kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity

Merge pull request 'dev/ory-hydra2' (#150) from dev/ory-hydra2 into main

Browse Source 
Reviewed-on: ai-team/baron-sso#150
This commit is contained in:
김용연
2026-02-02 09:51:15 +09:00
parent 9e9c622600 f6e05596f2
commit 521e519c4b
16 changed files with 281 additions and 208 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
backend/cmd/server/main.go
View File

@@ -226,7 +226,7 @@ func main() {
auditHandler := handler.NewAuditHandler(auditRepo)
authHandler := handler.NewAuthHandler(redisService, idpProvider, auditRepo)
adminHandler := handler.NewAdminHandler()
devHandler := handler.NewDevHandler()
devHandler := handler.NewDevHandler(redisService)
tenantHandler := handler.NewTenantHandler(db)
kratosAdminService := service.NewKratosAdminService()
oryAdminProvider := service.NewOryProvider()

42
backend/internal/handler/dev_handler.go
View File

@@ -12,11 +12,13 @@ import (
type DevHandler struct {
Hydra *service.HydraAdminService
Redis *service.RedisService
}
func NewDevHandler() *DevHandler {
func NewDevHandler(redis *service.RedisService) *DevHandler {
return &DevHandler{
Hydra: service.NewHydraAdminService(),
Redis: redis,
}
}
@@ -102,7 +104,7 @@ func (h *DevHandler) ListClients(c *fiber.Ctx) error {
items := make([]clientSummary, 0, len(clients))
for _, client := range clients {
items = append(items, mapClientSummary(client))
items = append(items, h.mapClientSummary(client))
}
return c.JSON(clientListResponse{
@@ -126,7 +128,7 @@ func (h *DevHandler) GetClient(c *fiber.Ctx) error {
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
}
summary := mapClientSummary(*client)
summary := h.mapClientSummary(*client)
return c.JSON(clientDetailResponse{
Client: summary,
Endpoints: clientEndpoints{
@@ -165,7 +167,7 @@ func (h *DevHandler) UpdateClientStatus(c *fiber.Ctx) error {
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
}
summary := mapClientSummary(*updated)
summary := h.mapClientSummary(*updated)
return c.JSON(clientDetailResponse{
Client: summary,
Endpoints: clientEndpoints{
@@ -251,9 +253,14 @@ func (h *DevHandler) CreateClient(c *fiber.Ctx) error {
}
created.Metadata["client_secret"] = created.ClientSecret
_, _ = h.Hydra.UpdateClient(c.Context(), created.ClientID, *created)
// Also store in Redis if available
if h.Redis != nil {
_ = h.Redis.Set("client_secret:"+created.ClientID, created.ClientSecret, 0)
}
}
summary := mapClientSummary(*created)
summary := h.mapClientSummary(*created)
return c.Status(fiber.StatusCreated).JSON(clientDetailResponse{
Client: summary,
Endpoints: clientEndpoints{
@@ -341,7 +348,7 @@ func (h *DevHandler) UpdateClient(c *fiber.Ctx) error {
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
}
summary := mapClientSummary(*updatedClient)
summary := h.mapClientSummary(*updatedClient)
return c.JSON(clientDetailResponse{
Client: summary,
Endpoints: clientEndpoints{
@@ -367,6 +374,11 @@ func (h *DevHandler) DeleteClient(c *fiber.Ctx) error {
return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
}
// Clean up Redis
if h.Redis != nil {
_ = h.Redis.Delete("client_secret:" + clientID)
}
return c.SendStatus(fiber.StatusNoContent)
}
@@ -416,7 +428,7 @@ func (h *DevHandler) RevokeConsents(c *fiber.Ctx) error {
return c.SendStatus(fiber.StatusNoContent)
}
func mapClientSummary(client service.HydraClient) clientSummary {
func (h *DevHandler) mapClientSummary(client service.HydraClient) clientSummary {
status := "active"
if client.Metadata != nil {
if value, ok := client.Metadata["status"].(string); ok && strings.ToLower(value) == "inactive" {
@@ -436,6 +448,20 @@ func mapClientSummary(client service.HydraClient) clientSummary {
scopes := strings.Fields(client.Scope)
clientSecret := client.ClientSecret
// 1. Check Metadata (Legacy/Fallback)
if clientSecret == "" && client.Metadata != nil {
if val, ok := client.Metadata["client_secret"].(string); ok {
clientSecret = val
}
}
// 2. Check Redis (New)
if clientSecret == "" && h.Redis != nil {
if val, err := h.Redis.Get("client_secret:" + client.ClientID); err == nil && val != "" {
clientSecret = val
}
}
return clientSummary{
ID: client.ClientID,
Name: name,
@@ -443,7 +469,7 @@ func mapClientSummary(client service.HydraClient) clientSummary {
Status: status,
RedirectURIs: client.RedirectURIs,
Scopes: scopes,
ClientSecret: client.ClientSecret,
ClientSecret: clientSecret,
Metadata: client.Metadata,
}
}

1
compose.ory.yaml
View File

@@ -160,6 +160,7 @@ services:
- "4457:4455" # Proxy
environment:
- APP_ENV=${APP_ENV:-development}
- LOG_LEVEL=debug
volumes:
- ./docker/ory/oathkeeper:/etc/config/oathkeeper
- ./docker/ory/oathkeeper/logs:/var/log/oathkeeper

2
devfront/src/app/routes.tsx
View File

@@ -4,7 +4,6 @@ import ClientConsentsPage from "../features/clients/ClientConsentsPage";
import ClientDetailsPage from "../features/clients/ClientDetailsPage";
import ClientGeneralPage from "../features/clients/ClientGeneralPage";
import ClientsPage from "../features/clients/ClientsPage";
import { ClientFederationPage } from "../features/clients/routes/ClientFederationPage";
export const router = createBrowserRouter(
[
@@ -18,7 +17,6 @@ export const router = createBrowserRouter(
{ path: "clients/:id", element: <ClientDetailsPage /> },
{ path: "clients/:id/consents", element: <ClientConsentsPage /> },
{ path: "clients/:id/settings", element: <ClientGeneralPage /> },
{ path: "clients/:id/federation", element: <ClientFederationPage /> },
],
},
],

6
devfront/src/features/clients/ClientConsentsPage.tsx
View File

@@ -120,12 +120,6 @@ function ClientConsentsPage() {
>
Settings
</Link>
<Link
to={`/clients/${clientId}/federation`}
className="whitespace-nowrap border-b-2 border-transparent text-muted-foreground hover:text-foreground"
>
Federation
</Link>
</div>
</header>

6
devfront/src/features/clients/ClientDetailsPage.tsx
View File

@@ -130,12 +130,6 @@ function ClientDetailsPage() {
>
Settings
</Link>
<Link
to={`/clients/${clientId}/federation`}
className="pb-3 text-sm font-bold text-muted-foreground hover:text-foreground"
>
Federation
</Link>
</div>
</div>

1
devfront/src/features/clients/ClientGeneralPage.tsx
View File

@@ -154,7 +154,6 @@ function ClientGeneralPage() {
<Link to={`/clients/${clientId}`} className="whitespace-nowrap border-b-2 border-transparent text-muted-foreground hover:text-foreground">Connection</Link>
<Link to={`/clients/${clientId}/consents`} className="whitespace-nowrap border-b-2 border-transparent text-muted-foreground hover:text-foreground">Consent &amp; Users</Link>
<span className="whitespace-nowrap border-b-2 border-primary pb-1 text-primary">Settings</span>
<Link to={`/clients/${clientId}/federation`} className="whitespace-nowrap border-b-2 border-transparent text-muted-foreground hover:text-foreground">Federation</Link>
</>
)}
</div>

7
docker-compose.yaml
View File

@@ -31,7 +31,12 @@ services:
ports:
- "${BACKEND_PORT:-3000}:3000"
depends_on:
- infra_check
postgres:
condition: service_healthy
redis:
condition: service_started
clickhouse:
condition: service_started
networks:
- baron_net
- ory-net

7
docker/ory/oathkeeper/entrypoint.sh
View File

@@ -24,7 +24,12 @@ if [ ! -f "$RULES_FILE" ]; then
echo "[oathkeeper] rules file not found: $RULES_FILE"
exit 1
fi
cp "$RULES_FILE" "$RULES_ACTIVE"
# Remove existing active rules file to prevent overwrite issues (File exists/Permission denied)
if [ -f "$RULES_ACTIVE" ]; then
rm -f "$RULES_ACTIVE" || echo "[oathkeeper] Warning: Failed to remove existing rules.active.json"
fi
cp -f "$RULES_FILE" "$RULES_ACTIVE" || echo "[oathkeeper] Warning: Failed to copy rules file. Using existing if present."
LOG_DIR="/var/log/oathkeeper"
LOG_FILE="${LOG_DIR}/access.log"

0
docker/ory/oathkeeper/oathkeeper.yml Normal file → Executable file
View File

100
docker/ory/oathkeeper/rules.active.json Normal file → Executable file
View File

@@ -1,92 +1,114 @@
[
{
"id": "public-health",
"description": "공개 헬스체크",
"description": "공개 헬스체크 (STAGE 도메인)",
"match": {
"url": "http://<.*>/health",
"url": "<.*>://sso-test.hmac.kr/health",
"methods": ["GET"]
},
"upstream": {
"url": "http://baron_backend:3000"
},
"authenticators": [
{ "handler": "noop" }
],
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
},
{
"id": "public-preflight",
"description": "CORS preflight",
"description": "CORS preflight (STAGE 도메인)",
"match": {
"url": "http://<.*>/api/v1/<.*>",
"url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
"methods": ["OPTIONS"]
},
"upstream": {
"url": "http://baron_backend:3000"
},
"authenticators": [
{ "handler": "noop" }
],
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
},
{
"id": "public-auth",
"description": "인증/회원가입 등 공개 엔드포인트",
"description": "인증/회원가입 등 공개 엔드포인트 (STAGE 도메인)",
"match": {
"url": "http://<.*>/api/v1/auth/<.*>",
"url": "<.*>://sso-test.hmac.kr/api/v1/auth/<.*>",
"methods": ["GET", "POST", "OPTIONS"]
},
"upstream": {
"url": "http://baron_backend:3000"
},
"authenticators": [
{ "handler": "noop" }
],
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
},
{
"id": "backend-command",
"description": "Command 요청은 Backend로 전달 (Audit 강제)",
"match": {
"url": "http://<.*>/api/v1/<.*>",
"url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
"methods": ["POST", "PUT", "PATCH", "DELETE"]
},
"upstream": {
"url": "http://baron_backend:3000"
},
"authenticators": [
{ "handler": "cookie_session" }
],
"authenticators": [{ "handler": "cookie_session" }],
"authorizer": { "handler": "remote_json" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
},
{
"id": "backend-query",
"description": "Backend Query (admin/dev 포함)",
"match": {
"url": "http://<.*>/api/v1/<.*>",
"url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
"methods": ["GET"]
},
"upstream": {
"url": "http://baron_backend:3000"
},
"authenticators": [
{ "handler": "cookie_session" }
],
"authenticators": [{ "handler": "cookie_session" }],
"authorizer": { "handler": "remote_json" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
},
{
"id": "hydra-well-known",
"description": "Hydra OIDC Discovery & JWKS",
"match": {
"url": "<.*>://sso-test.hmac.kr/.well-known/<.*>",
"methods": ["GET", "OPTIONS"]
},
"upstream": {
"url": "http://hydra:4444"
},
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [{ "handler": "noop" }]
},
{
"id": "hydra-oauth2",
"description": "Hydra OAuth2 Endpoints",
"match": {
"url": "<.*>://sso-test.hmac.kr/oauth2/<.*>",
"methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"]
},
"upstream": {
"url": "http://hydra:4444"
},
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [{ "handler": "noop" }]
},
{
"id": "hydra-userinfo",
"description": "Hydra Userinfo",
"match": {
"url": "<.*>://sso-test.hmac.kr/userinfo",
"methods": ["GET", "POST", "OPTIONS"]
},
"upstream": {
"url": "http://hydra:4444"
},
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [{ "handler": "noop" }]
}
]
]

48
docker/ory/oathkeeper/rules.draft.json Normal file → Executable file
View File

@@ -9,13 +9,9 @@
"upstream": {
"url": "http://baron_backend:3000"
},
"authenticators": [
{ "handler": "noop" }
],
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
},
{
"id": "public-auth",
@@ -27,13 +23,9 @@
"upstream": {
"url": "http://baron_backend:3000"
},
"authenticators": [
{ "handler": "noop" }
],
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
},
{
"id": "backend-command",
@@ -45,13 +37,9 @@
"upstream": {
"url": "http://baron_backend:3000"
},
"authenticators": [
{ "handler": "cookie_session" }
],
"authenticators": [{ "handler": "cookie_session" }],
"authorizer": { "handler": "remote_json" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
},
{
"id": "backend-query",
@@ -63,13 +51,9 @@
"upstream": {
"url": "http://baron_backend:3000"
},
"authenticators": [
{ "handler": "cookie_session" }
],
"authenticators": [{ "handler": "cookie_session" }],
"authorizer": { "handler": "remote_json" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
},
{
"id": "kratos-public",
@@ -82,13 +66,9 @@
"url": "http://kratos:4433",
"strip_path": "/kratos"
},
"authenticators": [
{ "handler": "noop" }
],
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
},
{
"id": "hydra-public",
@@ -101,12 +81,8 @@
"url": "http://hydra:4444",
"strip_path": "/hydra"
},
"authenticators": [
{ "handler": "noop" }
],
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
}
]

100
docker/ory/oathkeeper/rules.json Normal file → Executable file
View File

@@ -1,92 +1,114 @@
[
{
"id": "public-health",
"description": "공개 헬스체크",
"description": "공개 헬스체크 (STAGE 도메인)",
"match": {
"url": "http://<.*>/health",
"url": "<.*>://sso-test.hmac.kr/health",
"methods": ["GET"]
},
"upstream": {
"url": "http://baron_backend:3000"
},
"authenticators": [
{ "handler": "noop" }
],
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
},
{
"id": "public-preflight",
"description": "CORS preflight",
"description": "CORS preflight (STAGE 도메인)",
"match": {
"url": "http://<.*>/api/v1/<.*>",
"url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
"methods": ["OPTIONS"]
},
"upstream": {
"url": "http://baron_backend:3000"
},
"authenticators": [
{ "handler": "noop" }
],
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
},
{
"id": "public-auth",
"description": "인증/회원가입 등 공개 엔드포인트",
"description": "인증/회원가입 등 공개 엔드포인트 (STAGE 도메인)",
"match": {
"url": "http://<.*>/api/v1/auth/<.*>",
"url": "<.*>://sso-test.hmac.kr/api/v1/auth/<.*>",
"methods": ["GET", "POST", "OPTIONS"]
},
"upstream": {
"url": "http://baron_backend:3000"
},
"authenticators": [
{ "handler": "noop" }
],
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
},
{
"id": "backend-command",
"description": "Command 요청은 Backend로 전달 (Audit 강제)",
"match": {
"url": "http://<.*>/api/v1/<.*>",
"url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
"methods": ["POST", "PUT", "PATCH", "DELETE"]
},
"upstream": {
"url": "http://baron_backend:3000"
},
"authenticators": [
{ "handler": "cookie_session" }
],
"authenticators": [{ "handler": "cookie_session" }],
"authorizer": { "handler": "remote_json" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
},
{
"id": "backend-query",
"description": "Backend Query (admin/dev 포함)",
"match": {
"url": "http://<.*>/api/v1/<.*>",
"url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
"methods": ["GET"]
},
"upstream": {
"url": "http://baron_backend:3000"
},
"authenticators": [
{ "handler": "cookie_session" }
],
"authenticators": [{ "handler": "cookie_session" }],
"authorizer": { "handler": "remote_json" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
},
{
"id": "hydra-well-known",
"description": "Hydra OIDC Discovery & JWKS",
"match": {
"url": "<.*>://sso-test.hmac.kr/.well-known/<.*>",
"methods": ["GET", "OPTIONS"]
},
"upstream": {
"url": "http://hydra:4444"
},
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [{ "handler": "noop" }]
},
{
"id": "hydra-oauth2",
"description": "Hydra OAuth2 Endpoints",
"match": {
"url": "<.*>://sso-test.hmac.kr/oauth2/<.*>",
"methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"]
},
"upstream": {
"url": "http://hydra:4444"
},
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [{ "handler": "noop" }]
},
{
"id": "hydra-userinfo",
"description": "Hydra Userinfo",
"match": {
"url": "<.*>://sso-test.hmac.kr/userinfo",
"methods": ["GET", "POST", "OPTIONS"]
},
"upstream": {
"url": "http://hydra:4444"
},
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [{ "handler": "noop" }]
}
]
]

40
docker/ory/oathkeeper/rules.prod.json Normal file → Executable file
View File

@@ -9,13 +9,9 @@
"upstream": {
"url": "http://baron_backend:3000"
},
"authenticators": [
{ "handler": "noop" }
],
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
},
{
"id": "public-preflight",
@@ -27,13 +23,9 @@
"upstream": {
"url": "http://baron_backend:3000"
},
"authenticators": [
{ "handler": "noop" }
],
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
},
{
"id": "public-auth",
@@ -45,13 +37,9 @@
"upstream": {
"url": "http://baron_backend:3000"
},
"authenticators": [
{ "handler": "noop" }
],
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
},
{
"id": "backend-command",
@@ -63,13 +51,9 @@
"upstream": {
"url": "http://baron_backend:3000"
},
"authenticators": [
{ "handler": "cookie_session" }
],
"authenticators": [{ "handler": "cookie_session" }],
"authorizer": { "handler": "remote_json" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
},
{
"id": "backend-query",
@@ -81,12 +65,8 @@
"upstream": {
"url": "http://baron_backend:3000"
},
"authenticators": [
{ "handler": "cookie_session" }
],
"authenticators": [{ "handler": "cookie_session" }],
"authorizer": { "handler": "remote_json" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
}
]

94
docker/ory/oathkeeper/rules.stage.json Normal file → Executable file
View File

@@ -3,90 +3,112 @@
"id": "public-health",
"description": "공개 헬스체크 (STAGE 도메인)",
"match": {
"url": "https://sso.hmac.kr/health",
"url": "<.*>://sso-test.hmac.kr/health",
"methods": ["GET"]
},
"upstream": {
"url": "http://baron_backend:3000"
},
"authenticators": [
{ "handler": "noop" }
],
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
},
{
"id": "public-preflight",
"description": "CORS preflight (STAGE 도메인)",
"match": {
"url": "https://sso.hmac.kr/api/v1/<.*>",
"url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
"methods": ["OPTIONS"]
},
"upstream": {
"url": "http://baron_backend:3000"
},
"authenticators": [
{ "handler": "noop" }
],
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
},
{
"id": "public-auth",
"description": "인증/회원가입 등 공개 엔드포인트 (STAGE 도메인)",
"match": {
"url": "https://sso.hmac.kr/api/v1/auth/<.*>",
"url": "<.*>://sso-test.hmac.kr/api/v1/auth/<.*>",
"methods": ["GET", "POST", "OPTIONS"]
},
"upstream": {
"url": "http://baron_backend:3000"
},
"authenticators": [
{ "handler": "noop" }
],
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
},
{
"id": "backend-command",
"description": "Command 요청은 Backend로 전달 (Audit 강제)",
"match": {
"url": "https://sso.hmac.kr/api/v1/<.*>",
"url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
"methods": ["POST", "PUT", "PATCH", "DELETE"]
},
"upstream": {
"url": "http://baron_backend:3000"
},
"authenticators": [
{ "handler": "cookie_session" }
],
"authenticators": [{ "handler": "cookie_session" }],
"authorizer": { "handler": "remote_json" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
},
{
"id": "backend-query",
"description": "Backend Query (admin/dev 포함)",
"match": {
"url": "https://sso.hmac.kr/api/v1/<.*>",
"url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
"methods": ["GET"]
},
"upstream": {
"url": "http://baron_backend:3000"
},
"authenticators": [
{ "handler": "cookie_session" }
],
"authenticators": [{ "handler": "cookie_session" }],
"authorizer": { "handler": "remote_json" },
"mutators": [
{ "handler": "noop" }
]
"mutators": [{ "handler": "noop" }]
},
{
"id": "hydra-well-known",
"description": "Hydra OIDC Discovery & JWKS",
"match": {
"url": "<.*>://sso-test.hmac.kr/.well-known/<.*>",
"methods": ["GET", "OPTIONS"]
},
"upstream": {
"url": "http://hydra:4444"
},
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [{ "handler": "noop" }]
},
{
"id": "hydra-oauth2",
"description": "Hydra OAuth2 Endpoints",
"match": {
"url": "<.*>://sso-test.hmac.kr/oauth2/<.*>",
"methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"]
},
"upstream": {
"url": "http://hydra:4444"
},
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [{ "handler": "noop" }]
},
{
"id": "hydra-userinfo",
"description": "Hydra Userinfo",
"match": {
"url": "<.*>://sso-test.hmac.kr/userinfo",
"methods": ["GET", "POST", "OPTIONS"]
},
"upstream": {
"url": "http://hydra:4444"
},
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [{ "handler": "noop" }]
}
]
]

33
userfront/nginx.conf
View File

@@ -26,10 +26,39 @@ server {
error_log /dev/stderr warn;
access_log /var/log/nginx/access.log json_combined;
# --- UserFront 정적 파일 ---
# --- Backend API Proxy ---
location /api {
proxy_pass http://baron_backend:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# --- Ory Stack Proxy (via Oathkeeper) ---
# Kratos Public API
location /auth {
proxy_pass http://oathkeeper:4455;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Hydra Public API (Rewrite /oidc/... to /...)
location /oidc {
rewrite ^/oidc/(.*)$ /$1 break;
proxy_pass http://oathkeeper:4455;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# --- UserFront Static Files ---
location / {
root /usr/share/nginx/html;
index index.html;
try_files $uri $uri/ /index.html;
}
}
}