diff --git a/README.md b/README.md index b2e6695..0f8c853 100644 --- a/README.md +++ b/README.md @@ -1,967 +1,19 @@ -

Ory Hydra - Open Source OAuth 2 and OpenID Connect server

+# Identity -

- Chat | - Discussions | - Newsletter

- Guide | - API Docs | - Code Docs

- Support this project!

- Work in Open Source, Ory is hiring! -

+This is a Laravel, IntertiaJS with Vue based application that works as an OIDC Provider. ---- +## Installation -

- CI Tasks for Ory Hydra - - Go Report Card - PkgGoDev - CII Best Practices - - -

+1. Clone the Repo +2. Run docker-compose up -d --build to start the project +3. Add auth.eurofurence.localhost and identity.eurofurence.localhost to your hosts file and forward them to 127.0.0.1 +4. Project has been Setup -Ory Hydra is a hardened, **OpenID Certified OAuth 2.0 Server and OpenID Connect -Provider** optimized for low-latency, high throughput, and low resource -consumption. Ory Hydra _is not_ an identity provider (user sign up, user login, -password reset flow), but connects to your existing identity provider through a -[login and consent app](https://www.ory.sh/docs/hydra/oauth2#authenticating-users-and-requesting-consent). -Implementing the login and consent app in a different language is easy, and -exemplary consent apps ([Node](https://github.com/ory/hydra-login-consent-node)) -and [SDKs](https://www.ory.sh/docs/kratos/sdk/index) for common languages are -provided. +### Security -Ory Hydra can use [Ory Kratos](https://github.com/ory/kratos) as its identity -server. +If you discover any security related issues, please email me@thiritin.com instead of using the issue tracker. -## Get Started +## Credits -You can use -[Docker to run Ory Hydra locally](https://www.ory.sh/docs/hydra/5min-tutorial) -or use the Ory CLI to try out Ory Hydra: - -```shell -# This example works best in Bash -bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) -b . ory -sudo mv ./ory /usr/local/bin/ - -# Or with Homebrew installed -brew install ory/tap/cli -``` - -create a new project (you may also use -[Docker](https://www.ory.sh/docs/hydra/5min-tutorial)) - -``` -ory create project --name "Ory Hydra 2.0 Example" -project_id="{set to the id from output}" -``` - -and follow the quick & easy steps below. 
- -### OAuth 2.0 Client Credentials / Machine-to-Machine - -Create an OAuth 2.0 Client, and run the OAuth 2.0 Client Credentials flow: - -```shell -ory create oauth2-client --project $project_id \ - --name "Client Credentials Demo" \ - --grant-type client_credentials -client_id="{set to client id from output}" -client_secret="{set to client secret from output}" - -ory perform client-credentials --client-id=$client_id --client-secret=$client_secret --project $project_id -access_token="{set to access token from output}" - -ory introspect token $access_token --project $project_id -``` - -### OAuth 2.0 Authorize Code + OpenID Connect - -Try out the OAuth 2.0 Authorize Code grant right away! - -By accepting permissions `openid` and `offline_access` at the consent screen, -Ory refreshes and OpenID Connect ID token, - -```shell -ory create oauth2-client --project $project_id \ - --name "Authorize Code with OpenID Connect Demo" \ - --grant-type authorization_code,refresh_token \ - --response-type code \ - --redirect-uri http://127.0.0.1:4446/callback -code_client_id="{set to client id from output}" -code_client_secret="{set to client secret from output}" - -ory perform authorization-code \ - --project $project_id \ - --client-id $code_client_id \ - --client-secret $code_client_secret -code_access_token="{set to access token from output}" - -ory introspect token $code_access_token --project $project_id -``` - ---- - - - - -- [What is Ory Hydra?](#what-is-ory-hydra) - - [Who's using it?](#whos-using-it) - - [OAuth2 and OpenID Connect: Open Standards!](#oauth2-and-openid-connect-open-standards) - - [OpenID Connect Certified](#openid-connect-certified) -- [Quickstart](#quickstart) - - [Installation](#installation) -- [Ecosystem](#ecosystem) - - [Ory Kratos: Identity and User Infrastructure and Management](#ory-kratos-identity-and-user-infrastructure-and-management) - - [Ory Hydra: OAuth2 & OpenID Connect Server](#ory-hydra-oauth2--openid-connect-server) - - [Ory Oathkeeper: 
Identity & Access Proxy](#ory-oathkeeper-identity--access-proxy) - - [Ory Keto: Access Control Policies as a Server](#ory-keto-access-control-policies-as-a-server) -- [Security](#security) - - [Disclosing vulnerabilities](#disclosing-vulnerabilities) -- [Benchmarks](#benchmarks) -- [Telemetry](#telemetry) -- [Documentation](#documentation) - - [Guide](#guide) - - [HTTP API documentation](#http-api-documentation) - - [Upgrading and Changelog](#upgrading-and-changelog) - - [Command line documentation](#command-line-documentation) - - [Develop](#develop) - - [Dependencies](#dependencies) - - [Formatting Code](#formatting-code) - - [Running Tests](#running-tests) - - [Short Tests](#short-tests) - - [Regular Tests](#regular-tests) - - [E2E Tests](#e2e-tests) - - [OpenID Connect Conformity Tests](#openid-connect-conformity-tests) - - [Build Docker](#build-docker) - - [Run the Docker Compose quickstarts](#run-the-docker-compose-quickstarts) - - [Add a new migration](#add-a-new-migration) -- [Libraries and third-party projects](#libraries-and-third-party-projects) - - - -## What is Ory Hydra? - -Ory Hydra is a server implementation of the OAuth 2.0 authorization framework -and the OpenID Connect Core 1.0. Existing OAuth2 implementations usually ship as -libraries or SDKs such as -[node-oauth2-server](https://github.com/oauthjs/node-oauth2-server) or -[Ory Fosite](https://github.com/ory/fosite/issues), or as fully featured -identity solutions with user management and user interfaces, such as -[Keycloak](https://www.keycloak.org). - -Implementing and using OAuth2 without understanding the whole specification is -challenging and prone to errors, even when SDKs are being used. The primary goal -of Ory Hydra is to make OAuth 2.0 and OpenID Connect 1.0 better accessible. - -Ory Hydra implements the flows described in OAuth2 and OpenID Connect 1.0 -without forcing you to use a "Hydra User Management" or some template engine or -a predefined front-end. 
Instead, it relies on HTTP redirection and cryptographic -methods to verify user consent allowing you to use Ory Hydra with any -authentication endpoint, be it [Ory Kratos](https://github.com/ory/kratos), -[authboss](https://github.com/go-authboss/authboss), -[User Frosting](https://www.userfrosting.com/) or your proprietary Java -authentication. - -### Who's using it? - - - -The Ory community stands on the shoulders of individuals, companies, and -maintainers. We thank everyone involved - from submitting bug reports and -feature requests, to contributing patches, to sponsoring our work. Our community -is 1000+ strong and growing rapidly. The Ory stack protects 16.000.000.000+ API -requests every month with over 250.000+ active service nodes. We would have -never been able to achieve this without each and everyone of you! - -The following list represents companies that have accompanied us along the way -and that have made outstanding contributions to our ecosystem. _If you think -that your company deserves a spot here, reach out to -office-muc@ory.sh now_! - -**Please consider giving back by becoming a sponsor of our open source work on -Patreon or -Open Collective.** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TypeNameLogoWebsite
SponsorRaspberry PI Foundation - - - Raspberry PI Foundation - - raspberrypi.org
ContributorKyma Project - - - Kyma Project - - kyma-project.io
SponsorTulip - - - Tulip Retail - - tulip.com
SponsorCashdeck / All My Funds - - - All My Funds - - cashdeck.com.au
ContributorHootsuite - - - Hootsuite - - hootsuite.com
Adopter *Segment - - - Segment - - segment.com
Adopter *Arduino - - - Arduino - - arduino.cc
Adopter *DataDetect - - - Datadetect - - unifiedglobalarchiving.com/data-detect/
Adopter *Sainsbury's - - - Sainsbury's - - sainsburys.co.uk
Adopter *Contraste - - - Contraste - - contraste.com
Adopter *Reyah - - - Reyah - - reyah.eu
Adopter *Zero - - - Project Zero by Commit - - getzero.dev
Adopter *Padis - - - Padis - - padis.io
Adopter *Cloudbear - - - Cloudbear - - cloudbear.eu
Adopter *Security Onion Solutions - - - Security Onion Solutions - - securityonionsolutions.com
Adopter *Factly - - - Factly - - factlylabs.com
Adopter *Nortal - - - Nortal - - nortal.com
SponsorOrderMyGear - - - OrderMyGear - - ordermygear.com
SponsorSpiri.bo - - - Spiri.bo - - spiri.bo
SponsorStrivacity - - - Spiri.bo - - strivacity.com
Adopter *Hanko - - - Hanko - - hanko.io
Adopter *Rabbit - - - Rabbit - - rabbit.co.th
Adopter *inMusic - - - InMusic - - inmusicbrands.com
Adopter *Buhta - - - Buhta - - buhta.com
Adopter *Connctd - - - Connctd - - connctd.com
Adopter *Paralus - - - Paralus - - paralus.io
Adopter *TIER IV - - - TIER IV - - tier4.jp
Adopter *R2Devops - - - R2Devops - - r2devops.io
Adopter *LunaSec - - - LunaSec - - lunasec.io
Adopter *Serlo - - - Serlo - - serlo.org
Adopter *dyrector.io - - - dyrector.io - - dyrector.io
Adopter *Stackspin - - - stackspin.net - - stackspin.net
Adopter *Amplitude - - - amplitude.com - - amplitude.com
- -We also want to thank all individual contributors - - - -as well as all of our backers - - - -and past & current supporters (in alphabetical order) on -[Patreon](https://www.patreon.com/_ory): Alexander Alimovs, Billy, Chancy -Kennedy, Drozzy, Edwin Trejos, Howard Edidin, Ken Adler Oz Haven, Stefan Hans, -TheCrealm. - -\* Uses one of Ory's major projects in production. - - - -### OAuth2 and OpenID Connect: Open Standards! - -Ory Hydra implements Open Standards set by the IETF: - -- [The OAuth 2.0 Authorization Framework](https://tools.ietf.org/html/rfc6749) -- [OAuth 2.0 Threat Model and Security Considerations](https://tools.ietf.org/html/rfc6819) -- [OAuth 2.0 Token Revocation](https://tools.ietf.org/html/rfc7009) -- [OAuth 2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) -- [OAuth 2.0 for Native Apps](https://tools.ietf.org/html/draft-ietf-oauth-native-apps-10) -- [OAuth 2.0 Dynamic Client Registration Protocol](https://datatracker.ietf.org/doc/html/rfc7591) -- [OAuth 2.0 Dynamic Client Registration Management Protocol](https://datatracker.ietf.org/doc/html/rfc7592) -- [Proof Key for Code Exchange by OAuth Public Clients](https://tools.ietf.org/html/rfc7636) -- [JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants](https://tools.ietf.org/html/rfc7523) - -and the OpenID Foundation: - -- [OpenID Connect Core 1.0](http://openid.net/specs/openid-connect-core-1_0.html) -- [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html) -- [OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html) -- [OpenID Connect Front-Channel Logout 1.0](https://openid.net/specs/openid-connect-frontchannel-1_0.html) -- [OpenID Connect Back-Channel Logout 1.0](https://openid.net/specs/openid-connect-backchannel-1_0.html) - -### OpenID Connect Certified - -Ory Hydra is an OpenID Foundation -[certified OpenID Provider 
(OP)](http://openid.net/certification/#OPs). - -

- Ory Hydra is a certified OpenID Providier -

- -The following OpenID profiles are certified: - -- [Basic OpenID Provider](http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) - (response types `code`) -- [Implicit OpenID Provider](http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth) - (response types `id_token`, `id_token+token`) -- [Hybrid OpenID Provider](http://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth) - (response types `code+id_token`, `code+id_token+token`, `code+token`) -- [OpenID Provider Publishing Configuration Information](https://openid.net/specs/openid-connect-discovery-1_0.html) -- [Dynamic OpenID Provider](https://openid.net/specs/openid-connect-registration-1_0.html) - -To obtain certification, we deployed the -[reference user login and consent app](https://github.com/ory/hydra-login-consent-node) -(unmodified) and Ory Hydra v1.0.0. - -## Quickstart - -This section is a starter guide to working with Ory Hydra. In-depth docs are -available as well: - -- The documentation is available [here](https://www.ory.sh/docs/hydra). -- The REST API documentation is available - [here](https://www.ory.sh/docs/hydra/sdk/api). - -### Installation - -Head over to the -[Ory Developer Documentation](https://www.ory.sh/docs/hydra/install) to learn -how to install Ory Hydra on Linux, macOS, Windows, and Docker and how to build -Ory Hydra from source. - -## Ecosystem - - - -We build Ory on several guiding principles when it comes to our architecture -design: - -- Minimal dependencies -- Runs everywhere -- Scales without effort -- Minimize room for human and network errors - -Ory's architecture is designed to run best on a Container Orchestration system -such as Kubernetes, CloudFoundry, OpenShift, and similar projects. Binaries are -small (5-15MB) and available for all popular processor types (ARM, AMD64, i386) -and operating systems (FreeBSD, Linux, macOS, Windows) without system -dependencies (Java, Node, Ruby, libxml, ...). 
- -### Ory Kratos: Identity and User Infrastructure and Management - -[Ory Kratos](https://github.com/ory/kratos) is an API-first Identity and User -Management system that is built according to -[cloud architecture best practices](https://www.ory.sh/docs/next/ecosystem/software-architecture-philosophy). -It implements core use cases that almost every software application needs to -deal with: Self-service Login and Registration, Multi-Factor Authentication -(MFA/2FA), Account Recovery and Verification, Profile, and Account Management. - -### Ory Hydra: OAuth2 & OpenID Connect Server - -[Ory Hydra](https://github.com/ory/hydra) is an OpenID Certified™ OAuth2 and -OpenID Connect Provider which easily connects to any existing identity system by -writing a tiny "bridge" application. It gives absolute control over the user -interface and user experience flows. - -### Ory Oathkeeper: Identity & Access Proxy - -[Ory Oathkeeper](https://github.com/ory/oathkeeper) is a BeyondCorp/Zero Trust -Identity & Access Proxy (IAP) with configurable authentication, authorization, -and request mutation rules for your web services: Authenticate JWT, Access -Tokens, API Keys, mTLS; Check if the contained subject is allowed to perform the -request; Encode resulting content into custom headers (`X-User-ID`), JSON Web -Tokens and more! - -### Ory Keto: Access Control Policies as a Server - -[Ory Keto](https://github.com/ory/keto) is a policy decision point. It uses a -set of access control policies, similar to AWS IAM Policies, in order to -determine whether a subject (user, application, service, car, ...) is authorized -to perform a certain action on a resource. - - - -## Security - -_Why should I use Ory Hydra? It's not that hard to implement two OAuth2 -endpoints and there are numerous SDKs out there!_ - -OAuth2 and OAuth2 related specifications are over 400 written pages. -Implementing OAuth2 is easy, getting it right is hard. 
Ory Hydra is trusted by -companies all around the world, has a vibrant community and faces millions of -requests in production each day. Of course, we also compiled a security guide -with more details on cryptography and security concepts. Read -[the security guide now](https://www.ory.sh/docs/hydra/security-architecture). - -### Disclosing vulnerabilities - -If you think you found a security vulnerability, please refrain from posting it -publicly on the forums, the chat, or GitHub. You can find all info for -responsible disclosure in our -[security.txt](https://www.ory.sh/.well-known/security.txt). - -## Benchmarks - -Our continuous integration runs a collection of benchmarks against Ory Hydra. -You can find the results [here](https://www.ory.sh/docs/performance/hydra). - -## Telemetry - -Our services collect summarized, anonymized data that can optionally be turned -off. Click [here](https://www.ory.sh/docs/ecosystem/sqa) to learn more. - -## Documentation - -### Guide - -The full Ory Hydra documentation is available -[here](https://www.ory.sh/docs/hydra). - -### HTTP API documentation - -The HTTP API is documented [here](https://www.ory.sh/docs/hydra/sdk/api). - -### Upgrading and Changelog - -New releases might introduce breaking changes. To help you identify and -incorporate those changes, we document these changes in -[CHANGELOG.md](./CHANGELOG.md). - -### Command line documentation - -Run `hydra -h` or `hydra help`. - -### Develop - -We love all contributions! Please read our -[contribution guidelines](./CONTRIBUTING.md). - -#### Dependencies - -You need Go 1.13+ with `GO111MODULE=on` and (for the test suites): - -- Docker and Docker Compose -- Makefile -- NodeJS / npm - -It is possible to develop Ory Hydra on Windows, but please be aware that all -guides assume a Unix shell like bash or zsh. - -#### Formatting Code - -You can format all code using `make format`. Our CI checks if your code is -properly formatted. 
- -#### Running Tests - -There are three types of tests you can run: - -- Short tests (do not require a SQL database like PostgreSQL) -- Regular tests (do require PostgreSQL, MySQL, CockroachDB) -- End to end tests (do require databases and will use a test browser) - -All of the above tests can be run using the makefile. See the commands below. - -**Makefile commands** - -```shell -# quick tests -make quicktest - -# regular tests -make test -test-resetdb - -# end-to-end tests -make e2e -``` - -##### Short Tests - -It is recommended to use the make file to run your tests using `make quicktest` -, however, you can still use the `go test` command. - -**Please note**: - -All tests run against a sqlite in-memory database, thus it is required to use -the `-tags sqlite,json1` build tag. - -Short tests run fairly quickly. You can either test all of the code at once: - -```shell script -go test -v -failfast -short -tags sqlite,json1 ./... -``` - -or test just a specific module: - -```shell script -go test -v -failfast -short -tags sqlite,json1 ./client -``` - -or a specific test: - -```shell script -go test -v -failfast -short -tags sqlite,json1 -run ^TestName$ ./... -``` - -##### Regular Tests - -Regular tests require a database set up. Our test suite is able to work with -docker directly (using [ory/dockertest](https://github.com/ory/dockertest)) but -we encourage to use the Makefile instead. Using dockertest can bloat the number -of Docker Images on your system and are quite slow. Instead we recommend doing: - -```shell script -make test -``` - -Please be aware that `make test` recreates the databases every time you run -`make test`. This can be annoying if you are trying to fix something very -specific and need the database tests all the time. 
In that case we suggest that -you initialize the databases with: - -```shell script -make test-resetdb -export TEST_DATABASE_MYSQL='mysql://root:secret@(127.0.0.1:3444)/mysql?parseTime=true&multiStatements=true' -export TEST_DATABASE_POSTGRESQL='postgres://postgres:secret@127.0.0.1:3445/postgres?sslmode=disable' -export TEST_DATABASE_COCKROACHDB='cockroach://root@127.0.0.1:3446/defaultdb?sslmode=disable' -``` - -Then you can run `go test` as often as you'd like: - -```shell script -go test -p 1 ./... - -# or in a module: -cd client; go test . -``` - -#### E2E Tests - -The E2E tests use [Cypress](https://www.cypress.io) to run full browser tests. -You can execute these tests with: - -``` -make e2e -``` - -The runner will not show the Browser window, as it runs in the CI Mode -(background). That makes debugging these type of tests very difficult, but -thankfully you can run the e2e test in the browser which helps with debugging! -Just run: - -```shell script -./test/e2e/circle-ci.bash memory --watch - -# Or for the JSON Web Token Access Token strategy: -# ./test/e2e/circle-ci.bash memory-jwt --watch -``` - -or if you would like to test one of the databases: - -```shell script -make test-resetdb -export TEST_DATABASE_MYSQL='mysql://root:secret@(127.0.0.1:3444)/mysql?parseTime=true&multiStatements=true' -export TEST_DATABASE_POSTGRESQL='postgres://postgres:secret@127.0.0.1:3445/postgres?sslmode=disable' -export TEST_DATABASE_COCKROACHDB='cockroach://root@127.0.0.1:3446/defaultdb?sslmode=disable' - -# You can test against each individual database: -./test/e2e/circle-ci.bash postgres --watch -./test/e2e/circle-ci.bash memory --watch -./test/e2e/circle-ci.bash mysql --watch -# ... -``` - -Once you run the script, a Cypress window will appear. Hit the button "Run all -Specs"! - -The code for these tests is located in -[./cypress/integration](./cypress/integration) and -[./cypress/support](./cypress/support) and -[./cypress/helpers](./cypress/helpers). 
The website you're seeing is located in -[./test/e2e/oauth2-client](./test/e2e/oauth2-client). - -##### OpenID Connect Conformity Tests - -To run Ory Hydra against the OpenID Connect conformity suite, run - -```shell script -$ test/conformity/start.sh --build -``` - -and then in a separate shell - -```shell script -$ test/conformity/test.sh -``` - -Running these tests will take a significant amount of time which is why they are -not part of the CI pipeline. - -#### Build Docker - -You can build a development Docker Image using: - -```shell script -make docker -``` - -#### Run the Docker Compose quickstarts - -If you wish to check your code changes against any of the docker-compose -quickstart files, run: - -```shell script -make docker -docker compose -f quickstart.yml up # .... -``` - -#### Add a new migration - -1. `mkdir persistence/sql/src/YYYYMMDD000001_migration_name/` -2. Put the migration files into this directory, following the standard naming - conventions. If you wish to execute different parts of a migration in - separate transactions, add split marks (lines with the text `--split`) where - desired. Why this might be necessary is explained in - https://github.com/gobuffalo/fizz/issues/104. -3. Run `make persistence/sql/migrations/` to generate migration - fragments. -4. If an update causes the migration to have fewer fragments than the number - already generated, run - `make persistence/sql/migrations/-clean`. This is equivalent to - a `rm` command with the right parameters, but comes with better tab - completion. -5. Before committing generated migration fragments, run the above clean command - and generate a fresh copy of migration fragments to make sure the `sql/src` - and `sql/migrations` directories are consistent. 
- -## Libraries and third-party projects - -Official: - -- [User Login & Consent Example](https://github.com/ory/hydra-login-consent-node) - -Community: - -- Visit - [this document for an overview of community projects and articles](https://www.ory.sh/docs/ecosystem/community) - -Developer Blog: - -- Visit the [Ory Blog](https://www.ory.sh/blog/) for guides, tutorials and - articles around Ory Hydra and the Ory ecosystem. +- [Thiritin](https://github.com/thiritin) +- [All Contributors](../../contributors)
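Review bot: The new Installation section is incomplete for something described as an OIDC Provider: the four steps end with `4. Project has been Setup`, which is a statement rather than an instruction, and nothing in the added text says how the provider's environment configuration, signing keys or OIDC clients are set up, whereas the replaced README linked to documentation for each of these. Suggest rephrasing step 4 as a verification step (for example, opening identity.eurofurence.localhost in a browser to confirm the stack is up) and adding a short Configuration subsection, or at least a link to one. Smaller points in the same hunk: `docker-compose up -d --build` should be formatted as inline code so it is not mangled when rendered; "IntertiaJS" is a typo for "InertiaJS"; the Security section replaces a `security.txt`-based disclosure process with a single email address and no expected scope or response time, so consider keeping a `.well-known/security.txt` alongside the email; and `[All Contributors](../../contributors)` is a relative link that only resolves on the GitHub web UI, not in a local checkout or on a mirror.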