From 67fc433ab56bccd2cdb0c8adf1685f456e82114e Mon Sep 17 00:00:00 2001
From: mr
Date: Thu, 19 Feb 2026 14:57:14 +0100
Subject: [PATCH] New OAUTH2 Docker deployment
---
 README.md | 1 +
 docker/tools/clients.json | 23 ++++++++
 docker/tools/docker-compose.dev.yml | 72 +++++++++++-------------
 docker/tools/docker-compose.traefik.yml | 8 +--
 k8s/datas/cluster-1/peer.json | 8 +--
 k8s/datas/cluster-2/peer.json | 8 +--
 6 files changed, 67 insertions(+), 53 deletions(-)
 create mode 100644 docker/tools/clients.json
diff --git a/README.md b/README.md
index d833a24..d2d216c 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,5 @@
 # RUN DOCKER DEMO
+http://localhost:8000/hydra/oauth2/auth?client_id=2171304d-d15e-45b7-8cc0-1f8e18235ccb&scope=openid offline profile email&response_type=code&redirect_uri=http://localhost:8094/swagger&state=xyz
 ADD a clean argo
 ```
diff --git a/docker/tools/clients.json b/docker/tools/clients.json
new file mode 100644
index 0000000..6fcf66a
--- /dev/null
+++ b/docker/tools/clients.json
@@ -0,0 +1,23 @@
+[
+ {
+ "client_id": "test-client",
+ "client_secret": "oc-auth-got-secret",
+ "client_name": "test-client",
+ "grant_types": [
+ "implicit",
+ "refresh_token",
+ "authorization_code",
+ "client_credentials"
+ ],
+ "response_types": [
+ "id_token",
+ "token",
+ "code"
+ ],
+ "scope": "openid profile email roles",
+ "redirect_uris": [
+ "http://localhost:8094/swagger"
+ ],
+ "token_endpoint_auth_method": "client_secret_post"
+ }
+]
diff --git a/docker/tools/docker-compose.dev.yml b/docker/tools/docker-compose.dev.yml
index 8b62ace..6dd4a8d 100644
--- a/docker/tools/docker-compose.dev.yml
+++ b/docker/tools/docker-compose.dev.yml
@@ -1,4 +1,4 @@
-version: '3.4'
+version: '3.9'
 services:
 mongo:
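Review bot: The new client enables the `implicit` grant and the `token`/`id_token` response types, so tokens can be handed out straight from the authorization endpoint in the URL fragment, although the only `redirect_uri` (`http://localhost:8094/swagger`) and the README example both use `response_type=code`; the OAuth 2.0 Security BCP deprecates implicit and nothing here needs it. The `client_secret` is also the same literal as Hydra's `SECRETS_SYSTEM` in the compose hunk below (`oc-auth-got-secret`), so a leaked client credential also yields the secret Hydra uses to protect its own state. I would trim to `"grant_types": ["refresh_token", "authorization_code", "client_credentials"]` and `"response_types": ["code"]`, and give the client its own generated secret. Since this file is committed and JSON cannot carry a comment, a line in the README stating that these are dev-only credentials would help the next reader.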
@@ -76,12 +76,30 @@ services:
 SECRETS_SYSTEM: oc-auth-got-secret
 LOG_LEAK_SENSITIVE_VALUES: true
 # OAUTH2_TOKEN_HOOK_URL: http://oc-auth:8080/oc/claims
- URLS_SELF_ISSUER: http://hydra:4444
- URLS_SELF_PUBLIC: http://hydra:4444
+ HYDRA_ADMIN_URL: http://hydra:4445
+ URLS_SELF_ISSUER: http://localhost:8000/hydra
+ URLS_SELF_PUBLIC: http://localhost:8000/hydra
+ URLS_LOGIN: http://localhost:8000/auth/login
+ URLS_CONSENT: http://localhost:8000/auth/consent
+ URLS_LOGOUT: http://localhost:8000/auth/logout
 WEBFINGER_OIDC_DISCOVERY_SUPPORTED_SCOPES: profile,email,phone,roles
 WEBFINGER_OIDC_DISCOVERY_SUPPORTED_CLAIMS: name,family_name,given_name,nickname,email,phone_number
 DSN: memory
- command: serve all --dev
+ user: root
+ entrypoint: >
+ sh -c "
+ hydra serve all --dev &
+ echo '⏳ Waiting for Hydra admin API...' &&
+ until wget -q --spider http://localhost:4445/health/ready; do
+ sleep 2;
+ done &&
+ echo '✅ Hydra is ready. Importing clients...' &&
+ hydra import oauth2-client /clients.json -e http://hydra:4445 &&
+ echo '🚀 Clients imported.' &&
+ wait
+ "
+ volumes:
+ - ./clients.json:/clients.json
 networks:
 - oc
 ports:
@@ -90,6 +108,13 @@ services:
 deploy:
 restart_policy:
 condition: on-failure
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.hydra.entrypoints=web"
+ - "traefik.http.routers.hydra.rule=PathPrefix(`/hydra`)"
+ - "traefik.http.services.hydra.loadbalancer.server.port=4444"
+ - "traefik.http.middlewares.hydra-stripprefix.stripprefix.prefixes=/hydra"
+ - "traefik.http.routers.hydra.middlewares=hydra-stripprefix"
 ldap:
 image: pgarrett/ldap-alpine
 container_name: ldap
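Review bot: `user: root` is new and nothing in the new entrypoint appears to need it — `wget`, `hydra serve` and `hydra import` run fine as the image's default non-root user as far as I can tell, and reading the bind-mounted `/clients.json` only requires the host file to be world-readable — so the OAuth2 server now runs as root for no gain; drop the line, or pin the image's unprivileged uid explicitly if the intent was determinism. Separately, the `sh -c` wrapper is PID 1 and keeps `hydra serve` in the background, so `docker stop` delivers SIGTERM to the shell, which does not forward it, and Hydra is SIGKILLed after the grace period instead of shutting down cleanly; a `trap 'kill $!' TERM INT` placed before `wait`, or keeping the client import as a one-shot service gated on Hydra's health (the pattern this commit deletes), avoids that. Note also that `LOG_LEAK_SENSITIVE_VALUES: true` sits directly above the new lines; with the issuer now reachable through Traefik on port 8000, a comment such as `# dev-only: leaks secrets to logs, issuer/login/consent are plain http` on this block would make the intended scope explicit.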
@@ -116,44 +141,6 @@ services:
 container_name: keto
 networks:
 - oc
-
- hydra-client:
- image: oryd/hydra:v2.2.0
- container_name: hydra-client
- environment:
- HYDRA_ADMIN_URL: http://hydra:4445
- ORY_SDK_URL: http://hydra:4445
- command:
- - create
- - oauth2-client
- - --skip-tls-verify
- - --name
- - test-client
- - --secret
- - oc-auth-got-secret
- - --response-type
- - id_token,token,code
- - --grant-type
- - implicit,refresh_token,authorization_code,client_credentials
- - --scope
- - openid,profile,email,roles
- - --token-endpoint-auth-method
- - client_secret_post
- - --redirect-uri
- - http://localhost:3000
-
- networks:
- - oc
- deploy:
- restart_policy:
- condition: none
- depends_on:
- - hydra
- healthcheck:
- test: ["CMD", "curl", "-f", "http://hydra:4445"]
- interval: 10s
- timeout: 10s
- retries: 10
 volumes:
 oc-data:
@@ -161,3 +148,4 @@ volumes:
 networks:
 oc:
 external: true
+
diff --git a/docker/tools/docker-compose.traefik.yml b/docker/tools/docker-compose.traefik.yml
index 7d8109e..b9e2dca 100644
--- a/docker/tools/docker-compose.traefik.yml
+++ b/docker/tools/docker-compose.traefik.yml
@@ -1,8 +1,8 @@
-version: '3.4'
+version: '3.9'
 services:
 traefik:
- image: traefik:v2.10.4
+ image: traefik:v3.6
 container_name: traefik
 restart: unless-stopped
 networks:
@@ -10,11 +10,13 @@ services:
 command:
 - "--api.insecure=true"
 - "--providers.docker=true"
+ - "--providers.docker.exposedbydefault=false"
 - "--entrypoints.web.address=:8000"
+ user: root
 ports:
 - "8000:8000" # Expose Traefik on port 8000
 volumes:
- - /var/run/docker.sock:/var/run/docker.sock
+ - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
 oc-data:
diff --git a/k8s/datas/cluster-1/peer.json b/k8s/datas/cluster-1/peer.json
index ffadad6..1f366df 100644
--- a/k8s/datas/cluster-1/peer.json
+++ b/k8s/datas/cluster-1/peer.json
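Review bot: The `:ro` added to the `/var/run/docker.sock` bind mount does not limit what Traefik can do with the Docker API: a read-only mount only blocks filesystem writes, and connecting to and sending requests over a Unix socket is not one, so the provider still has full, root-equivalent control of the daemon, and the hunk adds `user: root` on top of the pre-existing `--api.insecure=true`. The `exposedbydefault=false` line is a genuine improvement and matches the `traefik.enable=true` label on hydra. I would drop `user: root` (the official image already runs as root unless overridden, so the line documents rather than changes the privilege level) and put a filtering socket proxy in front of the socket, pointing `--providers.docker.endpoint` at it so only the read-only container/events calls Traefik needs are reachable. At minimum, a comment such as `# :ro does not restrict the Docker API; the socket remains fully usable` next to the mount would stop the flag being mistaken for hardening.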
@@ -6,7 +6,7 @@
 "id":"c0cece97-7730-4c2a-8c20-a30944564106",
 "name":"local","is_draft":false,
 "creation_date":{"$date":"2025-03-27T09:13:13.230Z"}},
- "api_url":"http://192.168.1.1",
+ "api_url":"http://beta.opencloud.com:9600",
 "nats_address": "nats://nats:4222",
 "stream_address":"/ip4/192.168.1.1/tcp/4001/p2p/QmXkKz9kE7pY3Yw4m6x9FhJ3JY5P2QJpX9C7Yz2T4H8WvA",
 "wallet_address":"my-wallet",
@@ -22,12 +22,12 @@
 "id":"6a3fc74d-8c06-4dbb-ad11-d5c53562775b",
 "name":"local","is_draft":false,
 "creation_date":{"$date":"2025-03-27T09:13:13.230Z"}},
- "api_url":"http://192.168.1.2",
+ "api_url":"http://beta.opencloud.com:9700",
 "nats_address": "nats://nats:4222",
 "stream_address":"/ip4/192.168.1.1/tcp/4002/p2p/QmTzQ1NwFz9bYH7Kp8Zs4XyJQk3E6C5R9H1m2A8L7V",
 "peer_id": "QmTzQ1NwFz9bYH7Kp8Zs4XyJQk3E6C5R9H1m2A8L7V",
 "wallet_address":"my-wallet",
 "public_key":"MCowBQYDK2VwAyEAZ2nLJBL8a5opfa8nFeVj0SZToW8pl4+zgcSUkeZFRO4=",
- "state":2,
- "relation": 1
+ "state":1,
+ "relation": 2
 }]
diff --git a/k8s/datas/cluster-2/peer.json b/k8s/datas/cluster-2/peer.json
index 5a02303..8740a3e 100644
--- a/k8s/datas/cluster-2/peer.json
+++ b/k8s/datas/cluster-2/peer.json
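Review bot: Both new `api_url` values move the peer API from RFC 1918 addresses to a public hostname over plain `http://` (`http://beta.opencloud.com:9600` and `:9700`), so whatever this endpoint carries between clusters now crosses the Internet unencrypted and any on-path party can read or rewrite the responses, regardless of what the neighbouring `public_key` field is used for. If these endpoints are fronted by TLS, write `https://` here; if they are not, please say so in the commit message and track it rather than leaving it implicit. The `stream_address` values for both peers still embed `/ip4/192.168.1.1/...`, which looks stale now that `api_url` has left that network — worth confirming whether they should follow. The `state`/`relation` swap (2→1, 1→2) in the second hunk is unexplained and JSON cannot carry a comment, so a sentence in the commit message on what the two values mean would help the next reader.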
@@ -6,11 +6,11 @@
 "id":"c0cece97-7730-4c2a-8c20-a30944564106",
 "name":"local","is_draft":false,
 "creation_date":{"$date":"2025-03-27T09:13:13.230Z"}},
- "url":"http://192.168.1.1",
+ "url":"http://beta.opencloud.com:9600",
 "wallet_address":"my-wallet",
 "public_key":"-----BEGIN RSA PUBLIC KEY-----\nMIICCgKCAgEAw2pdG6wMtuLcP0+k1LFvIb0DQo/oHW2uNJaEJK74plXqp4ztz2dR\nb+RQHFLeLuqk4i/zc3b4K3fKPXSlwnVPJCwzPrnyT8jYGOZVlWlETiV9xeJhu6s/\nBh6g1PWz75XjjwV50iv/CEiLNBT23f/3J44wrQzygqNQCiQSALdxWLAEl4l5kHSa\n9oMyV70/Uql94/ayMARZsHgp9ZvqQKbkZPw6yzVMfCBxQozlNlo315OHevudhnhp\nDRjN5I7zWmqYt6rbXJJC7Y3Izdvzn7QI88RqjSRST5I/7Kz3ndCqrOnI+OQUE5NT\nREyQebphvQfTDTKlRPXkdyktdK2DH28Zj6ZF3yjQvN35Q4zhOzlq77dO5IhhopI7\nct8dZH1T1nYkvdyCA/EVMtQsASmBOitH0Y0ACoXQK5Kb6nm/TcM/9ZSJUNiEMuy5\ngBZ3YKE9oa4cpTpPXwcA+S/cU7HPNnQAsvD3iJi8GTW9uJs84pn4/WhpQqmXd4rv\nhKWECCN3fHy01fUs/U0PaSj2jDY/kQVeXoikNMzPUjdZd9m816TIBh3v3aVXCH/0\niTHHAxctvDgMRb2fpvRJ/wwnYjFG9RpamVFDMvC9NffuYzWAA9IRIY4cqgerfHrV\nZ2HHiPTDDvDAIsvImXZc/h7mXN6m3RCQ4Qywy993wd9gUdgg/qnynHcCAwEAAQ==\n-----END RSA PUBLIC KEY-----\n",
- "state":2,
- "relation": 1
+ "state":1,
+ "relation": 2
 }, {
 "_id":"6a3fc74d-8c06-4dbb-ad11-d5c53562775b",
 "failed_execution":null,
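Review bot: As in the cluster-1 file, the new `url` moves this peer to a public hostname over plain `http://`, so the transport offers no confidentiality or integrity for whatever these peer records are used to reach; use `https://` or state in the commit message where TLS is terminated. Separately, the two peer entries in this file (c0cece97… here and 6a3fc74d… in the next hunk) carry byte-identical RSA `public_key` values, while cluster-1 gives 6a3fc74d a different, much shorter key (`MCowBQYDK2VwAyEA…`, which looks like an Ed25519 SubjectPublicKeyInfo); if `public_key` is what verifies the remote peer, one key shared by two peers means they cannot be told apart, and the two clusters disagree on 6a3fc74d's identity. Those key lines are pre-existing context rather than part of this change, but this commit is what makes the endpoints publicly reachable, so it is worth confirming or fixing in the same change.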
@@ -19,7 +19,7 @@
 "id":"6a3fc74d-8c06-4dbb-ad11-d5c53562775b",
 "name":"local","is_draft":false,
 "creation_date":{"$date":"2025-03-27T09:13:13.230Z"}},
- "url":"http://192.168.1.2",
+ "url":"http://beta.opencloud.com:9700",
 "wallet_address":"my-wallet",
 "public_key":"-----BEGIN RSA PUBLIC KEY-----\nMIICCgKCAgEAw2pdG6wMtuLcP0+k1LFvIb0DQo/oHW2uNJaEJK74plXqp4ztz2dR\nb+RQHFLeLuqk4i/zc3b4K3fKPXSlwnVPJCwzPrnyT8jYGOZVlWlETiV9xeJhu6s/\nBh6g1PWz75XjjwV50iv/CEiLNBT23f/3J44wrQzygqNQCiQSALdxWLAEl4l5kHSa\n9oMyV70/Uql94/ayMARZsHgp9ZvqQKbkZPw6yzVMfCBxQozlNlo315OHevudhnhp\nDRjN5I7zWmqYt6rbXJJC7Y3Izdvzn7QI88RqjSRST5I/7Kz3ndCqrOnI+OQUE5NT\nREyQebphvQfTDTKlRPXkdyktdK2DH28Zj6ZF3yjQvN35Q4zhOzlq77dO5IhhopI7\nct8dZH1T1nYkvdyCA/EVMtQsASmBOitH0Y0ACoXQK5Kb6nm/TcM/9ZSJUNiEMuy5\ngBZ3YKE9oa4cpTpPXwcA+S/cU7HPNnQAsvD3iJi8GTW9uJs84pn4/WhpQqmXd4rv\nhKWECCN3fHy01fUs/U0PaSj2jDY/kQVeXoikNMzPUjdZd9m816TIBh3v3aVXCH/0\niTHHAxctvDgMRb2fpvRJ/wwnYjFG9RpamVFDMvC9NffuYzWAA9IRIY4cqgerfHrV\nZ2HHiPTDDvDAIsvImXZc/h7mXN6m3RCQ4Qywy993wd9gUdgg/qnynHcCAwEAAQ==\n-----END RSA PUBLIC KEY-----\n",
 "state":1,