Merge commit 'e345570210aa0fc8acdb9cf042561f35f00812f0'

2026-02-02 17:12:45 +09:00
parent 12ae5929e3 e345570210
commit 6dbdd5d483
31 changed files with 1239 additions and 160 deletions
--- a/docker/ory/kratos/kratos.yml
+++ b/docker/ory/kratos/kratos.yml
@@ -11,9 +11,8 @@ serve:
        base_url: http://localhost:4434/

 selfservice:
-    default_browser_return_url: http://localhost:4455/
+    default_browser_return_url: http://localhost:5000/
    allowed_return_urls:
-        - http://localhost:4455
        - http://localhost:5000
        - https://sss.hmac.kr
        - https://sss.hmac.kr/
@@ -33,24 +32,24 @@ selfservice:

    flows:
        error:
-            ui_url: http://localhost:4455/error
+            ui_url: http://localhost:5000/error
        settings:
-            ui_url: http://localhost:4455/settings
+            ui_url: http://localhost:5000/error?error=settings_disabled
            privileged_session_max_age: 15m
        recovery:
-            ui_url: http://localhost:4455/recovery
+            ui_url: http://localhost:5000/recovery
            use: code
        verification:
-            ui_url: http://localhost:4455/verification
+            ui_url: http://localhost:5000/verification
            use: code
        logout:
            after:
-                default_browser_return_url: http://localhost:4455/login
+                default_browser_return_url: http://localhost:5000/login
        login:
-            ui_url: http://localhost:4455/login
+            ui_url: http://localhost:5000/login
            lifespan: 10m
        registration:
-            ui_url: http://localhost:4455/registration
+            ui_url: http://localhost:5000/registration
            lifespan: 10m

 log:
--- a/docker/ory/oathkeeper/rules.active.json
+++ b/docker/ory/oathkeeper/rules.active.json
@@ -83,6 +83,21 @@
    "authorizer": { "handler": "allow" },
    "mutators": [{ "handler": "noop" }]
  },
+  {
+    "id": "hydra-well-known-oidc",
+    "description": "Hydra OIDC Discovery & JWKS (with /oidc prefix)",
+    "match": {
+      "url": "<.*>://<.*>/oidc/.well-known/<.*>",
+      "methods": ["GET", "OPTIONS"]
+    },
+    "upstream": {
+      "url": "http://hydra:4444",
+      "strip_path_prefix": "/oidc"
+    },
+    "authenticators": [{ "handler": "noop" }],
+    "authorizer": { "handler": "allow" },
+    "mutators": [{ "handler": "noop" }]
+  },
  {
    "id": "hydra-oauth2",
    "description": "Hydra OAuth2 Endpoints",
@@ -97,6 +112,21 @@
    "authorizer": { "handler": "allow" },
    "mutators": [{ "handler": "noop" }]
  },
+  {
+    "id": "hydra-oauth2-oidc",
+    "description": "Hydra OAuth2 Endpoints (with /oidc prefix)",
+    "match": {
+      "url": "<.*>://<.*>/oidc/oauth2/<.*>",
+      "methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"]
+    },
+    "upstream": {
+      "url": "http://hydra:4444",
+      "strip_path_prefix": "/oidc"
+    },
+    "authenticators": [{ "handler": "noop" }],
+    "authorizer": { "handler": "allow" },
+    "mutators": [{ "handler": "noop" }]
+  },
  {
    "id": "hydra-userinfo",
    "description": "Hydra Userinfo",
@@ -110,5 +140,20 @@
    "authenticators": [{ "handler": "noop" }],
    "authorizer": { "handler": "allow" },
    "mutators": [{ "handler": "noop" }]
+  },
+  {
+    "id": "hydra-userinfo-oidc",
+    "description": "Hydra Userinfo (with /oidc prefix)",
+    "match": {
+      "url": "<.*>://<.*>/oidc/userinfo",
+      "methods": ["GET", "POST", "OPTIONS"]
+    },
+    "upstream": {
+      "url": "http://hydra:4444",
+      "strip_path_prefix": "/oidc"
+    },
+    "authenticators": [{ "handler": "noop" }],
+    "authorizer": { "handler": "allow" },
+    "mutators": [{ "handler": "noop" }]
  }
 ]
--- a/docker/ory/oathkeeper/rules.json
+++ b/docker/ory/oathkeeper/rules.json
@@ -83,6 +83,21 @@
    "authorizer": { "handler": "allow" },
    "mutators": [{ "handler": "noop" }]
  },
+  {
+    "id": "hydra-well-known-oidc",
+    "description": "Hydra OIDC Discovery & JWKS (with /oidc prefix)",
+    "match": {
+      "url": "<.*>://<.*>/oidc/.well-known/<.*>",
+      "methods": ["GET", "OPTIONS"]
+    },
+    "upstream": {
+      "url": "http://hydra:4444",
+      "strip_path_prefix": "/oidc"
+    },
+    "authenticators": [{ "handler": "noop" }],
+    "authorizer": { "handler": "allow" },
+    "mutators": [{ "handler": "noop" }]
+  },
  {
    "id": "hydra-oauth2",
    "description": "Hydra OAuth2 Endpoints",
@@ -97,6 +112,21 @@
    "authorizer": { "handler": "allow" },
    "mutators": [{ "handler": "noop" }]
  },
+  {
+    "id": "hydra-oauth2-oidc",
+    "description": "Hydra OAuth2 Endpoints (with /oidc prefix)",
+    "match": {
+      "url": "<.*>://<.*>/oidc/oauth2/<.*>",
+      "methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"]
+    },
+    "upstream": {
+      "url": "http://hydra:4444",
+      "strip_path_prefix": "/oidc"
+    },
+    "authenticators": [{ "handler": "noop" }],
+    "authorizer": { "handler": "allow" },
+    "mutators": [{ "handler": "noop" }]
+  },
  {
    "id": "hydra-userinfo",
    "description": "Hydra Userinfo",
@@ -110,5 +140,20 @@
    "authenticators": [{ "handler": "noop" }],
    "authorizer": { "handler": "allow" },
    "mutators": [{ "handler": "noop" }]
+  },
+  {
+    "id": "hydra-userinfo-oidc",
+    "description": "Hydra Userinfo (with /oidc prefix)",
+    "match": {
+      "url": "<.*>://<.*>/oidc/userinfo",
+      "methods": ["GET", "POST", "OPTIONS"]
+    },
+    "upstream": {
+      "url": "http://hydra:4444",
+      "strip_path_prefix": "/oidc"
+    },
+    "authenticators": [{ "handler": "noop" }],
+    "authorizer": { "handler": "allow" },
+    "mutators": [{ "handler": "noop" }]
  }
 ]
--- a/docker/ory/oathkeeper/rules.stage.json
+++ b/docker/ory/oathkeeper/rules.stage.json
@@ -1,9 +1,9 @@
 [
  {
    "id": "public-health",
-    "description": "공개 헬스체크 (STAGE 도메인)",
+    "description": "공개 헬스체크",
    "match": {
-      "url": "<.*>://sso-test.hmac.kr/health",
+      "url": "<.*>://<.*>/health",
      "methods": ["GET"]
    },
    "upstream": {
@@ -15,9 +15,9 @@
  },
  {
    "id": "public-preflight",
-    "description": "CORS preflight (STAGE 도메인)",
+    "description": "CORS preflight",
    "match": {
-      "url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
+      "url": "<.*>://<.*>/api/v1/<.*>",
      "methods": ["OPTIONS"]
    },
    "upstream": {
@@ -29,9 +29,9 @@
  },
  {
    "id": "public-auth",
-    "description": "인증/회원가입 등 공개 엔드포인트 (STAGE 도메인)",
+    "description": "인증/회원가입 등 공개 엔드포인트",
    "match": {
-      "url": "<.*>://sso-test.hmac.kr/api/v1/auth/<.*>",
+      "url": "<.*>://<.*>/api/v1/auth/<.*>",
      "methods": ["GET", "POST", "OPTIONS"]
    },
    "upstream": {
@@ -45,7 +45,7 @@
    "id": "backend-command",
    "description": "Command 요청은 Backend로 전달 (Audit 강제)",
    "match": {
-      "url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
+      "url": "<.*>://<.*>/api/v1/<.*>",
      "methods": ["POST", "PUT", "PATCH", "DELETE"]
    },
    "upstream": {
@@ -59,7 +59,7 @@
    "id": "backend-query",
    "description": "Backend Query (admin/dev 포함)",
    "match": {
-      "url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
+      "url": "<.*>://<.*>/api/v1/<.*>",
      "methods": ["GET"]
    },
    "upstream": {
@@ -73,7 +73,7 @@
    "id": "hydra-well-known",
    "description": "Hydra OIDC Discovery & JWKS",
    "match": {
-      "url": "<.*>://sso-test.hmac.kr/.well-known/<.*>",
+      "url": "<.*>://<.*>/.well-known/<.*>",
      "methods": ["GET", "OPTIONS"]
    },
    "upstream": {
@@ -83,11 +83,26 @@
    "authorizer": { "handler": "allow" },
    "mutators": [{ "handler": "noop" }]
  },
+  {
+    "id": "hydra-well-known-oidc",
+    "description": "Hydra OIDC Discovery & JWKS (with /oidc prefix)",
+    "match": {
+      "url": "<.*>://<.*>/oidc/.well-known/<.*>",
+      "methods": ["GET", "OPTIONS"]
+    },
+    "upstream": {
+      "url": "http://hydra:4444",
+      "strip_path_prefix": "/oidc"
+    },
+    "authenticators": [{ "handler": "noop" }],
+    "authorizer": { "handler": "allow" },
+    "mutators": [{ "handler": "noop" }]
+  },
  {
    "id": "hydra-oauth2",
    "description": "Hydra OAuth2 Endpoints",
    "match": {
-      "url": "<.*>://sso-test.hmac.kr/oauth2/<.*>",
+      "url": "<.*>://<.*>/oauth2/<.*>",
      "methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"]
    },
    "upstream": {
@@ -97,11 +112,26 @@
    "authorizer": { "handler": "allow" },
    "mutators": [{ "handler": "noop" }]
  },
+  {
+    "id": "hydra-oauth2-oidc",
+    "description": "Hydra OAuth2 Endpoints (with /oidc prefix)",
+    "match": {
+      "url": "<.*>://<.*>/oidc/oauth2/<.*>",
+      "methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"]
+    },
+    "upstream": {
+      "url": "http://hydra:4444",
+      "strip_path_prefix": "/oidc"
+    },
+    "authenticators": [{ "handler": "noop" }],
+    "authorizer": { "handler": "allow" },
+    "mutators": [{ "handler": "noop" }]
+  },
  {
    "id": "hydra-userinfo",
    "description": "Hydra Userinfo",
    "match": {
-      "url": "<.*>://sso-test.hmac.kr/userinfo",
+      "url": "<.*>://<.*>/userinfo",
      "methods": ["GET", "POST", "OPTIONS"]
    },
    "upstream": {
@@ -110,5 +140,20 @@
    "authenticators": [{ "handler": "noop" }],
    "authorizer": { "handler": "allow" },
    "mutators": [{ "handler": "noop" }]
+  },
+  {
+    "id": "hydra-userinfo-oidc",
+    "description": "Hydra Userinfo (with /oidc prefix)",
+    "match": {
+      "url": "<.*>://<.*>/oidc/userinfo",
+      "methods": ["GET", "POST", "OPTIONS"]
+    },
+    "upstream": {
+      "url": "http://hydra:4444",
+      "strip_path_prefix": "/oidc"
+    },
+    "authenticators": [{ "handler": "noop" }],
+    "authorizer": { "handler": "allow" },
+    "mutators": [{ "handler": "noop" }]
  }
 ]