oidc-hydra-config/README.md

# ORY Hydra configuration for CAcert
This repository contains instructions on how to set up [ORY
Hydra](https://www.ory.sh/hydra/) for the OAuth2 / OpenID Connect operations
required by the CAcert IDP and client registration applications.
The documentation in this repository is licensed under the terms of the Apache
License Version 2.0.
Copyright © 2020-2023 Jan Dittberner
The setup and configuration have been tested on Debian testing on 2023-08-07
using the following software versions:

- mkcert v1.4.4
- openssl 3.0.9
- PostgreSQL 15.3
- ORY Hydra v2.1.2
On Debian 12 Bookworm you can install `mkcert`, `openssl` and PostgreSQL via apt:
```shell
sudo apt install mkcert openssl postgresql
```
## Create certificate for Hydra
You need a certificate and private key for Hydra. I recommend using the `mkcert` utility by Filippo Valsorda:
1. Set up a local CA:

   ```shell
   mkcert -install
   ```

2. Create a key pair and certificate:

   ```shell
   mkcert hydra.cacert.localhost auth.cacert.localhost
   ```
## Setup Hydra
We use the ORY Hydra OAuth2 / OpenID Connect implementation. Install Hydra
according to their [documentation](https://www.ory.sh/hydra/docs/install).
The setup has been tested with the Linux binary installation.
Preconditions:
- generate certificate + key (see above)
- generate a database password (`openssl rand -base64 16` might be a good idea)
- generate a secret key for your instance (`openssl rand -base64 32` might be a good idea)
Perform the Hydra database setup:
```shell
# open an interactive psql session as the PostgreSQL superuser
sudo -i -u postgres psql
> CREATE DATABASE hydra_local ENCODING 'utf-8';
> CREATE USER hydra_local WITH PASSWORD '${YOUR_POSTGRESQL_PASSWORD}';
> GRANT CONNECT, CREATE ON DATABASE hydra_local TO hydra_local;
> \q
# apply Hydra's schema migrations using the new database user
hydra migrate sql "postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:5432/hydra_local"
```

*Note:* Replace `${YOUR_POSTGRESQL_PASSWORD}` with the password generated above.
Create a configuration file for Hydra, e.g. `hydra.yaml`:
```yaml
serve:
  admin:
    host: hydra.cacert.localhost
    tls:
      enabled: true
      cert:
        path: hydra.cacert.localhost+1.pem
      key:
        path: hydra.cacert.localhost+1.key.pem
  public:
    host: auth.cacert.localhost
    tls:
      enabled: true
      cert:
        path: hydra.cacert.localhost+1.pem
      key:
        path: hydra.cacert.localhost+1.key.pem
dsn: 'postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:5432/hydra_local'
webfinger:
  oidc_discovery:
    supported_claims:
      - email
      - email_verified
      - name
    supported_scope:
      - profile
      - email
oauth2:
  expose_internal_errors: false
urls:
  login: https://login.cacert.localhost:3000/login
  consent: https://login.cacert.localhost:3000/consent
  logout: https://login.cacert.localhost:3000/logout
  error: https://login.cacert.localhost:3000/error
  post_logout_redirect: https://login.cacert.localhost:3000/logout-successful
  self:
    public: https://auth.cacert.localhost:4444/
    issuer: https://auth.cacert.localhost:4444/
secrets:
  system:
    - "${YOUR_SECRET_FOR_HYDRA}"
```

*Note:* Replace `${YOUR_POSTGRESQL_PASSWORD}` and `${YOUR_SECRET_FOR_HYDRA}`
with the values generated above.
The available configuration options are described in the
[Hydra configuration documentation](https://www.ory.sh/hydra/docs/reference/configuration).
## Start
Now you can start Hydra:
```shell
hydra serve all --config hydra.yaml
```
## Add OpenID Connect configuration for a client
Create an OpenID Connect (OIDC) client configuration for the demo application:

```shell
hydra create oauth2-client --endpoint https://hydra.cacert.localhost:4445/ \
  --name "OIDC Demo App with Logo" \
  --scope openid --scope profile --scope groups --scope email \
  --post-logout-callback https://app.cacert.localhost:4000/after-logout \
  --redirect-uri https://app.cacert.localhost:4000/callback
```
The command returns a client ID and a client secret, which you need for the
demo application configuration.
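As an added example (not part of this repository), the following Python check validates the OpenID Connect discovery document that Hydra publishes at `<issuer>/.well-known/openid-configuration` against the setup above: the issuer must match `urls.self.issuer` exactly, every endpoint must be served over TLS from the issuer host, and the scopes requested by the demo client must be advertised. The discovery document embedded below is a constructed sample mirroring `hydra.yaml`, so the check runs offline.

```python
"""Check an OIDC discovery document against the Hydra setup above (added example,
not part of the oidc-hydra-config repository). Fetch the live document with e.g.
curl --cacert "$(mkcert -CAROOT)/rootCA.pem" https://auth.cacert.localhost:4444/.well-known/openid-configuration
"""
import json
from urllib.parse import urlsplit

# From the README: urls.self.issuer and the scopes passed to `hydra create oauth2-client`.
EXPECTED_ISSUER = "https://auth.cacert.localhost:4444/"
CLIENT_SCOPES = {"openid", "profile", "groups", "email"}

# Constructed sample approximating what Hydra publishes for the hydra.yaml above.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://auth.cacert.localhost:4444/",
    "authorization_endpoint": "https://auth.cacert.localhost:4444/oauth2/auth",
    "token_endpoint": "https://auth.cacert.localhost:4444/oauth2/token",
    "jwks_uri": "https://auth.cacert.localhost:4444/.well-known/jwks.json",
    "end_session_endpoint": "https://auth.cacert.localhost:4444/oauth2/sessions/logout",
    "scopes_supported": ["openid", "offline_access", "profile", "email"],
    "claims_supported": ["sub", "email", "email_verified", "name"],
})
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "end_session_endpoint")


def check_discovery(raw: str, expected_issuer: str, client_scopes: set) -> list:
    """Return a list of findings; an empty list means the document passes."""
    doc = json.loads(raw)
    findings = []
    # OIDC Discovery requires a byte-for-byte issuer match (trailing slash included).
    if doc.get("issuer") != expected_issuer:
        findings.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    # In this setup every endpoint is served over TLS from the issuer host; anything
    # else means the public listener or urls.self.* is misconfigured.
    issuer_host = urlsplit(expected_issuer).netloc
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if not url:
            findings.append(f"missing {key}")
        elif urlsplit(url).scheme != "https" or urlsplit(url).netloc != issuer_host:
            findings.append(f"{key} is not https on {issuer_host}: {url}")
    # Scopes the demo client requests but the provider does not advertise point at
    # webfinger.oidc_discovery.supported_scope; catch that before the first login.
    missing = client_scopes - set(doc.get("scopes_supported", []))
    if missing:
        findings.append("scopes requested but not advertised: " + ", ".join(sorted(missing)))
    return findings

if __name__ == "__main__":
    for finding in check_discovery(SAMPLE_DISCOVERY, EXPECTED_ISSUER, CLIENT_SCOPES):
        print("WARN:", finding)
```

Run against the sample it reports only that `groups`, which the demo client requests, is not listed under `supported_scope`; point it at the live document to confirm the running instance before configuring the demo application.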