
+  },
+  {
+    "id": "hydra-userinfo-oidc",
+    "description": "Hydra Userinfo (with /oidc prefix)",
+    "match": {
+      "url": "<.*>://<[^/]+>/oidc/userinfo",
+      "methods": ["GET", "POST", "OPTIONS"]
+    },
+    "upstream": {
+      "url": "http://hydra:4444",
+      "strip_path": "/oidc"
+    },
+    "authenticators": [{ "handler": "noop" }],
+    "authorizer": { "handler": "allow" },
+    "mutators": [{ "handler": "noop" }]
+  }
+]