ory-hosting 기본구동

docker/ory/hydra/hydra.yml

@@ -0,0 +1,41 @@
+dsn: memory
+
+serve:
+    cookies:
+        same_site_mode: Lax
+    public:
+        cors:
+            enabled: true
+            allowed_origins:
+                - "*"
+            allowed_methods:
+                - POST
+                - GET
+                - PUT
+                - PATCH
+                - DELETE
+            allowed_headers:
+                - Authorization
+                - Content-Type
+            exposed_headers:
+                - Content-Type
+            allow_credentials: true
+
+urls:
+    self:
+        issuer: http://127.0.0.1:4444
+    consent: http://127.0.0.1:3000/consent
+    login: http://127.0.0.1:3000/login
+    logout: http://127.0.0.1:3000/logout
+
+secrets:
+    system:
+        - youReallyNeedToChangeThis
+
+oidc:
+    subject_identifiers:
+        supported_types:
+            - pairwise
+            - public
+        pairwise:
+            salt: youReallyNeedToChangeThis

docker/ory/init-db/01_create_dbs.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+set -e
+
+# 환경 변수에서 DB 이름 가져오기 (기본값 설정)
+KRATOS_DB=${KRATOS_DB:-ory_kratos}
+HYDRA_DB=${HYDRA_DB:-ory_hydra}
+KETO_DB=${KETO_DB:-ory_keto}
+
+# 함수 정의: DB가 없으면 생성
+create_db_if_not_exists() {
+    local dbname=$1
+    if ! psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" -lqt | cut -d \| -f 1 | grep -qw "$dbname"; then
+        psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+            CREATE DATABASE $dbname;
+EOSQL
+        echo "Database '$dbname' created."
+    else
+        echo "Database '$dbname' already exists."
+    fi
+}
+
+create_db_if_not_exists "$KRATOS_DB"
+create_db_if_not_exists "$HYDRA_DB"
+create_db_if_not_exists "$KETO_DB"

docker/ory/keto/keto.yml

@@ -0,0 +1,13 @@
+version: v0.11.0
+dsn: memory
+serve:
+  read:
+    host: 0.0.0.0
+    port: 4466
+  write:
+    host: 0.0.0.0
+    port: 4467
+namespaces:
+  location: file:///etc/config/keto/namespaces.yml
+log:
+  level: debug

docker/ory/keto/namespaces.yml

@@ -0,0 +1,7 @@
+namespaces:
+  - id: 0
+    name: default
+  - id: 1
+    name: roles
+  - id: 2
+    name: permissions

docker/ory/kratos/identity.schema.json

@@ -0,0 +1,49 @@
+{
+  "$id": "https://schemas.ory.sh/presets/kratos/identity.email.schema.json",
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Person",
+  "type": "object",
+  "properties": {
+    "traits": {
+      "type": "object",
+      "properties": {
+        "email": {
+          "type": "string",
+          "format": "email",
+          "title": "E-Mail",
+          "minLength": 3,
+          "ory.sh/kratos": {
+            "credentials": {
+              "password": {
+                "identifier": true
+              }
+            },
+            "recovery": {
+              "via": "email"
+            },
+            "verification": {
+              "via": "email"
+            }
+          }
+        },
+        "name": {
+          "type": "object",
+          "properties": {
+            "first": {
+              "type": "string",
+              "title": "First Name"
+            },
+            "last": {
+              "type": "string",
+              "title": "Last Name"
+            }
+          }
+        }
+      },
+      "required": [
+        "email"
+      ],
+      "additionalProperties": false
+    }
+  }
+}

docker/ory/kratos/kratos.yml

@@ -0,0 +1,76 @@
+version: v1.3.0
+
+dsn: memory
+
+serve:
+  public:
+    base_url: http://127.0.0.1:4433/
+    cors:
+      enabled: true
+  admin:
+    base_url: http://127.0.0.1:4434/
+
+selfservice:
+  default_browser_return_url: http://127.0.0.1:4455/
+  allowed_return_urls:
+    - http://127.0.0.1:4455
+    - http://localhost:5000
+
+  methods:
+    password:
+      enabled: true
+    link:
+      enabled: true
+    code:
+      enabled: true
+
+  flows:
+    error:
+      ui_url: http://127.0.0.1:4455/error
+    settings:
+      ui_url: http://127.0.0.1:4455/settings
+      privileged_session_max_age: 15m
+    recovery:
+      ui_url: http://127.0.0.1:4455/recovery
+      use: code
+    verification:
+      ui_url: http://127.0.0.1:4455/verification
+      use: code
+    logout:
+      after:
+        default_browser_return_url: http://127.0.0.1:4455/login
+    login:
+      ui_url: http://127.0.0.1:4455/login
+      lifespan: 10m
+    registration:
+      ui_url: http://127.0.0.1:4455/registration
+      lifespan: 10m
+
+log:
+  level: debug
+  format: text
+  leak_sensitive_values: true
+
+secrets:
+  cookie:
+    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
+  cipher:
+    - 32-LONG-SECRET-NOT-SECURE-AT-ALL
+
+ciphers:
+  algorithm: xchacha20-poly1305
+
+hashers:
+  algorithm: bcrypt
+  bcrypt:
+    cost: 8
+
+identity:
+  default_schema_id: default
+  schemas:
+    - id: default
+      url: file:///etc/config/kratos/identity.schema.json
+
+courier:
+  smtp:
+    connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true

docker/ory/oathkeeper/oathkeeper.yml

@@ -0,0 +1,41 @@
+serve:
+  proxy:
+    port: 4455
+  api:
+    port: 4456
+
+errors:
+  fallback:
+    - json
+
+access_rules:
+  repositories:
+    - file:///etc/config/oathkeeper/rules.json
+
+authenticators:
+  noop:
+    enabled: true
+  cookie_session:
+    enabled: true
+    config:
+      check_session_url: http://kratos:4433/sessions/whoami
+      preserve_path: true
+      extra_from: "@this"
+      subject_from: "identity.id"
+
+authorizers:
+  allow:
+    enabled: true
+  remote_json:
+    enabled: true
+    config:
+      remote: http://keto:4466/check
+
+mutators:
+  noop:
+    enabled: true
+  id_token:
+    enabled: true
+    config:
+      issuer_url: http://127.0.0.1:4456/
+      jwks_url: file:///etc/config/oathkeeper/jwks.json

docker/ory/oathkeeper/rules.json

@@ -0,0 +1 @@
+[]