2021-09-11 09:39:10 +00:00

# ORY Hydra configuration for CAcert

This repository contains instructions on how to set up [ORY
Hydra](https://www.ory.sh/hydra/) for the OAuth2 / OpenID Connect operations
required for the CAcert IDP and client registration applications.

The documentation in this repository is licensed under the terms of the Apache
License Version 2.0.

Copyright © 2020, 2021, 2022 Jan Dittberner

|
The setup and configuration has been tested on Debian testing on 2022-08-09
|
|
|
|
using the following versions software versions:
|
|
|
|
|
|
|
|
- mkcert v1.4.4
|
|
|
|
- openssl 3.0.4
|
|
|
|
- PostgreSQL 14.4
|
|
|
|
- ORY Hydra v1.11.9
|
|
|
|
|
## Setup

### Certificates

You need a set of TLS certificates for Hydra. I recommend using the
[mkcert](https://github.com/FiloSottile/mkcert) utility by Filippo Valsorda:

1. Set up a local CA

   ```shell
   mkcert -install
   ```

2. Create a key pair and certificate

   ```shell
   mkcert hydra.cacert.localhost auth.cacert.localhost
   ```

Note that `mkcert -install` adds the generated local CA to your system and
browser trust stores, so keep its private key (in the directory printed by
`mkcert -CAROOT`) to yourself. The second command prints the paths of the
certificate and key files it wrote; you need them for the Hydra configuration.

### Setup Hydra

We use the ORY Hydra OAuth2 / OpenID Connect implementation. Install Hydra
according to their [documentation](https://www.ory.sh/hydra/docs/install).
The setup has been tested with the Linux binary installation.

Preconditions:

- generate certificate + key (see above)
- generate a database password (`openssl rand -base64 16` might be a good idea)
- generate a secret key for your instance (`openssl rand -base64 32` might be a good idea)

Perform the Hydra database setup:

```shell
# open a psql session as the PostgreSQL superuser
sudo -i -u postgres psql
# statements entered at the psql prompt:
> CREATE DATABASE hydra_local ENCODING 'utf-8';
> CREATE USER hydra_local WITH PASSWORD '${YOUR_POSTGRESQL_PASSWORD}';
> GRANT CONNECT, CREATE ON DATABASE hydra_local TO hydra_local;

# back in your normal shell: create the Hydra schema
hydra migrate sql "postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:5432/hydra_local"
```

*Note*: replace `${YOUR_POSTGRESQL_PASSWORD}` with the password generated above.

Create a configuration file for Hydra, e.g. `hydra.yaml`:

```yaml
serve:
  admin:
    host: hydra.cacert.localhost
  public:
    host: auth.cacert.localhost
  tls:
    cert:
      path: hydra.cacert.localhost+1.pem
    key:
      path: hydra.cacert.localhost+1.key.pem
dsn: 'postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:5432/hydra_local'

webfinger:
  oidc_discovery:
    supported_claims:
      - email
      - email_verified
      - given_name
      - family_name
      - middle_name
      - name
      - birthdate
      - zoneinfo
      - locale
      - https://cacert.localhost/groups
    supported_scope:
      - profile
      - email

oauth2:
  expose_internal_errors: false

urls:
  login: https://login.cacert.localhost:3000/login
  consent: https://login.cacert.localhost:3000/consent
  logout: https://login.cacert.localhost:3000/logout
  error: https://login.cacert.localhost:3000/error
  post_logout_redirect: https://login.cacert.localhost:3000/logout-successful
  self:
    public: https://auth.cacert.localhost:4444/
    issuer: https://auth.cacert.localhost:4444/

secrets:
  system:
    - "${YOUR_SECRET_FOR_HYDRA}"
```

*Note:* Replace `${YOUR_POSTGRESQL_PASSWORD}` and `${YOUR_SECRET_FOR_HYDRA}`
with the values generated above, and make sure the two `path` entries match the
certificate and key files mkcert actually wrote. The rendered file contains
credentials, so keep it out of version control and readable only by the user
that runs Hydra.

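As an added example (not part of the original instructions and not code from the Hydra project), the following POSIX shell functions generate the two secrets with the `openssl rand` commands from the preconditions and fill them into a copy of `hydra.yaml`, so the plaintext values never have to be pasted by hand. The template file name `hydra.yaml.template` is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original README: render hydra.yaml from a
# template that still contains the ${YOUR_POSTGRESQL_PASSWORD} and
# ${YOUR_SECRET_FOR_HYDRA} placeholders.
set -eu

# Generate a secret exactly as the preconditions suggest; $1 is the number
# of random bytes (16 for the database password, 32 for the Hydra secret).
gen_secret() {
    openssl rand -base64 "$1"
}

# Hydra refuses to start with a system secret shorter than 16 characters,
# so catch that before the file is written.
check_system_secret() {
    [ "${#1}" -ge 16 ]
}

# render_config TEMPLATE OUTPUT DB_PASSWORD SYSTEM_SECRET
# Base64 output contains only A-Z, a-z, 0-9, '+', '/' and '=', so '|' is a
# safe sed delimiter and no sed metacharacter can occur in the values.
render_config() {
    template=$1; out=$2; db_password=$3; system_secret=$4
    check_system_secret "$system_secret" || {
        echo "system secret too short (need at least 16 characters)" >&2
        return 1
    }
    umask 077   # the rendered file holds credentials: owner-readable only
    sed -e "s|\\\${YOUR_POSTGRESQL_PASSWORD}|$db_password|g" \
        -e "s|\\\${YOUR_SECRET_FOR_HYDRA}|$system_secret|g" \
        "$template" > "$out"
    # Fail if any placeholder survived (e.g. a typo in the template).
    ! grep -q -e 'YOUR_POSTGRESQL_PASSWORD' -e 'YOUR_SECRET_FOR_HYDRA' "$out"
}

# Typical use (hydra.yaml.template is an assumed copy of hydra.yaml that
# still carries the placeholders):
#   DB_PASSWORD=$(gen_secret 16)
#   HYDRA_SECRET=$(gen_secret 32)
#   render_config hydra.yaml.template hydra.yaml "$DB_PASSWORD" "$HYDRA_SECRET"
```

The same `DB_PASSWORD` value has to be used for the `CREATE USER` statement and the `hydra migrate sql` DSN in the database setup above.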
The available configuration options are described in the
[Hydra configuration documentation](https://www.ory.sh/hydra/docs/reference/configuration).

## Start

Now you can start Hydra:

```shell
hydra serve all --config hydra.yaml
```

## Add OpenID Connect configuration for a client

Create an OpenID Connect (OIDC) client configuration for the demo application:

```shell
hydra clients create --endpoint https://hydra.cacert.localhost:4445/ \
  --callbacks https://app.cacert.localhost:4000/callback \
  --logo-uri https://register.cacert.localhost:3000/images/app.png \
  --name "Client App Demo" \
  --scope "openid offline_access profile email" \
  --post-logout-callbacks https://app.cacert.localhost:4000/after-logout \
  --client-uri https://register.cacert.localhost:3000/info/app
```

The command returns a client ID and a client secret, which you need for the
demo application configuration. Hydra stores only a hash of the client secret,
so it cannot be retrieved again later; record it in the demo application's
configuration right away.