Update setup documentation

Jan Dittberner 2022-08-09 18:12:16 +02:00
parent fb38ef86dd
commit 0f4bba55d5
2 changed files with 33 additions and 43 deletions

.gitignore

@ -1,3 +1,3 @@
*.pem
.idea/ .idea/
certs/
hydra.yaml hydra.yaml
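Review bot: `*.pem` is a much wider net than the old `certs/` entry. It does cover mkcert's two default outputs, `hydra.cacert.localhost+1.pem` and `hydra.cacert.localhost+1-key.pem`, so the TLS private key stays out of the repository, but it will also silently ignore any other `.pem` a developer drops into the working tree (an exported mkcert root, for example). That is acceptable for a dev setup; say so in the README, and keep the pattern in step with the file names the README's TLS section refers to.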


@ -7,38 +7,25 @@ required for the CAcert IDP and client registration applications.
The documentation in this repository is licensed under the terms of the Apache The documentation in this repository is licensed under the terms of the Apache
License Version 2.0. License Version 2.0.
Copyright © 2020, 2021 Jan Dittberner Copyright © 2020, 2021, 2022 Jan Dittberner
## Setup ## Setup
### Certificates ### Certificates
You need a set of certificates for the Hydra. You can use the Test CA created You need a set of certificates for the Hydra. I recommend to use the
by the ``setup_test_ca.sh`` script from the [CAcert developer [mkcert](https://github.com/FiloSottile/mkcert) utility by Filippo Valsorda:
setup](https://git.dittberner.info/jan/cacert-devsetup) repository like this:
1. create signing requests 1. Setup local CA
``` ```shell
mkdir certs mkcert -install
cd certs
openssl req -new -newkey rsa:3072 -nodes \
-keyout hydra.cacert.localhost.key \
-out hydra.cacert.localhost.csr.pem \
-subj /CN=hydra.cacert.localhost \
-addext subjectAltName=DNS:hydra.cacert.localhost,DNS:auth.cacert.localhost
cp *.csr.pem $PATH_TO_DEVSETUP_TESTCA/
``` ```
2. Use the CA to sign the certificates 2. Create a key pair and certificate
``` ```shell
pushd $PATH_TO_DEVSETUP_TESTCA/ mkcert hydra.cacert.localhost auth.cacert.localhost
openssl ca -config ca.cnf -name class3_ca -extensions server_ext \
-in hydra.cacert.localhost.csr.pem \
-out hydra.cacert.localhost.crt.pem -days 365
popd
cp $PATH_TO_DEVSETUP_TESTCA/hydra.cacert.localhost.crt.pem .
``` ```
### Setup Hydra ### Setup Hydra
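Review bot: step 2 should state the file names mkcert writes, because the configuration later in the README refers to them: without `-cert-file`/`-key-file`, `mkcert hydra.cacert.localhost auth.cacert.localhost` produces `hydra.cacert.localhost+1.pem` and `hydra.cacert.localhost+1-key.pem` in the current directory. Step 1 also deserves a caveat: `mkcert -install` creates a root CA that every browser and tool on the machine then trusts, and its private key sits in the directory printed by `mkcert -CAROOT`; that directory must not be copied to other machines or committed, and `mkcert -uninstall` removes the trust again when the dev setup is retired.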
@ -47,17 +34,25 @@ We use the ORY Hydra OAuth2 / OpenID Connect implementation. Install Hydra
according to their [documentation](https://www.ory.sh/hydra/docs/install). according to their [documentation](https://www.ory.sh/hydra/docs/install).
The setup has been tested with the Linux binary installation. The setup has been tested with the Linux binary installation.
Preconditions:
- generate certificate + key (see above)
- generate a database password (`openssl rand -base64 16` might be a good idea)
- generate a secret key for your instance (`openssl rand -base64 32` might be a good idea)
Perform the Hydra database setup: Perform the Hydra database setup:
``` ```shell
sudo -i -u postgres psql sudo -i -u postgres psql
> CREATE DATABASE hydra_local ENCODING utf-8; > CREATE DATABASE hydra_local ENCODING 'utf-8';
> CREATE USER hydra_local WITH PASSWORD '${YOUR_POSTGRESQL_PASSWORD}'; > CREATE USER hydra_local WITH PASSWORD '${YOUR_POSTGRESQL_PASSWORD}';
> GRANT CONNECT, CREATE ON DATABASE hydra_local TO hydra_local; > GRANT CONNECT, CREATE ON DATABASE hydra_local TO hydra_local;
hydra migrate sql "postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:5432/hydra_local" hydra migrate sql "postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:5432/hydra_local"
``` ```
*Note*: replace `${YOUR_POSTGRESQL_PASSWORD}` with the password generated above
Create a configuration file for Hydra i.e. ``hydra.yaml``: Create a configuration file for Hydra i.e. ``hydra.yaml``:
``` ```
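Review bot: the `hydra migrate sql` line is a shell command but sits in the same fence as the `psql` statements, after three `>` prompts; split it into its own block or mark the shell prompt so nobody pastes it into psql. Passing the password inside the DSN argument also leaves it in shell history and `ps` output; `hydra migrate sql -e` reads the DSN from the `DSN` environment variable instead. One more caveat on `GRANT CONNECT, CREATE ON DATABASE hydra_local TO hydra_local`: on PostgreSQL 15 and later the `public` schema no longer grants CREATE to every role, so the migration will fail unless `hydra_local` owns the database (`ALTER DATABASE hydra_local OWNER TO hydra_local;`) or is granted CREATE on the schema.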
@ -68,9 +63,9 @@ serve:
host: auth.cacert.localhost host: auth.cacert.localhost
tls: tls:
cert: cert:
path: certs/hydra.cacert.localhost.crt.pem path: hydra.cacert.localhost+1.pem
key: key:
path: certs/hydra.cacert.localhost.key path: hydra.cacert.localhost+1.key.pem
dsn: 'postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:5432/hydra_local' dsn: 'postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:5432/hydra_local'
webfinger: webfinger:
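Review bot: the key path does not match what mkcert writes. Without `-key-file`, the command from the Certificates section names the key `hydra.cacert.localhost+1-key.pem` (hyphen, not `.key.pem`), so Hydra will fail to load its TLS key with `path: hydra.cacert.localhost+1.key.pem`. Either change the path to `path: hydra.cacert.localhost+1-key.pem` or add `-key-file hydra.cacert.localhost+1.key.pem` to the mkcert invocation. Both paths are relative to the directory `hydra serve` is started from; say so, or use absolute paths.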
@ -105,25 +100,28 @@ urls:
secrets: secrets:
system: system:
- "${YOUR SECRET FOR HYDRA}" - "${YOUR_SECRET_FOR_HYDRA}"
``` ```
*Note:* Replace `${YOUR_POSTGRESQL_PASSWORD}` and `${YOUR_SECRET_FOR_HYDRA}`
with the values generated above.
The available configuration options are described in the The available configuration options are described in the
[Hydra configuration documentation](https://www.ory.sh/hydra/docs/reference/configuration). [Hydra configuration documentation](https://www.ory.sh/hydra/docs/reference/configuration).
Hydra needs to be able to resolve its hostnames and does not work with the ## Start
systemd-nss module. You therefore need to define Hydra's hostnames in your
``/etc/hosts`` file:
``` Now you can start Hydra:
::1 auth.cacert.localhost hydra.cacert.localhost
```shell
hydra serve all --config hydra.yaml
``` ```
### Add OpenID Connect configuration for a client ## Add OpenID Connect configuration for a client
Create an OpenID Connect (OIDC) client configuration for the demo application Create an OpenID Connect (OIDC) client configuration for the demo application
``` ```shell
hydra clients create --endpoint https://hydra.cacert.localhost:4445/ \ hydra clients create --endpoint https://hydra.cacert.localhost:4445/ \
--callbacks https://app.cacert.localhost:4000/callback \ --callbacks https://app.cacert.localhost:4000/callback \
--logo-uri https://register.cacert.localhost:3000/images/app.png \ --logo-uri https://register.cacert.localhost:3000/images/app.png \
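Review bot: the deleted `/etc/hosts` paragraph was the only place the README said how `auth.cacert.localhost` and `hydra.cacert.localhost` are resolved; a reader whose resolver does not map `*.localhost` names to loopback now gets a connection error at `hydra serve all` with no hint. Keep a one-line note that both names must resolve to the loopback address, with the `::1` entry from the old text as the fallback. Moving the Start section ahead of client registration is the right order, since `hydra clients create --endpoint https://hydra.cacert.localhost:4445/` needs the admin API to be up. Note also that `hydra.yaml` now holds the database password and `secrets.system` in clear text; it is gitignored, but Hydra accepts both through the `DSN` and `SECRETS_SYSTEM` environment variables, which avoids a secrets file on disk altogether.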
@ -135,11 +133,3 @@ hydra clients create --endpoint https://hydra.cacert.localhost:4445/ \
The command returns a client id and a client secret, that you need for the The command returns a client id and a client secret, that you need for the
demo application configuration. demo application configuration.
## Start
Now you can start Hydra:
```
hydra serve all --config hydra.yaml
```
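Review bot: this hunk only removes the old location of the Start section, which the hunk above re-inserts before client registration, so nothing is lost. While touching it, pin the Hydra release the instructions were tested with: `hydra serve all`, `hydra migrate sql` and `hydra clients create` are CLI forms of a specific release line, and a version number next to "The setup has been tested with the Linux binary installation" saves readers a hunt when the subcommands change.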