At this point hydra is up and running normally.
Starting the login/consent sample site

docker run -d \
  --name ory-hydra-example--consent \
  -p 9020:3000 \
  --network hydraguide \
  -e HYDRA_URL=https://ory-hydra-example--hydra:4444 \
  -e NODE_TLS_REJECT_UNAUTHORIZED=0 \
  oryd/hydra-login-consent-node:v1.0.0-beta.5

As mentioned above, when the XX application requests authorization, the user is first redirected to a unified login page. That page is really a unified user-center application, and it is something we have to develop ourselves.
The hydra project provides an official sample, written in Node.js, that we can use for testing.
Project address: https://github.com/ory/hydra-login-consent-node
The command above starts that login/consent sample site. Note that NODE_TLS_REJECT_UNAUTHORIZED=0 (like the --skip-tls-verify flags further down) switches off certificate verification against hydra's self-signed certificate; that is acceptable for this local walkthrough only.
PS: I have also implemented a complete user-center authorization site with dotnet core; when I have some free time in the next few days I'll tidy it up and open-source it.
Creating the OAuth client

docker run --rm -it \
  -e HYDRA_URL=https://ory-hydra-example--hydra:4444 \
  --network hydraguide \
  oryd/hydra:v1.0.0-beta.5 \
  clients create --skip-tls-verify \
    --id facebook-photo-backup \
    --secret some-secret \
    --grant-types authorization_code,refresh_token,client_credentials,implicit \
    --response-types token,code,id_token \
    --scope openid,offline,photos.read \
    --callbacks :9010/callback

Nothing much to explain here; just pay attention to the callbacks address. This client record is the equivalent of the XX application's details registered inside XX Connect.
Testing the complete hydra OAuth authorization flow

Start an app that requests authorization, as follows:

docker run --rm -it \
  --network hydraguide \
  -p 9010:9010 \
  oryd/hydra:v1.0.0-beta.5 \
  token user --skip-tls-verify \
    --port 9010 \
    --auth-url https://localhost:9000/oauth2/auth \
    --token-url https://ory-hydra-example--hydra:4444/oauth2/token \
    --client-id facebook-photo-backup \
    --client-secret some-secret \
    --scope openid,offline,photos.read

Once it is running, open :9010/ in a browser. You should see roughly this:

Welcome to the example OAuth 2.0 Consumer
This example requests an OAuth 2.0 Access, Refresh, and OpenID Connect ID Token from the OAuth 2.0 Server (ORY Hydra). To initiate the flow, click the "Authorize Application" button.
[Authorize application]

Click Authorize application and you are immediately redirected to the login page.
The login page is the Node.js login page we started above, i.e. :9020/login?login_challenge=XXX
After entering a username and password you are redirected to the consent page, i.e. :9020/consent?consent_challenge=XXXX
Select the scopes to grant and click "Allow"; you are immediately redirected back to the callback address, which displays the access-token details.
Access Token: SwMfFOSHEFpiChmBvRtFLTeaPzCh-TNEXtxTfibgmdw.AgqJrWyn1VlH4FouUucBJSDsmcwOGDI3cHpuy2sDrpI
Refresh Token: 48pXaTrBoXl9JxkweFgQV6frEYPwrkE6BaY8U5mymbo.ZuZe68sqX6wtRTk9k1cKBNPJxQzEBEb0G86tT_WVzCg
Expires in: 2018-08-09 11:46:14.9905228 +0000 UTC m=+3843.912315001
ID Token: eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzo3MzBhZDc4ZC04ODJmLTQzNzItYTRhMi05NTE2NDdlNTk0ZTciLCJ0eXAiOiJKV1QifQ.eyJhdWQiOlsiZmFjZWJvb2stcGhvdG8tYmFja3VwIl0sImF1dGhfdGltZSI6MTUzMzgxMTUyMSwiZXhwIjoxNTMzODE1MTc1LCJpYXQiOjE1MzM4MTE1NzUsImlzcyI6Imh0dHBzOi8vbG9jYWxob3N0OjkwMDAvIiwianRpIjoiOGFkMWE2ZTYtZWY3NC00MTM2LThmODUtMGU0N2FhYWYxZjY1Iiwibm9uY2UiOiJkcXBrcXlkaG1iZXZhdXNtYXJzdWxjcW0iLCJyYXQiOjE1MzM4MTE0MTMsInN1YiI6ImZvb0BiYXIuY29tIn0.euqVspiSeYvMonrwHSPxhfXaCOoYtfP5S5_dJLg6zeQ-Kw6rRJfQRh2ddMiaZBOHdRrQLGHouNSd5SCWP4DgKjr6eA4YKmiTNvDKt0ktIBfTROs5HKOIp9NHLSCL636m10lEVAGJEnL2jwVn5JeNjYmn4nRqOqPBfAxmqFYu-RuHk3HP4w9cKAK2tUBvwUkjH7PBkZ4MZI3AgvK985iPxZWkiyJAn4QPSAidenlQqQJXc7kpYpvP6wauk-nWxid6p0GRL1MozEV1Kok6Nqiw5BtEhuuC3Saijezr-G7Va6SwgTe731huzM6xRH_ovh2x4gayQu-qFX6bT8gjvLh6otQbqEa11nNc0gXIauKds2FF8mD65k9-tnFvbs3T7fJS6wu3LOm9VAtCB78CiTH92E7sbGXaQRC9nsB6LCCteoBPYa8e-dYZxXZHPdWP9tDNc3t2Zr1Lg5bljpWXmFcLllO6gSTqhKiT0otQaQgLDm9GvSeobEaCYRmgk50FdGz4z4Sngek6JJBWHNDo16zuJMScLxIdUfhK9LtLpIsL7w7F01GRMkcriowloRM85qO3V-Dq6REY6VzAe3OkT3_0bxsbU_fzFEIbpDcXdq8hchkEq3aAp48dqXb0WE4R7Iwl4JhjDKiQFxP4-Wk5rPqRyRs7rWiDUxS9v29c88pXd6E

Now we can use the Access Token to call the userinfo API and retrieve the user's information.
curl -X GET \
  https://localhost:9000/userinfo \
  -H 'authorization: Bearer SwMfFOSHEFpiChmBvRtFLTeaPzCh-TNEXtxTfibgmdw.AgqJrWyn1VlH4FouUucBJSDsmcwOGDI3cHpuy2sDrpI' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'postman-token: fecb7032-db0a-bb1b-a61b-de22add7e5bc'

The user information comes back as:

{ "sub": "foo@bar.com" }

Why does the user info contain nothing but a sub?
Because the ory-hydra-example--consent implementation does not add any further claims when it accepts the consent request, so hydra has nothing else to return.
How to do that properly I'll cover next time, when I share the dotnet core login-consent implementation.