ORY jwt verification

README.md

@@ -24,6 +24,7 @@ This template provides out of the box some commonly used functionalities:
 * Async tasks execution using [Dramatiq](https://dramatiq.io/index.html)
 * Repository pattern for databases using [SQLAlchemy](https://www.sqlalchemy.org/) and [SQLAlchemy bind manager](https://febus982.github.io/sqlalchemy-bind-manager/stable/)
 * Database migrations using [Alembic](https://alembic.sqlalchemy.org/en/latest/) (configured supporting both sync and async SQLAlchemy engines)
+* Authentication and Identity Provider using [ORY Zero Trust architecture](https://www.ory.sh/docs/kratos/guides/zero-trust-iap-proxy-identity-access-proxy)
 * [TODO] Producer and consumer to emit and consume events using [CloudEvents](https://cloudevents.io/) format on [Confluent Kafka](https://docs.confluent.io/kafka-clients/python/current/overview.html)
 
 ## Documentation

auth_volumes/kratos/.gitignore

@@ -0,0 +1 @@
+db.sqlite

auth_volumes/kratos/identity.schema.json

@@ -0,0 +1,49 @@
+{
+  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Person",
+  "type": "object",
+  "properties": {
+    "traits": {
+      "type": "object",
+      "properties": {
+        "email": {
+          "type": "string",
+          "format": "email",
+          "title": "E-Mail",
+          "minLength": 3,
+          "ory.sh/kratos": {
+            "credentials": {
+              "password": {
+                "identifier": true
+              }
+            },
+            "verification": {
+              "via": "email"
+            },
+            "recovery": {
+              "via": "email"
+            }
+          }
+        },
+        "name": {
+          "type": "object",
+          "properties": {
+            "first": {
+              "title": "First Name",
+              "type": "string"
+            },
+            "last": {
+              "title": "Last Name",
+              "type": "string"
+            }
+          }
+        }
+      },
+      "required": [
+        "email"
+      ],
+      "additionalProperties": false
+    }
+  }
+}

auth_volumes/kratos/kratos.yml

@@ -0,0 +1,120 @@
+serve:
+  public:
+    # This URL has to match the one in oathkeeper rules config
+    # we'll probably want to remove references to ory and kratos
+    base_url: http://127.0.0.1:8080/.ory/kratos/public/
+    # We're proxying the requests through oathkeeper, need CORS
+    cors:
+      enabled: true
+      allowed_origins:
+        - http://127.0.0.1:8080
+      allowed_methods:
+        - POST
+        - GET
+        - PUT
+        - PATCH
+        - DELETE
+      allowed_headers:
+        - Authorization
+        - Cookie
+        - Content-Type
+      exposed_headers:
+        - Content-Type
+        - Set-Cookie
+  admin:
+    # This is the internal URL, we'll be accessing using docker network
+    # mainly to get the JWKS endpoint and do token validation
+    base_url: http://kratos:4434/
+
+selfservice:
+  # URLs are using the Oathkeeper
+  default_browser_return_url: http://127.0.0.1:8080/
+  allowed_return_urls:
+    - http://127.0.0.1:8080
+    - http://localhost:19006/Callback
+    - exp://localhost:8081/--/Callback
+
+  methods:
+    password:
+      enabled: true
+#    totp:
+#      config:
+#        issuer: Kratos
+#      enabled: true
+#    lookup_secret:
+#      enabled: true
+#    link:
+#      enabled: true
+#    code:
+#      enabled: true
+
+  flows:
+    error:
+      ui_url: http://127.0.0.1:8080/error
+
+    settings:
+      ui_url: http://127.0.0.1:8080/settings
+      privileged_session_max_age: 15m
+      required_aal: highest_available
+
+    # If we enable recovery or verification we need also
+    # MailSlurper in the docker-compose file
+    recovery:
+      enabled: false
+      ui_url: http://127.0.0.1:8080/recovery
+      use: code
+    verification:
+      enabled: false
+      ui_url: http://127.0.0.1:8080/verification
+      use: code
+      after:
+        default_browser_return_url: http://127.0.0.1:8080/
+
+    logout:
+      after:
+        default_browser_return_url: http://127.0.0.1:8080/login
+
+    login:
+      ui_url: http://127.0.0.1:8080/login
+      lifespan: 10m
+
+    registration:
+      lifespan: 10m
+      ui_url: http://127.0.0.1:8080/registration
+      after:
+        password:
+          hooks:
+            - hook: session
+#            - hook: show_verification_ui
+
+log:
+  level: info
+  format: text
+  leak_sensitive_values: true
+
+secrets:
+  cookie:
+    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
+  cipher:
+    - 32-LONG-SECRET-NOT-SECURE-AT-ALL
+
+ciphers:
+  algorithm: xchacha20-poly1305
+
+hashers:
+  algorithm: bcrypt
+  bcrypt:
+    cost: 8
+
+identity:
+  default_schema_id: default
+  schemas:
+    - id: default
+      url: file:///etc/config/kratos/identity.schema.json
+
+courier:
+  smtp:
+    connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true
+
+feature_flags:
+  use_continue_with_transitions: true

auth_volumes/oathkeeper/access-rules.yml

@@ -0,0 +1,101 @@
+# Kratos public API for authorized and unauthorized traffic
+- id: "ory:kratos:public"
+  upstream:
+    preserve_host: true
+    url: "http://kratos:4433"
+    strip_path: /.ory/kratos/public
+  match:
+    # This URL has to match serve.public.base_url in kratos config
+    # we'll probably want to remove references to ory and kratos
+    url: "http://127.0.0.1:8080/.ory/kratos/public/<**>"
+    methods:
+      - GET
+      - POST
+      - PUT
+      - DELETE
+      - PATCH
+  authenticators:
+    - handler: noop
+  authorizer:
+    handler: allow
+  mutators:
+    - handler: noop
+
+# UI Access for anonymous traffic (Home page)
+- id: "ory:auth-ui:anonymous"
+  upstream:
+    preserve_host: true
+    url: "http://auth-ui:3000"
+  match:
+    url: "http://127.0.0.1:8080/"
+    methods:
+      - GET
+  authenticators:
+    - handler: anonymous
+  authorizer:
+    handler: allow
+  mutators:
+    - handler: noop
+
+# UI Access for anonymous traffic (Other pages)
+- id: "ory:auth-ui-home:anonymous"
+  upstream:
+    preserve_host: true
+    url: "http://auth-ui:3000"
+  match:
+    url: "http://127.0.0.1:8080/<{registration,welcome,recovery,verification,login,error,health/{alive,ready},**.css,**.js,**.png,**.svg,**.woff*}>"
+    methods:
+      - GET
+  authenticators:
+    - handler: anonymous
+  authorizer:
+    handler: allow
+  mutators:
+    - handler: noop
+
+# UI Access for logged-in only pages
+- id: "ory:kratos-selfservice-ui-node:protected"
+  upstream:
+    preserve_host: true
+    url: "http://auth-ui:3000"
+  match:
+    url: "http://127.0.0.1:8080/<{sessions,settings}>"
+    methods:
+      - GET
+  authenticators:
+    - handler: cookie_session
+  authorizer:
+    handler: allow
+  mutators:
+    - handler: id_token
+  errors:
+    - handler: redirect
+      config:
+        to: http://127.0.0.1:8080/login
+
+# Dev container access to protected /hello endpoint
+- id: "http_app:protected"
+  upstream:
+    preserve_host: true
+    url: "http://dev:8000"
+  match:
+    url: "http://127.0.0.1:8080/hello<{,/,/**}>"
+    methods:
+      - GET
+  authenticators:
+    # Get opaque token from cookie
+    - handler: cookie_session
+
+    # Or from bearer token
+    # Note this is not a secure way to do authentication but
+    # but we can use it for local development (i.e. Postman)
+    # Refer to: https://www.ory.sh/docs/kratos/self-service/flows/user-login#login-for-api-clients-and-clients-without-browsers
+    - handler: bearer_token
+  authorizer:
+    handler: allow
+  mutators:
+    - handler: id_token
+  errors:
+    - handler: redirect
+      config:
+        to: http://127.0.0.1:8080/login

auth_volumes/oathkeeper/id_token.jwks.json

@@ -0,0 +1,18 @@
+{
+  "keys": [
+    {
+      "use": "sig",
+      "kty": "RSA",
+      "kid": "a2aa9739-d753-4a0d-87ee-61f101050277",
+      "alg": "RS256",
+      "n": "zpjSl0ySsdk_YC4ZJYYV-cSznWkzndTo0lyvkYmeBkW60YHuHzXaviHqonY_DjFBdnZC0Vs_QTWmBlZvPzTp4Oni-eOetP-Ce3-B8jkGWpKFOjTLw7uwR3b3jm_mFNiz1dV_utWiweqx62Se0SyYaAXrgStU8-3P2Us7_kz5NnBVL1E7aEP40aB7nytLvPhXau-YhFmUfgykAcov0QrnNY0DH0eTcwL19UysvlKx6Uiu6mnbaFE1qx8X2m2xuLpErfiqj6wLCdCYMWdRTHiVsQMtTzSwuPuXfH7J06GTo3I1cEWN8Mb-RJxlosJA_q7hEd43yYisCO-8szX0lgCasw",
+      "e": "AQAB",
+      "d": "x3dfY_rna1UQTmFToBoMn6Edte47irhkra4VSNPwwaeTTvI-oN2TO51td7vo91_xD1nw-0c5FFGi4V2UfRcudBv9LD1rHt_O8EPUh7QtAUeT3_XXgjx1Xxpqu5goMZpkTyGZ-B6JzOY3L8lvWQ_Qeia1EXpvxC-oTOjJnKZeuwIPlcoNKMRU-mIYOnkRFfnUvrDm7N9UZEp3PfI3vhE9AquP1PEvz5KTUYkubsfmupqqR6FmMUm6ulGT7guhBw9A3vxIYbYGKvXLdBvn68mENrEYxXrwmu6ITMh_y208M5rC-hgEHIAIvMu1aVW6jNgyQTunsGST3UyrSbwjI0K9UQ",
+      "p": "77fDvnfHRFEgyi7mh0c6fAdtMEMJ05W8NwTG_D-cSwfWipfTwJJrroWoRwEgdAg5AWGq-MNUzrubTVXoJdC2T4g1o-VRZkKKYoMvav3CvOIMzCBxBs9I_GAKr5NCSk7maksMqiCTMhmkoZ5RPuMYMY_YzxKNAbjBd9qFLfaVAqs",
+      "q": "3KEmPA2XQkf7dvtpY1Xkp1IfMV_UBdmYk7J6dB5BYqzviQWdEFvWaSATJ_7qV1dw0JDZynOgipp8gvoL-RepfjtArhPz41wB3J2xmBYrBr1sJ-x5eqAvMkQk2bd5KTor44e79TRIkmkFYAIdUQ5JdVXPA13S8WUZfb_bAbwaCBk",
+      "dp": "5uyy32AJkNFKchqeLsE6INMSp0RdSftbtfCfM86fZFQno5lA_qjOnO_avJPkTILDT4ZjqoKYxxJJOEXCffNCPPltGvbE5GrDXsUbP8k2-LgWNeoml7XFjIGEqcCFQoohQ1IK4DTDN6cmRh76C0e_Pbdh15D6TydJEIlsdGuu_kM",
+      "dq": "aegFNYCEojFxeTzX6vIZL2RRSt8oJKK-Be__reu0EUzYMtr5-RdMhev6phFMph54LfXKRc9ZOg9MQ4cJ5klAeDKzKpyzTukkj6U20b2aa8LTvxpZec6YuTVSxxu2Ul71IGRQijTNvVIiXWLGddk409Ub6Q7JqkyQfvdwhpWnnUk",
+      "qi": "P68-EwgcRy9ce_PZ75c909cU7dzCiaGcTX1psJiXmQAFBcG0msWfsyHGbllOZG27pKde78ORGJDYDNk1FqTwsogZyCP87EiBmOoqXWnMvKYfJ1DOx7x42LMAGwMD3bgQj9jgRACxFJG4n3NI6uFlFruyl_CLQzwW_rQFHshLK7Q"
+    }
+  ]
+}