Update Hydra setup documentation

This commit is contained in:
Jan Dittberner 2023-08-07 18:40:56 +02:00
parent 4d3f908958
commit 6aa5d1de04


@ -7,20 +7,25 @@ required for the CAcert IDP and client registration applications.
The documentation in this repository is licensed under the terms of the Apache
License Version 2.0.
Copyright © 2020, 2021, 2022 Jan Dittberner
Copyright © 2020-2023 Jan Dittberner
The setup and configuration has been tested on Debian testing on 2022-08-09
The setup and configuration has been tested on Debian testing on 2023-08-07
using the following versions software versions:
- mkcert v1.4.4
- openssl 3.0.4
- PostgreSQL 14.4
- ORY Hydra v1.11.9
- openssl 3.0.9
- PostgreSQL 15.3
- ORY Hydra v2.1.2
On Debian 12 Bookworm you can install `mkcert`, `openssl` and PostgreSQL via apt:
```shell
sudo apt install mkcert openssl postgresql
```
## Create certificate for Hydra
You need a set of certificates for the Hydra. I recommend to use the
[mkcert](https://github.com/FiloSottile/mkcert) utility by Filippo Valsorda:
You need a set of certificates for the Hydra. I recommend to use the `mkcert` utility by Filippo Valsorda:
1. Setup local CA
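Review bot: the unchanged context line `using the following versions software versions:` repeats "versions" and should read `using the following software versions:`; since the surrounding lines are being rewritten anyway, this hunk is the place to fix it. The rewritten mkcert sentence also drops the link to https://github.com/FiloSottile/mkcert, which was the only pointer a reader had for verifying where the tool comes from; keep the link. Finally, the version list still says mkcert v1.4.4 while the new paragraph recommends installing `mkcert` from the Debian 12 apt repository, so the text should say whether that version line applies to the apt package.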
@ -61,32 +66,33 @@ hydra migrate sql "postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:
Create a configuration file for Hydra i.e. ``hydra.yaml``:
```
```yaml
serve:
admin:
host: hydra.cacert.localhost
tls:
enabled: true
cert:
path: hydra.cacert.localhost+1.pem
key:
path: hydra.cacert.localhost+1.key.pem
public:
host: auth.cacert.localhost
tls:
cert:
path: hydra.cacert.localhost+1.pem
key:
path: hydra.cacert.localhost+1.key.pem
dsn: 'postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:5432/hydra_local'
tls:
enabled: true
cert:
path: hydra.cacert.localhost+1.pem
key:
path: hydra.cacert.localhost+1.key.pem
dsn: 'postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:5432/hydra_local'
webfinger:
oidc_discovery:
supported_claims:
- email
- email_verified
- given_name
- family_name
- middle_name
- name
- birthdate
- zoneinfo
- locale
- https://cacert.localhost/groups
supported_scope:
- profile
- email
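Review bot: `enabled: true` is added under the admin listener's `tls` block and the cert/key pair is moved out of the `public` block into a second `tls` block next to `dsn`, but the rendered diff loses the YAML indentation, so the nesting of that second block (a `serve`-level block shared by both listeners, or something else) cannot be checked here; please confirm the public listener on `auth.cacert.localhost` still serves TLS after this move, since every callback and redirect URI later in the document is https. Two points worth a sentence in the text as well: the single certificate `hydra.cacert.localhost+1.pem` is now used for both `hydra.cacert.localhost` (admin) and `auth.cacert.localhost` (public), so it must have been issued for both names, and the `dsn` line embeds the database password in `hydra.yaml`, so the file's permissions should be restricted.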
@ -128,13 +134,11 @@ hydra serve all --config hydra.yaml
Create an OpenID Connect (OIDC) client configuration for the demo application
```shell
hydra clients create --endpoint https://hydra.cacert.localhost:4445/ \
--callbacks https://app.cacert.localhost:4000/callback \
--logo-uri https://register.cacert.localhost:3000/images/app.png \
--name "Client App Demo" \
--scope "openid offline_access profile email" \
--post-logout-callbacks https://app.cacert.localhost:4000/after-logout \
--client-uri https://register.cacert.localhost:3000/info/app
hydra create oauth2-client --endpoint https://hydra.cacert.localhost:4445/ \
--name "OIDC Demo App with Logo" \
--scope openid --scope profile --scope groups --scope email \
--post-logout-callback https://app.cacert.localhost:4000/after-logout \
--redirect-uri https://app.cacert.localhost:4000/callback
```
The command returns a client id and a client secret, that you need for the
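Review bot: the replacement `hydra create oauth2-client` command drops `--logo-uri` and `--client-uri` even though the client is now named "OIDC Demo App with Logo", and it also drops `offline_access` from the requested scopes, so a demo application that relied on refresh tokens will no longer receive them; either restore `--scope offline_access` (and the logo and client URI flags, if the v2 CLI still accepts them) or explain the narrowed scope in the text. The newly requested `--scope groups` must also be listed under `supported_scope` in the `hydra.yaml` hunk above, where only `profile` and `email` are visible within this diff.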