EExcel 丞燕快速查詢2

EExcel 丞燕快速查詢2 https://sandk.ffbizs.com/

nightwatch OpenID Hydra Windows

Windows

Update chrome v75



> mkdir t
> cd t
> mkdir tests

> npm install nightwatch  --save-dev
> npm install chromedriver --save-dev

> nano nightwatch.js
require('nightwatch/bin/runner.js');

> nano nightwatch.conf.js
const chrome = require('chromedriver')

module.exports = {
  src_folders: ['tests'],
  webdriver: {
    start_process: true,
    server_path: chrome.path,
    port: 9515,
  },
  test_settings: {
    default: {
      desiredCapabilities: {
        browserName: 'chrome',
      },
    },
  },
}

> nano tests/test.js
module.exports = {
  'step one: navigate to google' : function (browser) {
    for (var i = 0; i < 10; i += 1) {
      browser
        .url('https://t.tt:9010')
        .waitForElementVisible('body', 1000)
        .click('a')
        .waitForElementVisible('input[type=email]')
        .setValue('input[type=email]', 'foo@bar.com')
        .setValue('input[type=password]', 'foobar')
        .click('input[type=submit]', function(result) {
          this.assert.strictEqual(result.status, 0);
        })
        .waitForElementVisible('input[type=checkbox]')
        .click('input[id=openid]')
        .click('input[id=offline]')
        .click('input[id=accept]', function(result) {
          this.assert.strictEqual(result.status, 0);
        })
    }
  },
};

> node nightwatch.js tests/test.js

OpenID Hydra session data doesn't show in userinfo or introspect

If you run every step through the consent website (the official login & consent app), the session part of routes/consent.js must be uncommented; then you will surely get the session data.





@token= xLPcJ3tobDqGUDxIVTxWt2p7w_odZSV22IAlUf5QPZU.YD6R_xKQ2ldCLbEV7mmc01E6ZLzemzdEC5H4-otTMPg

### userinfo
GET https://openid.hydra:9001/userinfo
Authorization: Bearer {{token}}

### introspect
POST https://openid.hydra:9002/oauth2/introspect
Content-Type: application/x-www-form-urlencoded

token={{token}}
&scope=openid+photos.read

PS: the &scope=openid+photos.read line can be removed.

But if you run the flow with REST Client instead, this needs a fix: put the session data in the accept-consent request yourself.



### accept consent scope
PUT https://192.168.99.100:9002/oauth2/auth/requests/consent/accept?consent_challenge={{consent_challenge}}
Content-Type: application/json

{
  "grant_scope": ["openid", "photos.read"],
  "session": {
    "access_token": { "foo": "bar" },
    "id_token": { "baz": "bar" }
  }
}

I tried and read many documents but can't find the real reason. The official website has no discussion of this.



OpenID hydra

https://www.ory.sh/docs/next/hydra/oauth2#oauth-20-scope

A OAuth 2.0 Scope is not a permission:

A permission allows an actor to perform a certain action in a system: Bob is allowed to delete his own photos.
OAuth 2.0 Scope implies that an end-user granted certain privileges to a client: Bob allowed the OAuth 2.0 Client to delete all users.
The OAuth 2.0 Scope can be granted without the end-user actually having the right permissions. In the examples above, Bob granted an OAuth 2.0 Client the permission ("scope") to delete all users in his name. However, since Bob is not an administrator, that permission ("access control") is not actually granted to Bob. Therefore any request by the OAuth 2.0 Client that tries to delete users on behalf of Bob should fail.


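I can grant an application the "read, delete" scope, but whether that application can actually read or delete the data, or really holds the "read, delete" permission, is not guaranteed.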
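The scope-versus-permission distinction above, as an added example (not from the Ory documentation or this blog's own code): a resource server checks the scope reported by token introspection and, separately, the subject's own permission. The ACL, action names, scope names and sample introspection responses are constructed for illustration.

```javascript
// Added example: scope and permission as two separate gates.
// All names and data below are constructed for illustration.

// What each subject (end-user) is allowed to do in this system.
const ACL = new Map([
  ['bob@example.com', new Set(['photos.delete:own'])],
  ['admin@example.com', new Set(['photos.delete:own', 'users.delete'])],
]);

// API action -> scope the client must hold + permission the subject must hold.
const ACTIONS = new Map([
  ['deleteOwnPhoto', { scope: 'photos.delete', permission: 'photos.delete:own' }],
  ['deleteUser', { scope: 'users.delete', permission: 'users.delete' }],
]);

// introspection: JSON body from the introspect endpoint (RFC 7662 fields
// active, sub, and scope as a space-separated string).
function authorize(introspection, actionName) {
  const action = ACTIONS.get(actionName);
  if (!action) return { allowed: false, reason: 'unknown_action' };
  if (!introspection || introspection.active !== true) {
    return { allowed: false, reason: 'inactive_token' };
  }
  // Gate 1: did the end-user grant this scope to the client?
  const granted = new Set(String(introspection.scope || '').split(' ').filter(Boolean));
  if (!granted.has(action.scope)) {
    return { allowed: false, reason: 'scope_not_granted' };
  }
  // Gate 2: does the end-user actually hold the permission?
  const perms = ACL.get(introspection.sub);
  if (!perms || !perms.has(action.permission)) {
    return { allowed: false, reason: 'subject_lacks_permission' };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed introspection responses.
const bobToken = { active: true, sub: 'bob@example.com', scope: 'openid photos.delete users.delete' };
const adminToken = { active: true, sub: 'admin@example.com', scope: 'openid photos.delete' };
const revokedToken = { active: false };

console.log(authorize(bobToken, 'deleteUser'));      // Bob granted the scope but is not an admin
console.log(authorize(bobToken, 'deleteOwnPhoto'));  // both gates pass
console.log(authorize(adminToken, 'deleteUser'));    // admin never granted users.delete to this client
console.log(authorize(revokedToken, 'deleteUser'));  // inactive token is rejected first
```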

OpenID hydra context data save

hydra login consent node
https://github.com/ory/hydra-login-consent-node

When login succeeds, the context data is saved.
You can check it by subject with
GET https://openid.hydra:9002/oauth2/auth/sessions/consent?subject=foo@bar.com HTTP/1.1

routes/login.js



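hydra.acceptLoginRequest(challenge, {
    // Extra data attached when accepting the login request; Hydra saves it.
    context: {
      "test1": "test1",
      "test2": { "test2i": "test2i"}
    },
    // ... the remaining options and the rest of the call in routes/login.js are unchanged
})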

The database keeps the context

The table hydra_oauth2_consent_request stores the context data. The database here is PostgreSQL (pg).



===== PostgreSQL commands =====

1. Log in to the PostgreSQL (pg) Docker container.

2. Connect to the database:

psql hydra -U hydra

# after logging in to pg (already at the db prompt)
\dt;
select * from hydra_oauth2_consent_request;


=============== userinfo ===============

GET https://openid.hydra:9001/userinfo
Authorization: Bearer pFmYrUWtkGswx6RjvsGfgUAl4gV88id90P7hVLHUfQ4.AhbkWRawXV35S_V6Nq-Hf3DlBZ8Dl622sB4M3dg_hNQ

{
  "sid": "891db392-859c-49d9-958c-83135f6986ee",
  "sub": "foo@bar.com"
}

The sid can be checked by looking up the sub:

GET https://openid.hydra:9002/oauth2/auth/sessions/consent?subject=foo@bar.com HTTP/1.1