Merge commit '1406c20959678870fe01564147613b24806697a2'

2026-02-03 14:27:21 +09:00
parent d09abab5a2 1406c20959
commit 3868f5967e
25 changed files with 4683 additions and 277 deletions
--- a/docker/ory/clickhouse/init.sql
+++ b/docker/ory/clickhouse/init.sql
@@ -7,13 +7,23 @@ CREATE TABLE IF NOT EXISTS ory.oathkeeper_access_logs (
  path String DEFAULT '',
  status UInt16 DEFAULT 0,
  latency_ms UInt32 DEFAULT 0,
+  client_id String DEFAULT '',
  rp String DEFAULT '',
  action String DEFAULT '',
  target String DEFAULT '',
+  rule_id String DEFAULT '',
+  host String DEFAULT '',
+  scheme String DEFAULT '',
+  query String DEFAULT '',
+  upstream_url String DEFAULT '',
  subject String DEFAULT '',
+  parent_session_id String DEFAULT '',
  client_ip String DEFAULT '',
  user_agent String DEFAULT '',
+  referer String DEFAULT '',
  decision String DEFAULT '',
+  bytes_in UInt64 DEFAULT 0,
+  bytes_out UInt64 DEFAULT 0,
  trace_id String DEFAULT '',
  span_id String DEFAULT '',
  raw String DEFAULT ''
--- a/docker/ory/oathkeeper/oathkeeper.yml
+++ b/docker/ory/oathkeeper/oathkeeper.yml
@@ -26,6 +26,23 @@ authenticators:
      preserve_path: true
      extra_from: "@this"
      subject_from: "identity.id"
+  oauth2_introspection:
+    enabled: true
+    config:
+      introspection_url: http://hydra:4444/oauth2/introspect
+      pre_authorization:
+        enabled: true
+        client_id: ${OATHKEEPER_INTROSPECT_CLIENT_ID:-oathkeeper-introspect}
+        client_secret: ${OATHKEEPER_INTROSPECT_CLIENT_SECRET:-oathkeeper-secret}
+        token_url: http://hydra:4444/oauth2/token
+  jwt:
+    enabled: true
+    config:
+      jwks_urls:
+        - http://hydra:4444/.well-known/jwks.json
+      trusted_issuers:
+        - http://hydra:4444/
+      scope_strategy: none

 authorizers:
  allow:
--- a/docker/ory/oathkeeper/rules.draft.json
+++ b/docker/ory/oathkeeper/rules.draft.json
@@ -84,5 +84,23 @@
    "authenticators": [{ "handler": "noop" }],
    "authorizer": { "handler": "allow" },
    "mutators": [{ "handler": "noop" }]
+  },
+  {
+    "id": "rp-host-template",
+    "description": "RP 호스트 기반 템플릿. redirect_uri의 host를 기준으로 매칭합니다.",
+    "match": {
+      "url": "<.*>://rp.example.com/<.*>",
+      "methods": ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"]
+    },
+    "upstream": {
+      "url": "http://rp_upstream:8080"
+    },
+    "authenticators": [
+      { "handler": "cookie_session" },
+      { "handler": "oauth2_introspection" },
+      { "handler": "jwt" }
+    ],
+    "authorizer": { "handler": "allow" },
+    "mutators": [{ "handler": "noop" }]
  }
 ]
--- a/docker/ory/vector/vector.toml
+++ b/docker/ory/vector/vector.toml
@@ -15,6 +15,9 @@
    request_method = get(parsed, ["request", "method"]) ?? ""
    request_path = get(parsed, ["request", "path"]) ?? ""
    request_url = get(parsed, ["request", "url"]) ?? ""
+    request_host = get(parsed, ["request", "host"]) ?? ""
+    request_scheme = get(parsed, ["request", "scheme"]) ?? ""
+    request_query = get(parsed, ["request", "query"]) ?? ""
    .method = parsed.method ?? parsed.http_method ?? request_method ?? ""
    .path = parsed.path ?? parsed.http_path ?? request_path ?? request_url ?? ""
    response_status = get(parsed, ["response", "status"]) ?? 0
@@ -27,6 +30,7 @@
    .user_agent = parsed.user_agent
    if is_null(.user_agent) { .user_agent = get(headers, ["User-Agent"]) }
    if is_null(.user_agent) { .user_agent = "" }
+    .referer = get(headers, ["Referer"]) ?? ""

    .decision = parsed.decision
    if is_null(.decision) { .decision = parsed.result }
@@ -38,9 +42,21 @@
    .span_id = parsed.span_id
    if is_null(.span_id) { .span_id = "" }

-    .rp = ""
-    .action = ""
-    .target = ""
+    .rp = parsed.rp ?? ""
+    .action = parsed.action ?? ""
+    .target = parsed.target ?? ""
+    .rule_id = parsed.rule_id ?? get(parsed, ["rule", "id"]) ?? ""
+    parsed_url = {}
+    if request_url != "" { parsed_url = parse_url(request_url) ?? {} }
+    query_params = get(parsed_url, ["query"]) ?? {}
+    .client_id = parsed.client_id ?? get(parsed, ["client", "id"]) ?? get(query_params, ["client_id"]) ?? get(query_params, ["clientId"]) ?? ""
+    .parent_session_id = parsed.parent_session_id ?? get(parsed, ["extra", "parent_session_id"]) ?? ""
+    .host = parsed.host ?? request_host ?? ""
+    .scheme = parsed.scheme ?? request_scheme ?? ""
+    .query = parsed.query ?? request_query ?? ""
+    .upstream_url = parsed.upstream_url ?? get(parsed, ["upstream", "url"]) ?? ""
+    .bytes_in = to_int(parsed.bytes_in ?? parsed.request_bytes ?? 0) ?? 0
+    .bytes_out = to_int(parsed.bytes_out ?? parsed.response_bytes ?? 0) ?? 0
  '''

 [sinks.clickhouse]