denise
/
ory-account-experience
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'main'
${ noResults }
ory-account-experience/README.md

45 lines
2.1 KiB
Markdown
Raw Permalink Blame History

# ory-account-experience
Ory Kratos (and eventually Hydra) testing for La Contre-Voie
Comes pre-packaged with the Ory Account Experience (tm) Community Edition and the Ory Account Login Consent Experience (tm(patent pending (limited))).
Based off Dockerfile and docker-compose from https://github.com/ory/kratos, which is under the Apache License 2.0.
Also based off Dockerfile and docker-compose from https://github.com/ory/hydra, which is also under the Apache License 2.0.
Also based docker-compose from https://git.4201337.xyz/miaoute/config_files, which is under the MIT license.
To run:
```
docker compose -f dc-services.yaml -f dc-kratos.yaml -f dc-hydra.yaml build
docker compose -f dc-services.yaml -f dc-kratos.yaml -f dc-hydra.yaml up -d
```
To create a OAUTH2 client with OPENID authorisation that should work with Gitea:
(assuming that you set the oauth2 provider's name to ory_hydra on the Gitea side)
(The autodiscovery OPENID url is http://hydra:4444/.well-known/openid-configuration)
```
docker compose -f dc-services.yaml -f dc-kratos.yaml -f dc-hydra.yaml exec hydra hydra create client \
--endpoint http://hydra:4445 \
--grant-type authorization_code,refresh_token \
--response-type code \
--scope offline_access,openid \
--redirect-uri http://localhost:3621/user/oauth2/ory_hydra/callback \
--metadata '{"trusted":true}'
```
Replace e1r2p1.clusters.42paris.fr in the configuration files by a hostname that the whole network shares, and is accessible via your browser.
Configuration files you need to change: dc-kratos.yaml and kratos.yml
You cannot use localhost unless you want to do network_mode: host, which is a **terrible idea**.
A permanent fix is to NOT use the Admin API, for the Admin API, when fetching identity schemas, redirects to the public base_url defined in /etc/config/kratos/kratos.yml, which is only adapted for use outside of Docker containers, and is not the url that should be used internally between containers.
Basically, develop your own consent flow and use the internal hostname to get the schema information so that the system is as airgapped as possible.
Reference in New Issue View Git Blame Copy Permalink