kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity

위키 업데이트 및 docs 최신화

Browse Source
This commit is contained in:
Lectom C Han
2026-02-05 14:48:37 +09:00
parent 044f5cf122
commit a4e5ee78d1
4 changed files with 237 additions and 316 deletions
Download Patch File Download Diff File Expand all files Collapse all files

476
compose.ory.yaml
View File

@@ -1,257 +1,255 @@
services:
postgres_ory:
image: postgres:${ORY_POSTGRES_TAG:-17-alpine}
container_name: ory_postgres
environment:
- POSTGRES_USER=${ORY_POSTGRES_USER:-ory}
- POSTGRES_PASSWORD=${ORY_POSTGRES_PASSWORD:-secret}
- POSTGRES_DB=${ORY_POSTGRES_DB:-ory}
volumes:
- ./docker/ory/init-db:/docker-entrypoint-initdb.d
- ory_postgres_data:/var/lib/postgresql/data
networks:
- ory-net
healthcheck:
test:
[
"CMD-SHELL",
"pg_isready -U ${ORY_POSTGRES_USER:-ory} -d ${KRATOS_DB:-ory_kratos}",
]
interval: 5s
timeout: 5s
retries: 5
postgres_ory:
image: postgres:${ORY_POSTGRES_TAG:-17-alpine}
container_name: ory_postgres
environment:
- POSTGRES_USER=${ORY_POSTGRES_USER:-ory}
- POSTGRES_PASSWORD=${ORY_POSTGRES_PASSWORD:-secret}
- POSTGRES_DB=${ORY_POSTGRES_DB:-ory}
volumes:
- ./docker/ory/init-db:/docker-entrypoint-initdb.d
- ory_postgres_data:/var/lib/postgresql/data
networks:
- ory-net
healthcheck:
test:
[
"CMD-SHELL",
"pg_isready -U ${ORY_POSTGRES_USER:-ory} -d ${KRATOS_DB:-ory_kratos}",
]
interval: 5s
timeout: 5s
retries: 5
# --- Kratos ---
kratos-migrate:
image: oryd/kratos:${KRATOS_VERSION:-v25.4.0}
environment:
- DSN=postgres://${ORY_POSTGRES_USER}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${KRATOS_DB:-ory_kratos}?sslmode=disable&max_conns=20
- KRATOS_SERVE_PUBLIC_BASE_URL=${KRATOS_BROWSER_URL:-http://localhost:4433}
- KRATOS_SERVE_ADMIN_BASE_URL=${KRATOS_ADMIN_URL:-http://kratos:4434}
- KRATOS_SELFSERVICE_DEFAULT_BROWSER_RETURN_URL=${KRATOS_UI_URL:-http://localhost:5000}
- KRATOS_SELFSERVICE_ALLOWED_RETURN_URLS=["${KRATOS_UI_URL:-http://localhost:5000}","${USERFRONT_URL:-http://localhost:5000}"]
- KRATOS_SELFSERVICE_FLOWS_ERROR_UI_URL=${KRATOS_UI_URL:-http://localhost:5000}/error
- KRATOS_SELFSERVICE_FLOWS_SETTINGS_UI_URL=${KRATOS_UI_URL:-http://localhost:5000}/error?error=settings_disabled
- KRATOS_SELFSERVICE_FLOWS_RECOVERY_UI_URL=${KRATOS_UI_URL:-http://localhost:5000}/recovery
- KRATOS_SELFSERVICE_FLOWS_VERIFICATION_UI_URL=${KRATOS_UI_URL:-http://localhost:5000}/verification
- KRATOS_SELFSERVICE_FLOWS_LOGIN_UI_URL=${KRATOS_UI_URL:-http://localhost:5000}/login
- KRATOS_SELFSERVICE_FLOWS_REGISTRATION_UI_URL=${KRATOS_UI_URL:-http://localhost:5000}/registration
- KRATOS_SELFSERVICE_FLOWS_LOGOUT_AFTER_DEFAULT_BROWSER_RETURN_URL=${KRATOS_UI_URL:-http://localhost:5000}/login
volumes:
- ./docker/ory/kratos:/etc/config/kratos
command: -c /etc/config/kratos/kratos.yml migrate sql -e --yes
depends_on:
postgres_ory:
condition: service_healthy
networks:
- ory-net
# --- Kratos ---
kratos-migrate:
image: oryd/kratos:${KRATOS_VERSION:-v25.4.0}
environment:
- DSN=postgres://${ORY_POSTGRES_USER}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${KRATOS_DB:-ory_kratos}?sslmode=disable&max_conns=20
- KRATOS_SERVE_PUBLIC_BASE_URL=${KRATOS_BROWSER_URL:-http://localhost:4433}
- KRATOS_SERVE_ADMIN_BASE_URL=${KRATOS_ADMIN_URL:-http://kratos:4434}
- KRATOS_SELFSERVICE_DEFAULT_BROWSER_RETURN_URL=${KRATOS_UI_URL:-http://localhost:5000}
- KRATOS_SELFSERVICE_ALLOWED_RETURN_URLS=["${KRATOS_UI_URL:-http://localhost:5000}","${USERFRONT_URL:-http://localhost:5000}"]
- KRATOS_SELFSERVICE_FLOWS_ERROR_UI_URL=${KRATOS_UI_URL:-http://localhost:5000}/error
- KRATOS_SELFSERVICE_FLOWS_SETTINGS_UI_URL=${KRATOS_UI_URL:-http://localhost:5000}/error?error=settings_disabled
- KRATOS_SELFSERVICE_FLOWS_RECOVERY_UI_URL=${KRATOS_UI_URL:-http://localhost:5000}/recovery
- KRATOS_SELFSERVICE_FLOWS_VERIFICATION_UI_URL=${KRATOS_UI_URL:-http://localhost:5000}/verification
- KRATOS_SELFSERVICE_FLOWS_LOGIN_UI_URL=${KRATOS_UI_URL:-http://localhost:5000}/login
- KRATOS_SELFSERVICE_FLOWS_REGISTRATION_UI_URL=${KRATOS_UI_URL:-http://localhost:5000}/registration
- KRATOS_SELFSERVICE_FLOWS_LOGOUT_AFTER_DEFAULT_BROWSER_RETURN_URL=${KRATOS_UI_URL:-http://localhost:5000}/login
volumes:
- ./docker/ory/kratos:/etc/config/kratos
command: -c /etc/config/kratos/kratos.yml migrate sql -e --yes
depends_on:
postgres_ory:
condition: service_healthy
networks:
- ory-net
kratos:
image: oryd/kratos:${KRATOS_VERSION:-v25.4.0}
container_name: ory_kratos
ports:
- "${KRATOS_PUBLIC_PORT:-4433}:4433"
environment:
- DSN=postgres://${ORY_POSTGRES_USER}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${KRATOS_DB:-ory_kratos}?sslmode=disable&max_conns=20
- COOKIE_SECRET=${COOKIE_SECRET:-localcookie123}
- KRATOS_SERVE_PUBLIC_BASE_URL=${KRATOS_BROWSER_URL:-http://localhost:4433}
- KRATOS_SERVE_ADMIN_BASE_URL=${KRATOS_ADMIN_URL:-http://kratos:4434}
- KRATOS_SELFSERVICE_DEFAULT_BROWSER_RETURN_URL=${KRATOS_UI_URL:-http://localhost:5000}
- KRATOS_SELFSERVICE_ALLOWED_RETURN_URLS=["${KRATOS_UI_URL:-http://localhost:5000}","${USERFRONT_URL:-http://localhost:5000}"]
- KRATOS_SELFSERVICE_FLOWS_ERROR_UI_URL=${KRATOS_UI_URL:-http://localhost:5000}/error
- KRATOS_SELFSERVICE_FLOWS_SETTINGS_UI_URL=${KRATOS_UI_URL:-http://localhost:5000}/error?error=settings_disabled
- KRATOS_SELFSERVICE_FLOWS_RECOVERY_UI_URL=${KRATOS_UI_URL:-http://localhost:5000}/recovery
- KRATOS_SELFSERVICE_FLOWS_VERIFICATION_UI_URL=${KRATOS_UI_URL:-http://localhost:5000}/verification
- KRATOS_SELFSERVICE_FLOWS_LOGIN_UI_URL=${KRATOS_UI_URL:-http://localhost:5000}/login
- KRATOS_SELFSERVICE_FLOWS_REGISTRATION_UI_URL=${KRATOS_UI_URL:-http://localhost:5000}/registration
- KRATOS_SELFSERVICE_FLOWS_LOGOUT_AFTER_DEFAULT_BROWSER_RETURN_URL=${KRATOS_UI_URL:-http://localhost:5000}/login
volumes:
- ./docker/ory/kratos:/etc/config/kratos
command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier
depends_on:
kratos-migrate:
condition: service_completed_successfully
networks:
- ory-net
- kratosnet
kratos:
image: oryd/kratos:${KRATOS_VERSION:-v25.4.0}
container_name: ory_kratos
environment:
- DSN=postgres://${ORY_POSTGRES_USER}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${KRATOS_DB:-ory_kratos}?sslmode=disable&max_conns=20
- COOKIE_SECRET=${COOKIE_SECRET:-localcookie123}
- KRATOS_SERVE_PUBLIC_BASE_URL=${KRATOS_BROWSER_URL:-http://localhost:4433}
- KRATOS_SERVE_ADMIN_BASE_URL=${KRATOS_ADMIN_URL:-http://kratos:4434}
- KRATOS_SELFSERVICE_DEFAULT_BROWSER_RETURN_URL=${KRATOS_UI_URL:-http://localhost:5000}
- KRATOS_SELFSERVICE_ALLOWED_RETURN_URLS=["${KRATOS_UI_URL:-http://localhost:5000}","${USERFRONT_URL:-http://localhost:5000}"]
- KRATOS_SELFSERVICE_FLOWS_ERROR_UI_URL=${KRATOS_UI_URL:-http://localhost:5000}/error
- KRATOS_SELFSERVICE_FLOWS_SETTINGS_UI_URL=${KRATOS_UI_URL:-http://localhost:5000}/error?error=settings_disabled
- KRATOS_SELFSERVICE_FLOWS_RECOVERY_UI_URL=${KRATOS_UI_URL:-http://localhost:5000}/recovery
- KRATOS_SELFSERVICE_FLOWS_VERIFICATION_UI_URL=${KRATOS_UI_URL:-http://localhost:5000}/verification
- KRATOS_SELFSERVICE_FLOWS_LOGIN_UI_URL=${KRATOS_UI_URL:-http://localhost:5000}/login
- KRATOS_SELFSERVICE_FLOWS_REGISTRATION_UI_URL=${KRATOS_UI_URL:-http://localhost:5000}/registration
- KRATOS_SELFSERVICE_FLOWS_LOGOUT_AFTER_DEFAULT_BROWSER_RETURN_URL=${KRATOS_UI_URL:-http://localhost:5000}/login
volumes:
- ./docker/ory/kratos:/etc/config/kratos
command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier
depends_on:
kratos-migrate:
condition: service_completed_successfully
networks:
- ory-net
- kratosnet
# --- Hydra ---
hydra-migrate:
image: oryd/hydra:${HYDRA_VERSION:-v25.4.0}
environment:
- DSN=postgres://${ORY_POSTGRES_USER}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${HYDRA_DB:-ory_hydra}?sslmode=disable&max_conns=20
command: migrate sql up -e --yes
depends_on:
postgres_ory:
condition: service_healthy
networks:
- ory-net
# --- Hydra ---
hydra-migrate:
image: oryd/hydra:${HYDRA_VERSION:-v25.4.0}
environment:
- DSN=postgres://${ORY_POSTGRES_USER}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${HYDRA_DB:-ory_hydra}?sslmode=disable&max_conns=20
command: migrate sql up -e --yes
depends_on:
postgres_ory:
condition: service_healthy
networks:
- ory-net
hydra:
image: oryd/hydra:${HYDRA_VERSION:-v25.4.0}
container_name: ory_hydra
environment:
- DSN=postgres://${ORY_POSTGRES_USER}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${HYDRA_DB:-ory_hydra}?sslmode=disable&max_conns=20
- URLS_SELF_ISSUER=${USERFRONT_URL:-http://localhost:5000}/oidc
- URLS_LOGIN=${USERFRONT_URL:-http://localhost:5000}/login
- URLS_CONSENT=${USERFRONT_URL:-http://localhost:5000}/consent
- SECRETS_SYSTEM=${ORY_POSTGRES_PASSWORD}
volumes:
- ./docker/ory/hydra:/etc/config/hydra
command: serve -c /etc/config/hydra/hydra.yml all --dev
depends_on:
hydra-migrate:
condition: service_completed_successfully
networks:
- ory-net
- hydranet
hydra:
image: oryd/hydra:${HYDRA_VERSION:-v25.4.0}
container_name: ory_hydra
environment:
- DSN=postgres://${ORY_POSTGRES_USER}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${HYDRA_DB:-ory_hydra}?sslmode=disable&max_conns=20
- URLS_SELF_ISSUER=${USERFRONT_URL:-http://localhost:5000}/oidc
- URLS_LOGIN=${USERFRONT_URL:-http://localhost:5000}/login
- URLS_CONSENT=${USERFRONT_URL:-http://localhost:5000}/consent
- SECRETS_SYSTEM=${ORY_POSTGRES_PASSWORD}
volumes:
- ./docker/ory/hydra:/etc/config/hydra
command: serve -c /etc/config/hydra/hydra.yml all --dev
depends_on:
hydra-migrate:
condition: service_completed_successfully
networks:
- ory-net
- hydranet
# --- Keto ---
keto-migrate:
image: oryd/keto:${KETO_VERSION:-v25.4.0}
environment:
- DSN=postgres://${ORY_POSTGRES_USER}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${KETO_DB:-ory_keto}?sslmode=disable&max_conns=20
volumes:
- ./docker/ory/keto:/etc/config/keto
command: ["migrate", "up", "-c", "/etc/config/keto/keto.yml", "--yes"]
depends_on:
postgres_ory:
condition: service_healthy
networks:
- ory-net
# --- Keto ---
keto-migrate:
image: oryd/keto:${KETO_VERSION:-v25.4.0}
environment:
- DSN=postgres://${ORY_POSTGRES_USER}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${KETO_DB:-ory_keto}?sslmode=disable&max_conns=20
volumes:
- ./docker/ory/keto:/etc/config/keto
command: ["migrate", "up", "-c", "/etc/config/keto/keto.yml", "--yes"]
depends_on:
postgres_ory:
condition: service_healthy
networks:
- ory-net
keto:
image: oryd/keto:${KETO_VERSION:-v25.4.0}
container_name: ory_keto
environment:
- DSN=postgres://${ORY_POSTGRES_USER}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${KETO_DB:-ory_keto}?sslmode=disable&max_conns=20
volumes:
- ./docker/ory/keto:/etc/config/keto
command: serve -c /etc/config/keto/keto.yml
depends_on:
keto-migrate:
condition: service_completed_successfully
networks:
- ory-net
keto:
image: oryd/keto:${KETO_VERSION:-v25.4.0}
container_name: ory_keto
environment:
- DSN=postgres://${ORY_POSTGRES_USER}:${ORY_POSTGRES_PASSWORD}@postgres_ory:5432/${KETO_DB:-ory_keto}?sslmode=disable&max_conns=20
volumes:
- ./docker/ory/keto:/etc/config/keto
command: serve -c /etc/config/keto/keto.yml
depends_on:
keto-migrate:
condition: service_completed_successfully
networks:
- ory-net
# --- Oathkeeper ---
oathkeeper:
image: oryd/oathkeeper:${OATHKEEPER_VERSION:-v25.4.0}
container_name: ory_oathkeeper
user: "${OATHKEEPER_UID:-1001}:${OATHKEEPER_GID:-1001}"
ports:
- "4457:4455" # Proxy
environment:
- APP_ENV=${APP_ENV:-development}
- LOG_LEVEL=debug
- OATHKEEPER_INTROSPECT_CLIENT_ID=${OATHKEEPER_INTROSPECT_CLIENT_ID:-oathkeeper-introspect}
- OATHKEEPER_INTROSPECT_CLIENT_SECRET=${OATHKEEPER_INTROSPECT_CLIENT_SECRET:-oathkeeper-secret}
volumes:
- ./docker/ory/oathkeeper:/etc/config/oathkeeper
- ./docker/ory/oathkeeper/logs:/var/log/oathkeeper
entrypoint: ["/etc/config/oathkeeper/entrypoint.sh"]
networks:
- ory-net
- public_net
# --- Oathkeeper ---
oathkeeper:
image: oryd/oathkeeper:${OATHKEEPER_VERSION:-v25.4.0}
container_name: ory_oathkeeper
user: "${OATHKEEPER_UID:-1001}:${OATHKEEPER_GID:-1001}"
ports:
- "4457:4455" # Proxy
environment:
- APP_ENV=${APP_ENV:-development}
- LOG_LEVEL=debug
- OATHKEEPER_INTROSPECT_CLIENT_ID=${OATHKEEPER_INTROSPECT_CLIENT_ID:-oathkeeper-introspect}
- OATHKEEPER_INTROSPECT_CLIENT_SECRET=${OATHKEEPER_INTROSPECT_CLIENT_SECRET:-oathkeeper-secret}
volumes:
- ./docker/ory/oathkeeper:/etc/config/oathkeeper
- ./docker/ory/oathkeeper/logs:/var/log/oathkeeper
entrypoint: ["/etc/config/oathkeeper/entrypoint.sh"]
networks:
- ory-net
- public_net
ory_clickhouse:
image: clickhouse/clickhouse-server:latest
container_name: ory_clickhouse
environment:
- CLICKHOUSE_USER=${ORY_CLICKHOUSE_USER:-ory}
- CLICKHOUSE_PASSWORD=${ORY_CLICKHOUSE_PASSWORD:-orypass}
volumes:
- ory_clickhouse_data:/var/lib/clickhouse
- ./docker/ory/clickhouse:/docker-entrypoint-initdb.d
networks:
- ory-net
ory_clickhouse:
image: clickhouse/clickhouse-server:latest
container_name: ory_clickhouse
environment:
- CLICKHOUSE_USER=${ORY_CLICKHOUSE_USER:-ory}
- CLICKHOUSE_PASSWORD=${ORY_CLICKHOUSE_PASSWORD:-orypass}
volumes:
- ory_clickhouse_data:/var/lib/clickhouse
- ./docker/ory/clickhouse:/docker-entrypoint-initdb.d
networks:
- ory-net
ory_vector:
image: timberio/vector:0.36.0-alpine
container_name: ory_vector
volumes:
- ./docker/ory/vector:/etc/vector
- ./docker/ory/oathkeeper/logs:/var/log/oathkeeper
command: ["-c", "/etc/vector/vector.toml"]
depends_on:
- oathkeeper
- ory_clickhouse
networks:
- ory-net
ory_vector:
image: timberio/vector:0.36.0-alpine
container_name: ory_vector
volumes:
- ./docker/ory/vector:/etc/vector
- ./docker/ory/oathkeeper/logs:/var/log/oathkeeper
command: ["-c", "/etc/vector/vector.toml"]
depends_on:
- oathkeeper
- ory_clickhouse
networks:
- ory-net
# --- 초기화 & 헬스체크 ---
ory_stack_check:
image: alpine:latest
container_name: ory_stack_check
command: >
/bin/sh -c "
apk add --no-cache curl;
echo 'Wait for services...';
until curl -s http://kratos:4433/health/ready; do sleep 1; done;
until curl -s http://hydra:4444/health/ready; do sleep 1; done;
until curl -s http://keto:4466/health/ready; do sleep 1; done;
echo 'Ory Stack is fully operational!';"
depends_on:
- kratos
- hydra
- keto
networks:
- ory-net
# --- 초기화 & 헬스체크 ---
ory_stack_check:
image: alpine:latest
container_name: ory_stack_check
command: >
/bin/sh -c "
apk add --no-cache curl;
echo 'Wait for services...';
until curl -s http://kratos:4433/health/ready; do sleep 1; done;
until curl -s http://hydra:4444/health/ready; do sleep 1; done;
until curl -s http://keto:4466/health/ready; do sleep 1; done;
echo 'Ory Stack is fully operational!';"
depends_on:
- kratos
- hydra
- keto
networks:
- ory-net
# 기본 RP (Admin Front 등) 자동 등록 컨테이너
init-rp:
image: oryd/hydra:${HYDRA_VERSION:-v25.4.0}
environment:
- HYDRA_ADMIN_URL=http://hydra:4445
- OATHKEEPER_INTROSPECT_CLIENT_ID=${OATHKEEPER_INTROSPECT_CLIENT_ID:-oathkeeper-introspect}
- OATHKEEPER_INTROSPECT_CLIENT_SECRET=${OATHKEEPER_INTROSPECT_CLIENT_SECRET:-oathkeeper-secret}
command: |
hydra clients create \
--endpoint http://hydra:4445 \
--id adminfront \
--secret admin-secret \
--grant-types authorization_code,refresh_token \
--response-types code \
--scope openid,offline_access,profile,email \
--callbacks http://localhost:5000/callback;
# 기본 RP (Admin Front 등) 자동 등록 컨테이너
init-rp:
image: oryd/hydra:${HYDRA_VERSION:-v25.4.0}
environment:
- HYDRA_ADMIN_URL=http://hydra:4445
- OATHKEEPER_INTROSPECT_CLIENT_ID=${OATHKEEPER_INTROSPECT_CLIENT_ID:-oathkeeper-introspect}
- OATHKEEPER_INTROSPECT_CLIENT_SECRET=${OATHKEEPER_INTROSPECT_CLIENT_SECRET:-oathkeeper-secret}
command: |
hydra clients create \
--endpoint http://hydra:4445 \
--id adminfront \
--secret admin-secret \
--grant-types authorization_code,refresh_token \
--response-types code \
--scope openid,offline_access,profile,email \
--callbacks http://localhost:5000/callback;
hydra clients create \
--endpoint http://hydra:4445 \
--id devfront \
--grant-types authorization_code,refresh_token \
--response-types code \
--scope openid,offline_access,profile,email \
--token-endpoint-auth-method none \
--response-types code \
--callbacks http://localhost:5174/callback;
hydra clients create \
--endpoint http://hydra:4445 \
--id devfront \
--grant-types authorization_code,refresh_token \
--response-types code \
--scope openid,offline_access,profile,email \
--token-endpoint-auth-method none \
--response-types code \
--callbacks http://localhost:5174/callback;
hydra clients create \
--endpoint http://hydra:4445 \
--id "$OATHKEEPER_INTROSPECT_CLIENT_ID" \
--secret "$OATHKEEPER_INTROSPECT_CLIENT_SECRET" \
--grant-types client_credentials \
--response-types token \
--scope openid,offline_access,profile,email;
depends_on:
ory_stack_check:
condition: service_completed_successfully
networks:
- hydranet
hydra clients create \
--endpoint http://hydra:4445 \
--id "$OATHKEEPER_INTROSPECT_CLIENT_ID" \
--secret "$OATHKEEPER_INTROSPECT_CLIENT_SECRET" \
--grant-types client_credentials \
--response-types token \
--scope openid,offline_access,profile,email;
depends_on:
ory_stack_check:
condition: service_completed_successfully
networks:
- hydranet
volumes:
ory_postgres_data:
ory_clickhouse_data:
ory_postgres_data:
ory_clickhouse_data:
networks:
ory-net:
external: true
name: ory-net
hydranet:
external: true
name: hydranet
kratosnet:
external: true
name: kratosnet
public_net:
external: true
name: public_net
ory-net:
external: true
name: ory-net
hydranet:
external: true
name: hydranet
kratosnet:
external: true
name: kratosnet
public_net:
external: true
name: public_net

77
docs/consent_flow_explanation.md
View File

@@ -1,77 +0,0 @@
# Baron SSO Consent(권한 동의) 흐름 설명
이 문서는 Baron SSO 시스템에서 `/consent` 페이지가 어떻게 구현되어 있으며, 사용자가 어떻게 이 페이지로 이동하게 되는지 설명합니다.
## 1. 개요
Consent(권한 동의) 흐름은 **Ory Hydra**가 처리하는 OAuth2/OpenID Connect 프로토콜의 핵심 절차입니다. 클라이언트 앱(Relying Party, RP)이 사용자의 정보에 접근하기 위해 특정 권한(Scope)을 요청할 때, 사용자가 아직 해당 권한을 승인하지 않았다면 Hydra는 사용자를 설정된 Consent URL로 리다이렉트하여 동의를 구합니다.
## 2. `/consent` 페이지로의 리다이렉트 과정
사용자가 `/consent` 페이지로 이동하는 것은 Ory Hydra의 환경 설정에 의해 제어됩니다.
- **설정 파일**: `compose.ory.yaml` (및 `docker-compose.yaml`)
- **환경 변수**: `URLS_CONSENT`
`compose.ory.yaml` 파일 내 `hydra` 서비스의 설정은 다음과 같습니다:
```yaml
hydra:
environment:
- URLS_CONSENT=${USERFRONT_URL:-http://localhost:5000}/consent
```
Hydra는 권한 동의가 필요하다고 판단하면, 사용자의 브라우저를 다음 주소로 리다이렉트합니다:
`{USERFRONT_URL}/consent?consent_challenge={challenge_id}`
## 3. 프론트엔드 구현 (`userfront`)
`userfront` 애플리케이션(Flutter)은 권한 동의 화면의 UI와 사용자 상호작용을 처리합니다.
### 라우트 처리
- **파일**: `userfront/lib/main.dart`
- **로직**: 라우터 설정에서 `/consent` 경로를 처리합니다. URL 쿼리 파라미터에서 `consent_challenge`를 추출하여 `ConsentScreen` 위젯에 전달합니다.
### UI 및 비즈니스 로직
- **파일**: `userfront/lib/features/auth/presentation/consent_screen.dart`
- **로직**:
1. **정보 로드**: 페이지 로드 시 `AuthProxyService.getConsentInfo(widget.consentChallenge)`를 호출하여 동의 요청의 상세 정보를 가져옵니다.
2. **화면 표시**: 접근을 요청한 앱의 이름과 요청된 권한 목록(Scope)을 사용자에게 보여줍니다.
3. **동의 실행**: 사용자가 "동의" 버튼을 누르면 `AuthProxyService.acceptConsent(widget.consentChallenge)`를 호출합니다.
4. **최종 이동**: 백엔드로부터 성공 응답과 함께 `redirectTo` URL을 받으면, 해당 URL로 브라우저를 이동시켜 로그인/인증 과정을 완료합니다.
### API 서비스
- **파일**: `userfront/lib/core/services/auth_proxy_service.dart`
- **엔드포인트**:
- 정보 조회: `GET /api/v1/auth/consent`
- 동의 수락: `POST /api/v1/auth/consent/accept`
## 4. 백엔드 구현 (`backend`)
백엔드는 프론트엔드와 Ory Hydra Admin API 사이에서 보안 및 통신을 중계합니다.
### 핸들러
- **파일**: `backend/internal/handler/auth_handler.go`
- **주요 함수**:
- `GetConsentRequest`: 전달받은 `challenge`를 사용하여 Hydra로부터 권한 동의 요청의 상세 내용(클라이언트 정보, 스코프 등)을 가져옵니다.
- `AcceptConsentRequest`: Hydra에 권한 동의 수락을 통보합니다. Hydra가 생성한 최종 리다이렉트 URL(`redirect_to`)을 응답으로 받아 프론트엔드에 전달합니다.
### Hydra Admin 서비스 연동
- **파일**: `backend/internal/service/hydra_admin_service.go`
- **로직**: Hydra Admin API와 직접 통신합니다.
- 정보 조회: `GET /oauth2/auth/requests/consent` (Hydra Admin 인터페이스)
- 동의 수락: `PUT /oauth2/auth/requests/consent/accept` (Hydra Admin 인터페이스)
## 5. 전체 흐름 요약
1. **사용자**: 클라이언트 앱(예: adminfront, devfront 등)에서 로그인을 시도합니다.
2. **Hydra**: 사용자의 세션을 확인하고, 해당 앱에 필요한 권한 동의가 있는지 확인합니다. 동의가 필요하면 사용자를 `USERFRONT_URL/consent?consent_challenge=...`로 보냅니다.
3. **Userfront**: `/consent` 페이지가 로드되고 `consent_challenge`를 인식합니다.
4. **Userfront -> Backend**: `GET /api/v1/auth/consent`를 호출하여 어떤 권한을 요청 중인지 묻습니다.
5. **Backend -> Hydra**: Hydra Admin API에 해당 챌린지의 상세 정보를 조회하여 반환합니다.
6. **사용자**: 화면에서 권한 내용을 확인하고 "동의"를 클릭합니다.
7. **Userfront -> Backend**: `POST /api/v1/auth/consent/accept`를 호출합니다.
8. **Backend -> Hydra**: Hydra Admin API에 동의 수락을 요청합니다.
9. **Hydra -> Backend**: 인증을 완료할 수 있는 최종 리다이렉트 URL(클라이언트 앱의 callback 주소)을 반환합니다.
10. **Backend -> Userfront**: 해당 URL을 전달합니다.
11. **Userfront**: 사용자를 클라이언트 앱으로 이동시키며 프로세스가 종료됩니다.

0
docs/consent_loop_fix_report.md → docs/trouble-shooting/consent_loop_fix_report.md
View File

0
docs/hydra-rp-dummy.md → docs/trouble-shooting/hydra-rp-dummy.md
View File