Ory Hydra: OAuth 2.0 Client Credentials Flow

Background

We use Hydra v1.11.10, deployed with docker-compose. This post walks through the Client Credentials flow and verifies it end to end.

Deployment

This time we deploy with docker-compose, using a file adapted from quickstart.yml:

```yaml
version: "3.7"
services:
  hydra:
    image: oryd/hydra:v1.11.10
    ports:
      - "4444:4444" # Public port
      - "4445:4445" # Admin port
      - "5555:5555" # Port for hydra token user
    command: serve all --dangerous-force-http
    environment:
      - DSN=postgres://hydra:secret@postgresd:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4
    restart: unless-stopped
    depends_on:
      - hydra-migrate
    networks:
      - hydranet
  hydra-migrate:
    image: oryd/hydra:v1.11.10
    environment:
      - DSN=postgres://hydra:secret@postgresd:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4
    command: migrate sql -e --yes
    restart: on-failure
    networks:
      - hydranet
  postgresd:
    image: postgres:9.6
    ports:
      - "5432:5432"
    environment:
      - POSTGRES_USER=hydra
      - POSTGRES_PASSWORD=secret
      - POSTGRES_DB=hydra
    networks:
      - hydranet
networks:
  hydranet:
```
```bash
docker-compose -f quickstart.yml up --build
```

postgresd: the PostgreSQL database
hydra-migrate: runs the SQL migrations that initialise the database schema
hydra: the authorization server itself (public API on 4444, admin API on 4445)

Create a client and verify the Client Credentials flow

Via the Hydra CLI

Create a client

```bash
docker-compose -f quickstart.yml exec hydra hydra clients create \
  --endpoint http://localhost:4445/ \
  --id my-client \
  --secret my-secret \
  --grant-types client_credentials \
  --scope api

You should not provide secrets using command line flags, the secret might leak to bash history and similar systems
OAuth 2.0 Client ID: my-client
```

Generate a token

```bash
docker-compose -f quickstart.yml exec hydra hydra token client \
  --endpoint http://localhost:4444/ \
  --client-id my-client \
  --client-secret my-secret

vRm9SR63-7vuhdMhZs72PT9Uhj4HQXCL3QrKVRja_yI.jpXIW0ichJFr4ANUSMVvXwL7CFEuNmCQNdUU6FgkGHc
```

Verify the token

```bash
docker-compose -f quickstart.yml exec hydra hydra token introspect \
  --endpoint http://localhost:4445/ \
  vRm9SR63-7vuhdMhZs72PT9Uhj4HQXCL3QrKVRja_yI.jpXIW0ichJFr4ANUSMVvXwL7CFEuNmCQNdUU6FgkGHc

{
  "active": true,
  "aud": [],
  "client_id": "my-client",
  "exp": 1661071059,
  "iat": 1661067458,
  "iss": "http://localhost:4444/",
  "nbf": 1661067458,
  "sub": "my-client",
  "token_type": "Bearer",
  "token_use": "access_token"
}
```

Via the REST API

Create a client

```bash
# Admin API: port 4445 as mapped in the compose file above
curl -X POST 'http://localhost:4445/clients' \
  -H 'Content-Type: application/json' \
  --data-raw '{ "client_id": "my-client", "client_name": "MyClientApp", "client_secret": "my-secret", "grant_types": ["client_credentials"], "scope": "api" }'
```

Generate a token

```bash
# Public API: port 4444 as mapped in the compose file above; -u sends the
# client id and secret as HTTP Basic auth (client_secret_basic)
curl -u 'my-client:my-secret' -X POST 'http://localhost:4444/oauth2/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-raw 'grant_type=client_credentials&scope=api'
```

```json
{
  "access_token": "fKPlJDSuZ2fJ0gGhDzf3GIfIv2RKxp03wN9FRhAyub4.3PAALlq2b1TU6i8n-IbSPEhM3GNXwANV9S3Tw4A4DrQ",
  "expires_in": 3599,
  "scope": "api",
  "token_type": "bearer"
}
```

Verify the token

```bash
curl -X POST 'http://localhost:4445/oauth2/introspect' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-raw 'token=fKPlJDSuZ2fJ0gGhDzf3GIfIv2RKxp03wN9FRhAyub4.3PAALlq2b1TU6i8n-IbSPEhM3GNXwANV9S3Tw4A4DrQ'
```
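Added example, not from the original post and not Ory's code: a Python script that builds the same two HTTP messages the CLI and curl commands above send (a Basic-auth form POST to /oauth2/token on the public port 4444, and a form POST to /oauth2/introspect on the admin port 4445) and runs them against an in-memory stand-in for Hydra so it works offline. FakeHydra, its opaque token format, the one-hour lifetime, the pre-registered "my-client"/"my-secret" pair and the authorize() checks are constructed for illustration; they mirror the shape of the responses shown on this page but are not Hydra's implementation. post_form() sends the same messages to a real instance at the ports from the compose file.

```python
"""Client Credentials flow, worked end to end against an offline stand-in for Hydra."""
import base64
import binascii
import json
import secrets
import time
import urllib.parse
import urllib.request

PUBLIC_URL = "http://localhost:4444"   # Hydra public API (token endpoint), per the compose file
ADMIN_URL = "http://localhost:4445"    # Hydra admin API (introspection), per the compose file


def build_token_request(client_id: str, client_secret: str, scope: str):
    """Headers and body for POST /oauth2/token using client_secret_basic (what curl -u sends)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return headers, body


def build_introspect_request(token: str):
    """Headers and body for POST /oauth2/introspect on the admin port."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return headers, urllib.parse.urlencode({"token": token})


def post_form(url: str, headers: dict, body: str) -> dict:
    """Send one form-encoded POST to a live Hydra and decode the JSON reply (not used offline)."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


class FakeHydra:
    """Constructed in-memory stand-in for the two endpoints used above; not Hydra's code."""

    def __init__(self, clients: dict, issuer: str = PUBLIC_URL + "/", lifetime: int = 3600):
        self.clients = clients      # client_id -> {"secret": ..., "scope": ...}
        self.issuer = issuer
        self.lifetime = lifetime
        self.tokens = {}            # opaque access token -> introspection claims

    def token(self, headers: dict, body: str, now: int = None) -> dict:
        now = int(time.time()) if now is None else now
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return {"error": "invalid_client"}
        try:
            client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        except (binascii.Error, UnicodeDecodeError):
            return {"error": "invalid_client"}
        client = self.clients.get(client_id)
        # Constant-time compare: a timing oracle on the client secret is the classic mistake here
        if client is None or not secrets.compare_digest(client["secret"], secret):
            return {"error": "invalid_client"}
        form = urllib.parse.parse_qs(body)
        if form.get("grant_type") != ["client_credentials"]:
            return {"error": "unsupported_grant_type"}
        requested = set(form.get("scope", [""])[0].split())
        if not requested <= set(client["scope"].split()):
            return {"error": "invalid_scope"}   # never grant more than the client was registered for
        tok = secrets.token_urlsafe(32)          # opaque token, like Hydra's default access tokens
        granted = " ".join(sorted(requested))
        self.tokens[tok] = {"active": True, "client_id": client_id, "sub": client_id,
                            "iss": self.issuer, "iat": now, "nbf": now,
                            "exp": now + self.lifetime, "scope": granted,
                            "token_type": "Bearer", "token_use": "access_token"}
        return {"access_token": tok, "expires_in": self.lifetime,
                "scope": granted, "token_type": "bearer"}

    def introspect(self, body: str, now: int = None) -> dict:
        now = int(time.time()) if now is None else now
        tok = urllib.parse.parse_qs(body).get("token", [""])[0]
        claims = self.tokens.get(tok)
        # RFC 7662: unknown or expired tokens come back as {"active": false} and nothing else
        if claims is None or claims["exp"] <= now:
            return {"active": False}
        return dict(claims)


def authorize(introspection: dict, expected_client: str, required_scope: str) -> bool:
    """What a resource server must check before trusting a presented token."""
    if not introspection.get("active"):
        return False
    if introspection.get("client_id") != expected_client:
        return False
    return required_scope in introspection.get("scope", "").split()


def demo(now: int = 1661067458):
    """Replay the page's flow offline: mint, introspect, authorize, then let the token expire."""
    hydra = FakeHydra({"my-client": {"secret": "my-secret", "scope": "api"}})
    hdrs, body = build_token_request("my-client", "my-secret", "api")
    issued = hydra.token(hdrs, body, now=now)
    ihdrs, ibody = build_introspect_request(issued["access_token"])
    live = hydra.introspect(ibody, now=now + 10)
    expired = hydra.introspect(ibody, now=now + 3600)
    bad_secret = hydra.token(*build_token_request("my-client", "wrong", "api"), now=now)
    return {"issued": issued, "live": live, "expired": expired, "bad_secret": bad_secret}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The part a resource server gets wrong most often is in authorize(): an introspection reply is only trustworthy when "active" is true, the client_id is the one you expect, and the required scope is present. Because RFC 7662 lets an expired or unknown token come back as {"active": false} with no other fields, code that reads client_id or scope with a default before checking "active" fails open. Replace FakeHydra with post_form(PUBLIC_URL + "/oauth2/token", ...) and post_form(ADMIN_URL + "/oauth2/introspect", ...) to run the same messages against the compose stack above.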