refactor: Clean up

This commit includes a bunch of changes:
- Specify 8443 port
- Automatically create the Hydra client if no client_id is provided
- Do not start server in go code
- Clean up messages
- Set log level for login UI to info

hack/flow-test/go.mod

@@ -5,13 +5,21 @@ go 1.21.1
 require (
 	github.com/go-chi/chi/v5 v5.0.10
 	github.com/kelseyhightower/envconfig v1.4.0
+	github.com/ory/hydra-client-go/v2 v2.1.1
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1
 	go.uber.org/zap v1.26.0
 	golang.org/x/oauth2 v0.15.0
 )
 
 require (
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-logr/logr v1.3.0 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
+	go.opentelemetry.io/otel v1.21.0 // indirect
+	go.opentelemetry.io/otel/metric v1.21.0 // indirect
+	go.opentelemetry.io/otel/trace v1.21.0 // indirect
 	go.uber.org/multierr v1.10.0 // indirect
 	golang.org/x/net v0.19.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect

hack/flow-test/go.sum

@@ -1,22 +1,39 @@
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
 github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
+github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dvMUtDTo2cv8=
 github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg=
+github.com/ory/hydra-client-go/v2 v2.1.1 h1:3JatU9uFbw5XhF3lgPCas1l1Kok2v5Mq1p26zZwGHNg=
+github.com/ory/hydra-client-go/v2 v2.1.1/go.mod h1:IiIwChp/9wRvPoyFQblqPvg78uVishCCrV9+/M7Pl34=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e h1:MRM5ITcdelLK2j1vwZ3Je0FKVCfqOLp5zO6trqMLYs0=
 github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e/go.mod h1:XV66xRDqSt+GTGFMVlhk3ULuV0y9ZmzeVGR4mloJI3M=
-github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 h1:aFJWCqJMNjENlcleuuOkGAPH82y0yULBScfXcIEdS24=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1/go.mod h1:sEGXWArGqc3tVa+ekntsN65DmVbVeW+7lTKTjZF3/Fo=
+go.opentelemetry.io/otel v1.21.0 h1:hzLeKBZEL7Okw2mGzZ0cc4k/A7Fta0uoPgaJCr8fsFc=
+go.opentelemetry.io/otel v1.21.0/go.mod h1:QZzNPQPm1zLX4gZK4cMi+71eaorMSGT3A4znnUvNNEo=
+go.opentelemetry.io/otel/metric v1.21.0 h1:tlYWfeo+Bocx5kLEloTjbcDwBuELRrIFxwdQ36PlJu4=
+go.opentelemetry.io/otel/metric v1.21.0/go.mod h1:o1p3CA8nNHW8j5yuQLdc1eeqEaPfzug24uvsyIEJRWM=
+go.opentelemetry.io/otel/trace v1.21.0 h1:WD9i5gzvoUPuXIXH24ZNBudiarZDKuekPqi/E8fpfLc=
+go.opentelemetry.io/otel/trace v1.21.0/go.mod h1:LGbsEB0f9LGjN+OZaQQ26sohbOmiMR+BaslueVtS/qQ=
 go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk=
 go.uber.org/goleak v1.2.0/go.mod h1:XJYK+MuIchqpmGmUSAzotztawfKvYLUIgg7guXrwVUo=
 go.uber.org/multierr v1.10.0 h1:S0h4aNzvfcFsC3dRF1jLoaov7oRaKqRGC/pUEJ2yvPQ=

hack/flow-test/main.go

@@ -9,9 +9,10 @@ import (
 	"syscall"
 	"time"
 
-	chi "github.com/go-chi/chi/v5"
 	"github.com/kelseyhightower/envconfig"
+	client "github.com/ory/hydra-client-go/v2"
 	qrcode "github.com/skip2/go-qrcode"
+	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
 	"go.uber.org/zap"
 	oauth2 "golang.org/x/oauth2"
 	"golang.org/x/oauth2/github"
@@ -160,28 +161,38 @@ type EnvSpec struct {
 	AuthURL           string       `envconfig:"auth_url" default:"http://localhost:4444/oauth2/auth"`
 	TokenURL          string       `envconfig:"token_url" default:"http://localhost:4444/oauth2/token"`
 	DeviceAuthURL     string       `envconfig:"device_auth_url" default:"http://localhost:4444/oauth2/device/auth"`
+	HydraAdminApiURL  string       `envconfig:"hydra_admin_api_url" default:"http://localhost:4445"`
 }
 
-func router(logger *zap.SugaredLogger) *chi.Mux {
-	router := chi.NewMux()
-
-	router.Get(
-		"/api/ready",
-		func(w http.ResponseWriter, r *http.Request) {
-			logger.Infof("query params: %v", r.URL.Query())
-			w.WriteHeader(http.StatusOK)
+func registerHydraClient(hydraAdminUrl string) string {
+	configuration := client.NewConfiguration()
+	configuration.Servers = []client.ServerConfiguration{
+		{
+			URL: hydraAdminUrl,
 		},
-	)
+	}
+
+	configuration.HTTPClient = &http.Client{Transport: otelhttp.NewTransport(http.DefaultTransport)}
 
-	return router
+	c := client.NewAPIClient(configuration)
+
+	oauthClient := client.NewOAuth2Client()
+	oauthClient.SetGrantTypes([]string{"authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:device_code"})
+	oauthClient.SetScope("openid profile offline email")
+	oauthClient.SetTokenEndpointAuthMethod("none")
+
+	cc, _, err := c.OAuth2Api.CreateOAuth2Client(context.Background()).OAuth2Client(*oauthClient).Execute()
+	if err != nil {
+		panic("Failed to create oauth2 client " + err.Error())
+	}
+	return *cc.ClientId
 }
 
 func deviceFlow(specs *EnvSpec, logger *zap.SugaredLogger) {
 	config := new(oauth2.Config)
 	config.ClientID = specs.OAuthClientID
 	config.ClientSecret = specs.OAuthClientSecret
 	config.Scopes = specs.Scopes
-	// config.RedirectURL = specs.CallbackURI
 
 	switch specs.Provider {
 	case Github:
@@ -236,13 +247,12 @@ and then swap the client-id in the flow-test-hydra configmap
 bounce the flow-test pod to pick up the changes
 ############################################################
 please enter code %s at %s
-or use following command: http --verify=/usr/local/share/ca-certificates/ca.crt %s user_code==%s --follow
+or go to %s
 ############################################################
 	`,
 			response.UserCode,
 			response.VerificationURI,
-			response.VerificationURI,
-			response.UserCode,
+			response.VerificationURIComplete,
 		)
 		if qr, err := qrcode.New(response.VerificationURIComplete, qrcode.Low); err == nil {
 			logger.Infof("############################################################")
@@ -254,11 +264,15 @@ or use following command: http --verify=/usr/local/share/ca-certificates/ca.crt
 		if err != nil {
 			logger.Warn(err, token)
 		} else {
-			logger.Infof("Succeeded, Token: %v", token)
+			logger.Infof("You are logged in")
+			logger.Infof("Access Token: %s", token.AccessToken)
+			logger.Infof("Refresh Token: %s", token.RefreshToken)
+			logger.Infof("ID Token: %s", token.Extra("id_token"))
 		}
 
 		logger.Info("device flow done...one way or the other")
 		logger.Infof("############################################################")
+		break
 	}
 }
 
@@ -278,20 +292,10 @@ func main() {
 		panic(fmt.Errorf("issues with environment sourcing: %s", err))
 	}
 
-	srv := &http.Server{
-		Addr:         fmt.Sprintf("0.0.0.0:%v", 9000),
-		WriteTimeout: time.Second * 15,
-		ReadTimeout:  time.Second * 15,
-		IdleTimeout:  time.Second * 60,
-		Handler:      router(logger),
+	if specs.OAuthClientID == "" {
+		specs.OAuthClientID = registerHydraClient(specs.HydraAdminApiURL)
 	}
 
-	go func() {
-		if err := srv.ListenAndServe(); err != nil {
-			logger.Fatal(err)
-		}
-	}()
-
 	go deviceFlow(specs, logger)
 
 	c := make(chan os.Signal, 1)
@@ -300,13 +304,6 @@ func main() {
 	// Block until we receive our signal.
 	<-c
 
-	// Create a deadline to wait for.
-	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
-	defer cancel()
-	// Doesn't block if no connections, but will otherwise wait
-	// until the timeout deadline.
-	srv.Shutdown(ctx)
-
 	logger.Desugar().Sync()
 
 	// Optionally, you could run srv.Shutdown in a goroutine and block on

hack/helm/hydra.yaml

@@ -10,27 +10,27 @@ hydra:
     dsn: "postgres://iam:[email protected]/hydra?sslmode=disable&max_conn_lifetime=10s"
     # dsn: memory
     secrets:
-      system: 
+      system:
         - SUFNUGxhdGZvcm0K
     webfinger:
       jwks:
         broadcast_keys:
           - hydra.openid.id-token
       oidc_discovery:
-        jwks_url: https://iam.internal/.well-known/jwks.json
-        auth_url: https://iam.internal/oauth2/auth
-        token_url: https://iam.internal/oauth2/token
-        device_authorization_url: https://iam.internal/oauth2/device/auth
+        jwks_url: https://iam.internal:8443/.well-known/jwks.json
+        auth_url: https://iam.internal:8443/oauth2/auth
+        token_url: https://iam.internal:8443/oauth2/token
+        device_authorization_url: https://iam.internal:8443/oauth2/device/auth
     urls:
       self:
-        issuer: https://iam.internal/
-        public: https://iam.internal/  
-      login: https://iam.internal/ui/login
-      consent: https://iam.internal/ui/consent
-      # device: http://iam.internal/admin/oauth2/auth/requests/device/verify
-      device: https://iam.internal/ui/device
-      post_device_done: https://iam.internal/api/v0/status
-      error: https://iam.internal//ui/oidc_error
+        issuer: https://iam.internal:8443/
+        public: https://iam.internal:8443/
+      login: https://iam.internal:8443/ui/login
+      consent: https://iam.internal:8443/ui/consent
+      # device: http://iam.internal:8443/admin/oauth2/auth/requests/device/verify
+      device: https://iam.internal:8443/ui/device
+      post_device_done: https://iam.internal:8443/api/v0/status
+      error: https://iam.internal:8443//ui/oidc_error
     ttl:
       # configures how long a user login and consent flow may take. Defaults to 1h.
       login_consent_request: 1h

hack/helm/kratos.yaml

@@ -7,7 +7,7 @@ kratos:
         leak_sensitive_values: true
     serve:
       public:
-        base_url: https://iam.internal
+        base_url: https://iam.internal:8443
         cors:
           enabled: true
       admin:
@@ -30,19 +30,19 @@ kratos:
       url: http://hydra-admin.default.svc.cluster.local:4445
     selfservice:
       allowed_return_urls:
-        - https://iam.internal
+        - https://iam.internal:8443
       default_browser_return_url:
-          https://iam.internal
+          https://iam.internal:8443
       flows:
           error:
-              ui_url: https://iam.internal/ui/error
+              ui_url: https://iam.internal:8443/ui/error
           login:
-              ui_url: https://iam.internal/ui/login
+              ui_url: https://iam.internal:8443/ui/login
           registration:
               after:
                   oidc:
                       hooks:
-                      - hook: session 
+                      - hook: session
       methods:
           password:
               enabled: False

hack/kubectl/flow-test.yaml

@@ -59,9 +59,10 @@ kind: ConfigMap
 metadata:
   name: flow-test-hydra
 data:
+  HYDRA_ADMIN_API_URL: http://hydra-admin.default.svc.cluster.local:4445
   CALLBACK_URI: http://flow-test.default.svc.cluster.local/api/ready
   # OAUTH_CLIENT_SECRET: KOVbs8SDizELCUQhFEDLYPA4zN
-  OAUTH_CLIENT_ID: 27d0bf29-c653-4893-acf7-443b3df0dce2
+  OAUTH_CLIENT_ID:
   SCOPES: openid,offline,email,profile
   PROVIDER: "0" # hydra
   AUTH_URL: http://hydra-public.default.svc.cluster.local:4444/oauth2/auth

hack/kubectl/iam.yaml

@@ -44,12 +44,11 @@ metadata:
   name: iam
 data:
   TRACING_ENABLED: "false"
-  BASE_URL: https://iam.internal
+  BASE_URL: https://iam.internal:8443
   KRATOS_PUBLIC_URL: http://kratos-public.default.svc.cluster.local
   HYDRA_ADMIN_URL: http://hydra-admin.default.svc.cluster.local:4445
   PORT: "8000"
-  LOG_LEVEL: "debug"
-  DEBUG: "true"
+  LOG_LEVEL: "info"
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress

skaffold.yaml

@@ -68,7 +68,7 @@ profiles:
             repo: https://charts.jetstack.io
             remoteChart: cert-manager
             setValues:
-              installCRDs: true 
+              installCRDs: true
           - name: contour
             remoteChart: oci://registry-1.docker.io/bitnamicharts/contour