{"id":29019187,"url":"https://github.com/nemirlev/auth-service-example","last_synced_at":"2026-05-09T06:32:28.989Z","repository":{"id":301253190,"uuid":"1008652589","full_name":"nemirlev/auth-service-example","owner":"nemirlev","description":"Complete authentication \u0026 authorization example for microservices using Ory Hydra, Ory Kratos, Apache APISIX and Go. Demonstrates JWT vs opaque tokens, OAuth2 flows, and fine-grained permissions.","archived":false,"fork":false,"pushed_at":"2025-06-25T22:46:58.000Z","size":2907,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-06-25T23:29:02.873Z","etag":null,"topics":["apache-apisix","api-gateway","authentication","authorization","docker","golang","jwt","microservices","oauth2","oidc","ory-hydra","ory-kratos","rbac","security"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nemirlev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-06-25T22:10:45.000Z","updated_at":"2025-06-25T22:47:02.000Z","dependencies_parsed_at":"2025-06-25T23:39:09.971Z","dependency_job_id":null,"html_url":"https://github.com/nemirlev/auth-service-example","commit_stats":null,"previous_names":["nemirlev/auth-service-example"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/nemirlev/auth-service-example","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nemirlev%2Fauth-service-example","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nemirlev%2Fauth-service-example/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nemirlev%2Fauth-service-example/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nemirlev%2Fauth-service-example/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nemirlev","download_url":"https://codeload.github.com/nemirlev/auth-service-example/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nemirlev%2Fauth-service-example/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261973746,"owners_count":23238588,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apache-apisix","api-gateway","authentication","authorization","docker","golang","jwt","microservices","oauth2","oidc","ory-hydra","ory-kratos","rbac","security"],"created_at":"2025-06-26T00:08:23.062Z","updated_at":"2026-05-09T06:32:23.957Z","avatar_url":"https://github.com/nemirlev.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Authentication \u0026 Authorization in Microservices Architecture\n\nA practical implementation example for authentication and authorization in microservices using Ory Hydra, Ory Kratos, Apache APISIX, and Go microservices.\n\n📚 **For detailed explanation and theory, see [ARTICLE.md](doc/ARTICLE.md)**\n\n## 🏗️ What This Demonstrates\n\nTwo approaches to microservices authorization:\n\n1. **JWT-based approach** - Simple roles in JWT tokens\n2. **Opaque tokens + introspection** - Flexible permissions with real-time validation\n\n**Tech Stack:** Ory Kratos + Hydra, Apache APISIX, Go microservices, PostgreSQL\n\n## 🚀 Quick Start\n\n```bash\n# 1. Start all services\ndocker-compose up -d\n\n# 2. Add to /etc/hosts (required for demo)\necho \"127.0.0.1\thydra\" \u003e\u003e /etc/hosts\n\n# 3. Register OAuth2 client\ncurl -X POST http://localhost:4445/admin/clients \\\n  -H 'Content-Type: application/json' \\\n  -d '{\n      \"client_id\": \"web\",\n      \"client_secret\": \"web-secret\",\n      \"grant_types\": [\"authorization_code\", \"refresh_token\"],\n      \"response_types\": [\"code\", \"id_token\"],\n      \"scope\": \"openid offline users:read products:read orders:read\",\n      \"redirect_uris\": [\"http://hydra:4444/callback\"]\n  }'\n\n# 4. Create user at http://127.0.0.1:4455\n# 5. Get access token at http://127.0.0.1:3001\n# 6. Test protected endpoint:\ncurl -H \"Authorization: Bearer YOUR_TOKEN\" http://localhost:9080/users/123\n```\n\n## 🛠️ Services\n\n| Service | Port | Description |\n|---------|------|-------------|\n| Kratos (Public) | 4433 | Identity management API |\n| Kratos (Admin) | 4434 | Admin API for identity management |\n| Kratos UI | 4455 | Self-service UI for registration/login |\n| Hydra (Public) | 4444 | OAuth2/OIDC endpoints |\n| Hydra (Admin) | 4445 | Admin API for client management |\n| Token Demo App | 3001 | OAuth2 flow demonstration |\n| APISIX Gateway | 9080 | API Gateway (protected endpoints) |\n| APISIX Admin | 9180 | Gateway administration |\n| APISIX Dashboard | 9000 | Web UI for APISIX (admin/admin) |\n| Users Service | 8081 | Direct access (bypass gateway) |\n| Products Service | 8082 | Direct access (bypass gateway) |\n| Orders Service | 8083 | Direct access (bypass gateway) |\n| MailSlurper | 4436 | Email testing interface |\n\n## 📋 Key Features\n\n- **Dual authorization approaches** (JWT vs Opaque tokens)\n- **OAuth2/OIDC flows** with Ory Hydra\n- **API Gateway integration** with Apache APISIX\n- **Fine-grained permissions** in Go microservices\n- **Complete Docker setup** for easy testing\n\n## 🔍 Testing Examples\n\n```bash\n# Check if services are ready\ncurl http://127.0.0.1:4444/health/ready\n\n# Validate token\ncurl -X POST http://localhost:4445/oauth2/introspect \\\n     --user \"web:web-secret\" \\\n     --data-urlencode \"token=YOUR_TOKEN\"\n\n# Test different permissions\ncurl -H \"Authorization: Bearer TOKEN\" http://localhost:9080/users/    # needs users:read\ncurl -H \"Authorization: Bearer TOKEN\" http://localhost:9080/products/ # needs products:read\n```\n\n## ⚠️ Production Notes\n\nThis is a **development setup**. For production:\n- Use HTTPS everywhere\n- Configure proper secrets\n- Implement token caching\n- Use internal DNS (not `/etc/hosts`)\n- Add monitoring and logging\n\n## 📚 Learn More\n\n- [Detailed Article](doc/ARTICLE.md) - Complete explanation (Russian)\n- [Ory Documentation](https://www.ory.sh/docs)\n- [Apache APISIX Documentation](https://apisix.apache.org/docs)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnemirlev%2Fauth-service-example","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnemirlev%2Fauth-service-example","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnemirlev%2Fauth-service-example/lists"}