userfront 연동이력 맞춤

2026-02-03 13:37:24 +09:00
parent e20b61189c
commit 4f3d0759c3
24 changed files with 4092 additions and 175 deletions
--- a/docker/ory/oathkeeper/oathkeeper.yml
+++ b/docker/ory/oathkeeper/oathkeeper.yml
@@ -26,6 +26,23 @@ authenticators:
      preserve_path: true
      extra_from: "@this"
      subject_from: "identity.id"
+  oauth2_introspection:
+    enabled: true
+    config:
+      introspection_url: http://hydra:4444/oauth2/introspect
+      pre_authorization:
+        enabled: true
+        client_id: ${OATHKEEPER_INTROSPECT_CLIENT_ID:-oathkeeper-introspect}
+        client_secret: ${OATHKEEPER_INTROSPECT_CLIENT_SECRET:-oathkeeper-secret}
+        token_url: http://hydra:4444/oauth2/token
+  jwt:
+    enabled: true
+    config:
+      jwks_urls:
+        - http://hydra:4444/.well-known/jwks.json
+      trusted_issuers:
+        - http://hydra:4444/
+      scope_strategy: none

 authorizers:
  allow:
--- a/docker/ory/oathkeeper/rules.draft.json
+++ b/docker/ory/oathkeeper/rules.draft.json
@@ -86,30 +86,20 @@
    "mutators": [{ "handler": "noop" }]
  },
  {
-    "id": "rp-template-browser",
-    "description": "RP proxy (browser session). TODO: match.url/upstream.url을 실제 RP로 좁혀야 함.",
+    "id": "rp-host-template",
+    "description": "RP 호스트 기반 템플릿. redirect_uri의 host를 기준으로 매칭합니다.",
    "match": {
-      "url": "http://<.*>/rp/<.*>",
+      "url": "<.*>://rp.example.com/<.*>",
      "methods": ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"]
    },
    "upstream": {
      "url": "http://rp_upstream:8080"
    },
-    "authenticators": [{ "handler": "cookie_session" }],
-    "authorizer": { "handler": "allow" },
-    "mutators": [{ "handler": "noop" }]
-  },
-  {
-    "id": "rp-template-bearer",
-    "description": "RP proxy (bearer). TODO: oauth2_introspection 또는 jwt 활성화 필요.",
-    "match": {
-      "url": "http://<.*>/rp-api/<.*>",
-      "methods": ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"]
-    },
-    "upstream": {
-      "url": "http://rp_upstream:8080"
-    },
-    "authenticators": [{ "handler": "oauth2_introspection" }],
+    "authenticators": [
+      { "handler": "cookie_session" },
+      { "handler": "oauth2_introspection" },
+      { "handler": "jwt" }
+    ],
    "authorizer": { "handler": "allow" },
    "mutators": [{ "handler": "noop" }]
  }
--- a/docker/ory/vector/vector.toml
+++ b/docker/ory/vector/vector.toml
@@ -46,7 +46,10 @@
    .action = parsed.action ?? ""
    .target = parsed.target ?? ""
    .rule_id = parsed.rule_id ?? get(parsed, ["rule", "id"]) ?? ""
-    .client_id = parsed.client_id ?? get(parsed, ["client", "id"]) ?? ""
+    parsed_url = {}
+    if request_url != "" { parsed_url = parse_url(request_url) ?? {} }
+    query_params = get(parsed_url, ["query"]) ?? {}
+    .client_id = parsed.client_id ?? get(parsed, ["client", "id"]) ?? get(query_params, ["client_id"]) ?? get(query_params, ["clientId"]) ?? ""
    .parent_session_id = parsed.parent_session_id ?? get(parsed, ["extra", "parent_session_id"]) ?? ""
    .host = parsed.host ?? request_host ?? ""
    .scheme = parsed.scheme ?? request_scheme ?? ""