@ -7,20 +7,25 @@ required for the CAcert IDP and client registration applications.
The documentation in this repository is licensed under the terms of the Apache
License Version 2.0.
Copyright © 2020, 2021, 2022 Jan Dittberner
Copyright © 2020-2023 Jan Dittberner
The setup and configuration has been tested on Debian testing on 2022-08-09
The setup and configuration has been tested on Debian testing on 2023-08-07
using the following versions software versions:
- mkcert v1.4.4
- openssl 3.0.4
- PostgreSQL 14.4
- ORY Hydra v1.11.9
- openssl 3.0.9
- PostgreSQL 15.3
- ORY Hydra v2.1.2
On Debian 12 Bookworm you can install `mkcert`, `openssl` and PostgreSQL via apt:
```shell
sudo apt install mkcert openssl postgresql
```
## Create certificate for Hydra
You need a set of certificates for the Hydra. I recommend to use the
[mkcert](https://github.com/FiloSottile/mkcert) utility by Filippo Valsorda:
You need a set of certificates for the Hydra. I recommend to use the `mkcert` utility by Filippo Valsorda:
1. Setup local CA
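Review bot: the version list keeps "mkcert v1.4.4" while the new Debian 12 sentence installs mkcert from apt; say whether v1.4.4 is the apt package or a separate upstream download, otherwise the tested-versions list and the install step disagree. Two smaller points in the same hunk: the rewritten sentence drops the link to https://github.com/FiloSottile/mkcert, which is worth keeping so readers fetch the tool from its upstream repository rather than a lookalike, and the context line "using the following versions software versions" still carries the doubled word; suggest "using the following software versions" and "I recommend using the mkcert utility".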
@ -61,32 +66,33 @@ hydra migrate sql "postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:
Create a configuration file for Hydra i.e. ``hydra.yaml``:
```
```yaml
serve:
admin:
host: hydra.cacert.localhost
tls:
enabled: true
cert:
path: hydra.cacert.localhost+1.pem
key:
path: hydra.cacert.localhost+1.key.pem
public:
host: auth.cacert.localhost
tls:
cert:
path: hydra.cacert.localhost+1.pem
key:
path: hydra.cacert.localhost+1.key.pem
dsn: 'postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:5432/hydra_local'
tls:
enabled: true
cert:
path: hydra.cacert.localhost+1.pem
key:
path: hydra.cacert.localhost+1.key.pem
dsn: 'postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:5432/hydra_local'
webfinger:
oidc_discovery:
supported_claims:
- email
- email_verified
- given_name
- family_name
- middle_name
- name
- birthdate
- zoneinfo
- locale
- https://cacert.localhost/groups
supported_scope:
- profile
- email
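Review bot: `serve.admin.tls` sets `enabled: true` but the new `serve.public.tls` block carries only `cert` and `key`; unless Hydra 2 enables TLS per endpoint by default, the public endpoint at auth.cacert.localhost would start without TLS while the client callbacks later in this patch are all https, so add `enabled: true` under `public.tls` as well (or drop it from `admin.tls` if it is redundant) so the two blocks are symmetric. Also, `${YOUR_POSTGRESQL_PASSWORD}` inside the quoted `dsn` value is a shell-style placeholder that YAML will not expand; either tell the reader to substitute it by hand or suggest passing the DSN through Hydra's `DSN` environment variable, which keeps the database password out of hydra.yaml.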
@ -128,13 +134,11 @@ hydra serve all --config hydra.yaml
Create an OpenID Connect (OIDC) client configuration for the demo application
```shell
hydra clients create --endpoint https://hydra.cacert.localhost:4445/ \
--callbacks https://app.cacert.localhost:4000/callback \
--logo-uri https://register.cacert.localhost:3000/images/app.png \
--name "Client App Demo" \
--scope "openid offline_access profile email" \
--post-logout-callbacks https://app.cacert.localhost:4000/after-logout \
--client-uri https://register.cacert.localhost:3000/info/app
hydra create oauth2-client --endpoint https://hydra.cacert.localhost:4445/ \
--name "OIDC Demo App with Logo" \
--scope openid --scope profile --scope groups --scope email \
--post-logout-callback https://app.cacert.localhost:4000/after-logout \
--redirect-uri https://app.cacert.localhost:4000/callback
```
The command returns a client id and a client secret, that you need for the
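Review bot: the new client is named "OIDC Demo App with Logo" but the `--logo-uri https://register.cacert.localhost:3000/images/app.png` and `--client-uri https://register.cacert.localhost:3000/info/app` options from the old command are gone; restore them on the `hydra create oauth2-client` call or rename the client. The old scope string included `offline_access` and the new `--scope` list does not, so refresh tokens will no longer be issued to this client; if that is intended, one sentence saying so would help readers migrating from the v1 command. Finally, `--scope groups` is requested here while the visible part of `supported_scope` in hydra.yaml lists only `profile` and `email`; check that `groups` is present in that list.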