rhythmic-holiday-67222
03/14/2022, 3:39 PMoauth2_client_credentials
to use hydra’s endpoints I keep getting connection refused..
I’m using http://127.0.0.1 and my docker compose already has driver set to ‘bridge’ and hydra cli tool can communicate with corresponding docker container, but oathkeeper cannot.
Any ideas?damp-sunset-69236
03/14/2022, 3:51 PMdamp-sunset-69236
03/14/2022, 3:52 PMrhythmic-holiday-67222
03/14/2022, 5:54 PMversion: '3.7'
services:
consent:
environment:
- HYDRA_ADMIN_URL=<http://hydra:4445>
image: oryd/hydra-login-consent-node:v1.11.7
networks:
- intranet
ports:
- '3000:3000'
restart: unless-stopped
hydra:
command: serve -c /etc/config/hydra/hydra.yaml all --dangerous-force-http
depends_on:
- hydra-migrate
environment:
- TRACING_PROVIDER=jaeger
- TRACING_PROVIDERS_JAEGER_PROPAGATION=jaeger
- TRACING_PROVIDERS_JAEGER_SAMPLING_SERVER_URL=<http://jaeger:5778/sampling>
- TRACING_PROVIDERS_JAEGER_LOCAL_AGENT_ADDRESS=jaeger:6831
- TRACING_PROVIDERS_JAEGER_SAMPLING_TYPE=const
- TRACING_PROVIDERS_JAEGER_SAMPLING_VALUE=1
- TRACING_SERVICE_NAME="Ory Hydra"
image: oryd/hydra:v1.11.7
networks:
- intranet
ports:
- '4444:4444' # Public port
- '4445:4445' # Admin port
- '5555:5555' # Port for hydra token user
restart: unless-stopped
volumes:
- type: bind
source: ./configs/hydra
target: /etc/config/hydra
hydra-migrate:
command: migrate -c /etc/config/hydra/hydra.yaml sql -e --yes
image: oryd/hydra:v1.11.7
environment:
- DSN=<postgres://hydra:secret@postgresd:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4>
networks:
- intranet
restart: on-failure
volumes:
- type: bind
source: ./configs/hydra
target: /etc/config/hydra
jaeger:
image: jaegertracing/all-in-one
networks:
- intranet
ports:
- 6831:6831/udp
- 5778:5778/tcp
- 16686:16686
oathkeeper:
command: serve --config=/etc/config/oathkeeper/oathkeeper.yaml
depends_on:
- jaeger
environment:
- TRACING_PROVIDER=jaeger
- TRACING_PROVIDERS_JAEGER_PROPAGATION=jaeger
- TRACING_PROVIDERS_JAEGER_SAMPLING_SERVER_URL=<http://jaeger:5778/sampling>
- TRACING_PROVIDERS_JAEGER_LOCAL_AGENT_ADDRESS=jaeger:6831
- TRACING_PROVIDERS_JAEGER_SAMPLING_TYPE=const
- TRACING_PROVIDERS_JAEGER_SAMPLING_VALUE=1
- TRACING_SERVICE_NAME="Ory Oathkeeper"
image: oryd/oathkeeper:v0.38.23-beta.1
networks:
- intranet
ports:
- '4455:4455'
- '4456:4456'
restart: on-failure
volumes:
- type: bind
source: ./configs/oathkeeper
target: /etc/config/oathkeeper
postgresd:
environment:
- POSTGRES_USER=hydra
- POSTGRES_PASSWORD=secret
- POSTGRES_DB=hydra
image: postgres:9.6
networks:
- intranet
ports:
- '5432:5432'
networks:
intranet:
driver: bridge
rhythmic-holiday-67222
03/14/2022, 5:54 PM[
{
"id": "my-client",
"upstream": {
"url": "<https://www.ory.sh/>"
},
"match": {
"url": "http://<127.0.0.1|localhost>:4455/oauth2-ccf",
"methods": [
"GET"
]
},
"authenticators": [
{
"handler": "oauth2_client_credentials"
}
],
"authorizer": {
"handler": "allow"
},
"mutators": [
{
"handler": "noop"
}
]
},
{
"id": "auth-code-client",
"upstream": {
"url": "<https://www.ory.sh/>"
},
"match": {
"url": "http://<127.0.0.1|localhost>:4455/oauth2-acgf",
"methods": [
"GET"
]
},
"authenticators": [
{
"handler": "oauth2_introspection",
"config": {
"required_scope": [
"tickets"
],
"target_audience": [
"<https://www.ory.sh/>"
]
}
}
],
"authorizer": {
"handler": "allow"
},
"mutators": [
{
"handler": "noop"
}
]
}
]
rhythmic-holiday-67222
03/14/2022, 5:54 PMaccess_rules:
repositories:
- file:///etc/config/oathkeeper/rules.json
authenticators:
anonymous:
enabled: true
config:
subject: guest
oauth2_client_credentials:
enabled: true
config:
token_url: <http://127.0.0.1:4444/oauth2/token>
oauth2_introspection:
enabled: true
config:
introspection_url: <http://127.0.0.1:4445/oauth2/introspect>
scope_strategy: exact
trusted_issuers:
- <http://127.0.0.1:4445>
pre_authorization:
enabled: true
client_id: auth-code-client
client_secret: secret
scope:
- introspect
token_url: <http://127.0.0.1:4444/oauth2/token>
retry:
max_delay: 300ms
give_up_after: 2s
cache:
enabled: true
ttl: 60s
authorizers:
allow:
enabled: true
deny:
enabled: true
errors:
fallback:
- json
handlers:
json:
enabled: true
config:
verbose: true
redirect:
enabled: true
config:
to: <https://www.ory.sh/docs>
mutators:
header:
enabled: true
config:
headers:
X-User: '{{ print .Subject }}'
noop:
enabled: true
serve:
proxy:
port: 4455 # run the proxy at port 4455
api:
port: 4456 # run the api at port 4456
tracing:
service_name: Ory Oathkeeper
providers:
jaeger:
propagation: jaeger
max_tag_value_length: 0
sampling:
type: const
value: 1
server_url: <http://jaeger:5778/sampling>
local_agent_address: jaeger:6831
provider: jaeger
rhythmic-holiday-67222
03/14/2022, 5:55 PM# DSN
dsn: '<postgres://hydra:secret@postgresd:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4>'
oauth2:
# OAUTH2_EXPOSE_INTERNAL_ERRORS
expose_internal_errors: true
oidc:
subject_identifiers:
pairwise:
# OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT
salt: .....
# OIDC_SUBJECT_IDENTIFIERS_SUPPORTED_TYPES
supported_types:
- pairwise
- public
secrets:
# SECRETS_SYSTEM
system:
- ....
serve:
cookies:
# SERVE_COOKIES_SAME_SITE_MODE
same_site_mode: Lax
admin:
cors:
# SERVE_ADMIN_CORS_ALLOW_CREDENTIALS
allow_credentials: true
# SERVE_ADMIN_CORS_ALLOWED_HEADERS
allowed_headers:
- '*'
# SERVE_ADMIN_CORS_ALLOWED_METHODS
allowed_methods:
- POST
- GET
- PUT
- DELETE
- OPTIONS
# SERVE_ADMIN_CORS_ALLOWED_ORIGINS
allowed_origins:
- '*'
# SERVE_ADMIN_CORS_ENABLED
enabled: true
public:
cors:
# SERVE_PUBLIC_CORS_ALLOW_CREDENTIALS
allow_credentials: true
# SERVE_PUBLIC_CORS_ALLOWED_HEADERS
allowed_headers:
- '*'
# SERVE_PUBLIC_CORS_ALLOWED_METHODS
allowed_methods:
- POST
- GET
- PUT
- DELETE
- OPTIONS
# SERVE_PUBLIC_CORS_ALLOWED_ORIGINS
allowed_origins:
- '*'
# SERVE_PUBLIC_CORS_ENABLED
enabled: true
tracing:
service_name: Ory Hydra
providers:
jaeger:
propagation: jaeger
max_tag_value_length: 0
sampling:
type: const
value: 1
server_url: <http://127.0.0.1:5778/sampling>
local_agent_address: 127.0.0.1:6831
provider: jaeger
urls:
self:
# URLS_SELF_ISSUER
issuer: <http://127.0.0.1:4444>
# URLS_CONSENT
consent: <http://127.0.0.1:3000/consent>
# URLS_LOGIN
login: <http://127.0.0.1:3000/login>
# URLS_LOGOUT
logout: <http://127.0.0.1:3000/logout>
rhythmic-holiday-67222
03/14/2022, 5:56 PMrhythmic-holiday-67222
03/14/2022, 6:44 PMdamp-sunset-69236
03/14/2022, 7:32 PM