Ory Hydra 403 With Reverse Proxy
I am trying to get Ory Hydra working in Docker Compose with Nginx. Because of my iterative approach, I had a working system before adding Nginx. In other words, it was working, and now it isn't.
The changes I think could affect this flow are: Nginx, Hydra's hostname, and the oauth2 configuration in my demo application. Also, my setup is based on the Kratos-Hydra integration demo. Of course, Kratos and the UI are now also reachable through Nginx, so that obviously changed too, but I don't think that causes the problem.
Here is what happens when I try to access a secured endpoint in my demo application:
- Redirected to kratos-ui to log in
- Enter details and send the request
- Login succeeds
- Hydra returns 403: You are not allowed to perform this action.
Nginx:
# kratos-selfservice-ui-node
server {
    server_name self.localhost;
    proxy_set_header Host self.localhost;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        proxy_pass http://self:3000;
    }
}
# kratos
server {
    server_name login.localhost;
    #proxy_set_header Host ...;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        proxy_pass http://kratos:4433;
    }
}
#hydra
server {
    server_name oidc.localhost;
    #proxy_set_header Host 127.0.0.1:4444;
    #proxy_set_header Host oidc.localhost;
    #proxy_set_header X-Real-IP $remote_addr;
    #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        proxy_pass http://hydra:4444;
    }
}
Request:
GET /oauth2/auth?client_id=auth-code-client&login_verifier=8b5f6d3f964c4470ab2e42fac90ae1c2&nonce=XTr2FJETXFsr6kxw3SlZsbh7rbQ_RMw8SdK3MeMCAs0&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin%2Foauth2%2Fcode%2Fhydra&response_type=code&scope=openid+profile&state=4OSX7C_A84-u-6MlUZOlzjAAXiBYIzbKGfGwcAp1n1M%3D HTTP/1.1
Host: hydra:4444
User-Agent: <stuff>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://self.localhost/
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Hydra entry in docker-compose:
# OIDC Server
# Configured to use Kratos for identities
hydra:
  image: oryd/hydra:v1.6.0-alpine
  container_name: hydra
  depends_on:
    - hydra-migrate
  #ports:
  #  - 4444:4444 # Public port
  #  - 4445:4445 # Admin port
  #  - 5555:5555 # Port for hydra token user
  command:
    serve all --dangerous-force-http
  volumes:
    - type: bind
      source: ./config/hydra
      target: /home/ory
  environment:
    - DSN=postgres://pguser:secret@postgres:5432/hydra?sslmode=disable
    - OIDC_SUBJECT_IDENTIFIERS_SUPPORTED_TYPES=public,pairwise
    - LOG_LEAK_SENSITIVE_VALUES=true
    ##- URLS_SELF_ISSUER=http://127.0.0.1:4444
    ##- URLS_SELF_PUBLIC=http://127.0.0.1:4444
    #- URLS_SELF_ISSUER=http://hydra:4444
    #- URLS_SELF_PUBLIC=http://hydra:4444
    - URLS_SELF_ISSUER=http://oidc.localhost
    - URLS_SELF_PUBLIC=http://oidc.localhost
    - URLS_CONSENT=http://self.localhost/auth/hydra/consent
    - URLS_LOGIN=http://self.localhost/auth/hydra/login
    - URLS_LOGOUT=http://self.localhost/logout
    - SECRETS_SYSTEM=youReallyNeedToChangeThis
    - OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT=youReallyNeedToChangeThis
    - OAUTH2_EXPOSE_INTERNAL_ERRORS=true
    - OAUTH2_INCLUDE_LEGACY_ERROR_FIELDS=true
  restart: on-failure
  networks:
    - <ory>
Spring Boot application configuration:
spring:
  security:
    oauth2:
      client:
        registration:
          hydra:
            client-name: Demo OIDC Client with Spring Boot :D
            client-id: auth-code-client
            client-secret: secret
        provider:
          hydra:
            issuer-uri: http://oidc.localhost/
This is the client I created:
docker exec hydra \
  hydra clients create \
    --endpoint http://127.0.0.1:4445 \
    --id auth-code-client \
    --secret secret \
    --grant-types authorization_code,refresh_token \
    --response-types code,id_token \
    --scope openid,profile \
    --callbacks http://localhost:8080/login/oauth2/code/hydra
What I added to /etc/hosts:
# Dev stuff
127.0.0.1 self.localhost
127.0.0.1 login.localhost
127.0.0.1 oidc.localhost
127.0.0.1 oidc-demo.localhost
127.0.0.1 hello.localhost
Hydra logs:
< THIS IS FROM THE INITIAL REQUEST TO THE KRATOS UI >
time=2022-01-24T12:49:00Z level=info msg=started handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate accept-language:en-US,en;q=0.5 cache-control:no-cache user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0] host:127.0.0.1:4444 method:GET path:/oauth2/auth query:response_type=code&client_id=auth-code-client&state=-__end_skoEpW7KSAfzng1yZyOdJoF2-Cfzls-dccD4%3D&redirect_uri=http://localhost:8080/login/oauth2/code/hydra remote:192.168.16.11:43608 scheme:http]
time=2022-01-24T12:49:00Z level=info msg=access allowed audience=audit http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate accept-language:en-US,en;q=0.5 cache-control:no-cache user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0] host:127.0.0.1:4444 method:GET path:/oauth2/auth query:response_type=code&client_id=auth-code-client&state=-__end_skoEpW7KSAfzng1yZyOdJoF2-Cfzls-dccD4%3D&redirect_uri=http://localhost:8080/login/oauth2/code/hydra remote:192.168.16.11:43608 scheme:http] service_name=ORY Hydra service_version=v1.6.0
time=2022-01-24T12:49:00Z level=info msg=completed handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate accept-language:en-US,en;q=0.5 cache-control:no-cache user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0] host:127.0.0.1:4444 method:GET path:/oauth2/auth query:response_type=code&client_id=auth-code-client&state=-__end_skoEpW7KSAfzng1yZyOdJoF2-Cfzls-dccD4%3D&redirect_uri=http://localhost:8080/login/oauth2/code/hydra remote:192.168.16.11:43608 scheme:http] http_response=map[status:302 text_status:Found took:15.9869ms]
time=2022-01-24T12:49:00Z level=info msg=started handling request http_request=map[headers:map[accept:application/json] host:hydra:4445 method:GET path:/oauth2/auth/requests/login query:login_challenge=3a6891edb669434f821a0d5413519bfe remote:192.168.16.2:54218 scheme:http]
time=2022-01-24T12:49:00Z level=info msg=completed handling request http_request=map[headers:map[accept:application/json] host:hydra:4445 method:GET path:/oauth2/auth/requests/login query:login_challenge=3a6891edb669434f821a0d5413519bfe remote:192.168.16.2:54218 scheme:http] http_response=map[status:200 text_status:OK took:3.034ms]
< THIS IS AFTER LOGIN >
time=2022-01-24T12:49:59Z level=info msg=started handling request http_request=map[headers:map[accept:application/json] host:hydra:4445 method:GET path:/oauth2/auth/requests/login query:login_challenge=3a6891edb669434f821a0d5413519bfe remote:192.168.16.2:54292 scheme:http]
time=2022-01-24T12:49:59Z level=info msg=completed handling request http_request=map[headers:map[accept:application/json] host:hydra:4445 method:GET path:/oauth2/auth/requests/login query:login_challenge=3a6891edb669434f821a0d5413519bfe remote:192.168.16.2:54292 scheme:http] http_response=map[status:200 text_status:OK took:3.7631ms]
time=2022-01-24T12:49:59Z level=info msg=started handling request http_request=map[headers:map[accept:application/json] host:hydra:4445 method:PUT path:/oauth2/auth/requests/login/accept query:login_challenge=3a6891edb669434f821a0d5413519bfe remote:192.168.16.2:54296 scheme:http]
time=2022-01-24T12:49:59Z level=info msg=completed handling request http_request=map[headers:map[accept:application/json] host:hydra:4445 method:PUT path:/oauth2/auth/requests/login/accept query:login_challenge=3a6891edb669434f821a0d5413519bfe remote:192.168.16.2:54296 scheme:http] http_response=map[status:200 text_status:OK took:8.8812ms]
time=2022-01-24T12:49:59Z level=info msg=started handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate accept-language:en-US,en;q=0.5 cache-control:no-cache referer:http://self.localhost/ user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0] host:127.0.0.1:4444 method:GET path:/oauth2/auth query:client_id=auth-code-client&login_verifier=fedb596a040648b8b626e0f7e4f3f04a&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin%2Foauth2%2Fcode%2Fhydra&response_type=code&state=-__end_skoEpW7KSAfzng1yZyOdJoF2-Cfzls-dccD4%3D remote:192.168.16.11:43694 scheme:http]
time=2022-01-24T12:49:59Z level=info msg=access denied audience=audit error=map[message:request_forbidden reason:You are not allowed to perform this action. status:Forbidden status_code:403] http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate accept-language:en-US,en;q=0.5 cache-control:no-cache referer:http://self.localhost/ user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0] host:127.0.0.1:4444 method:GET path:/oauth2/auth query:client_id=auth-code-client&login_verifier=fedb596a040648b8b626e0f7e4f3f04a&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin%2Foauth2%2Fcode%2Fhydra&response_type=code&state=-__end_skoEpW7KSAfzng1yZyOdJoF2-Cfzls-dccD4%3D remote:192.168.16.11:43694 scheme:http] service_name=ORY Hydra service_version=v1.6.0
time=2022-01-24T12:49:59Z level=info msg=completed handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate accept-language:en-US,en;q=0.5 cache-control:no-cache referer:http://self.localhost/ user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0] host:127.0.0.1:4444 method:GET path:/oauth2/auth query:client_id=auth-code-client&login_verifier=fedb596a040648b8b626e0f7e4f3f04a&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin%2Foauth2%2Fcode%2Fhydra&response_type=code&state=-__end_skoEpW7KSAfzng1yZyOdJoF2-Cfzls-dccD4%3D remote:192.168.16.11:43694 scheme:http] http_response=map[status:302 text_status:Found took:8.6448ms]
Update
While trying everything before posting this question to whosebug.com, I went back to an older git commit.
Bad news: it no longer works. I checked out the official kratos-hydra integration and built it ($ git status -> On branch hydra-integration \n Your branch is up to date with 'origin/hydra-integration'.), and I performed the required steps, and now I get:
$ docker exec hydra_hydra_1 \
  hydra token user \
    --client-id auth-code-client \
    --client-secret secret \
    --endpoint http://127.0.0.1:4444/ \
    --port 5555 \
    --scope openid,offline
Config file not found because "Config File ".hydra" Not Found in "[/home/ory]""
Setting up home route on http://127.0.0.1:5555/
Setting up callback listener on http://127.0.0.1:5555/callback
Press ctrl + c on Linux / Windows or cmd + c on OSX to end the process.
If your browser does not open automatically, navigate to:
http://127.0.0.1:5555/
< then I navigate to 127.0.0.1:5555, click on authorize application, I have to enter log in details, and then I get redirected to an error page >
Got error: The request is not allowed
http: Server closed
The browser doesn't add much information:
An error occurred
request_forbidden
The request is not allowed
You are not allowed to perform this action.
I tried deleting all containers, images, volumes and networks, and browser cookies, using a different browser, restarting docker, and restarting my computer. Same problem.
Strangely, the application always asks me to log in, even though I am already logged in when I manually go to the UI url. I recall that if I was already logged in, it would not ask me to log in again?
Update
For some reason I was on the hydra-integration branch rather than hydra-integration-2021, which is why going back to basics didn't work. That was my mistake.
The actual project is not working, but after re-evaluating the work required and the benefits/drawbacks/requirements, I decided to switch from Kratos to werther.
To stay sane with this, I would first update to good internal and external URLs. The crux of the problem is that you need to configure Ory Hydra (running inside the cluster) with the internet URL used by browsers etc., which will be different from Ory Hydra's physical URL.
Similar security example
This feels similar to your setup - worth spending a little time understanding the resources:
See the base-url property at the top of the third link above, which is what internet clients such as browsers use to connect to the authorization server. Hydra will have a property like this that can be set.
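As an added example (not from the question, the answer, or Ory's own code), here is a small Python check for the internal/external URL split the answer describes. It parses Hydra log lines in the format shown above and flags public-endpoint requests whose scheme and host differ from URLS_SELF_PUBLIC, and applies the same comparison to the Host header of a captured browser request; the sample log lines, environment entries and request are constructed from the values in the question, and treating paths under /oauth2/auth/requests as internal admin-API calls is an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, abbreviated from the Hydra log lines in the question.
SAMPLE_LOG = """\
time=2022-01-24T12:49:00Z level=info msg=started handling request http_request=map[headers:map[accept:text/html] host:127.0.0.1:4444 method:GET path:/oauth2/auth query:response_type=code&client_id=auth-code-client remote:192.168.16.11:43608 scheme:http]
time=2022-01-24T12:49:00Z level=info msg=started handling request http_request=map[headers:map[accept:application/json] host:hydra:4445 method:GET path:/oauth2/auth/requests/login query:login_challenge=3a6891edb669434f821a0d5413519bfe remote:192.168.16.2:54218 scheme:http]
time=2022-01-24T12:49:59Z level=info msg=access denied audience=audit error=map[message:request_forbidden status_code:403] http_request=map[headers:map[accept:text/html] host:127.0.0.1:4444 method:GET path:/oauth2/auth query:client_id=auth-code-client&login_verifier=fedb596a040648b8b626e0f7e4f3f04a remote:192.168.16.11:43694 scheme:http]
time=2022-01-24T12:50:10Z level=info msg=started handling request http_request=map[headers:map[accept:text/html] host:oidc.localhost method:GET path:/oauth2/auth query:response_type=code remote:192.168.16.11:43700 scheme:http]
"""

# Constructed: the URL entries from the compose environment in the question.
SAMPLE_ENV = [
    "URLS_SELF_ISSUER=http://oidc.localhost",
    "URLS_SELF_PUBLIC=http://oidc.localhost",
]

# Constructed: the browser request pasted in the question, trimmed to the relevant headers.
SAMPLE_REQUEST = """\
GET /oauth2/auth?client_id=auth-code-client&response_type=code HTTP/1.1
Host: hydra:4444
Referer: http://self.localhost/
"""

# One Hydra log line: message, then host/method/path and scheme inside http_request=map[...].
ENTRY_RE = re.compile(
    r"msg=(?P<msg>.*?) (?:audience|http_request)=.*?"
    r"\bhost:(?P<host>[^\s\]]+) method:(?P<method>\w+) path:(?P<path>[^\s\]]+)"
    r".*?\bscheme:(?P<scheme>\w+)"
)


def public_base(env_lines):
    """Return scheme://host[:port] browsers are expected to use, taken from URLS_SELF_PUBLIC."""
    for line in env_lines:
        key, _, value = line.partition("=")
        if key.strip() == "URLS_SELF_PUBLIC":
            u = urlsplit(value.strip())
            return f"{u.scheme}://{u.netloc}"
    return None


def parse_entry(line):
    """Extract msg, host, method, path and scheme from one log line, or None if it does not match."""
    m = ENTRY_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    # Assumption: /oauth2/auth/requests/* is the admin API (port 4445), reached internally only.
    entry["admin_api"] = entry["path"].startswith("/oauth2/auth/requests")
    entry["denied"] = entry["msg"].startswith("access denied")
    return entry


def find_host_mismatches(log_text, env_lines):
    """Flag public-endpoint requests that reached Hydra under a scheme/host other than URLS_SELF_PUBLIC."""
    public = public_base(env_lines)
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None or entry["admin_api"]:
            continue
        seen = f"{entry['scheme']}://{entry['host']}"
        if seen != public:
            findings.append({"path": entry["path"], "seen": seen, "expected": public, "denied": entry["denied"]})
    return findings


def request_host_ok(raw_request, env_lines):
    """True if the Host header of a captured browser request equals the host part of URLS_SELF_PUBLIC."""
    public = public_base(env_lines)
    if public is None:
        return False
    for line in raw_request.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip() == urlsplit(public).netloc
    return False


if __name__ == "__main__":
    for finding in find_host_mismatches(SAMPLE_LOG, SAMPLE_ENV):
        print(finding)
    print("browser request Host matches public URL:", request_host_ok(SAMPLE_REQUEST, SAMPLE_ENV))
```

Run it against a full Hydra log and the compose environment to see which browser-facing requests arrived under the container address instead of the public one; the 403 line in the question is one of those.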