From 6aa5d1de0411ce93deb67d91ed841ec1ef658bc3 Mon Sep 17 00:00:00 2001 From: Jan Dittberner Date: Mon, 7 Aug 2023 18:40:56 +0200 Subject: [PATCH] Update Hydra setup documentation --- README.md | 60 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 32 insertions(+), 28 deletions(-) diff --git a/README.md b/README.md index 3d88715..6df0025 100644 --- a/README.md +++ b/README.md @@ -7,20 +7,25 @@ required for the CAcert IDP and client registration applications. The documentation in this repository is licensed under the terms of the Apache License Version 2.0. -Copyright © 2020, 2021, 2022 Jan Dittberner +Copyright © 2020-2023 Jan Dittberner -The setup and configuration has been tested on Debian testing on 2022-08-09 +The setup and configuration has been tested on Debian testing on 2023-08-07 using the following versions software versions: - mkcert v1.4.4 -- openssl 3.0.4 -- PostgreSQL 14.4 -- ORY Hydra v1.11.9 +- openssl 3.0.9 +- PostgreSQL 15.3 +- ORY Hydra v2.1.2 + +On Debian 12 Bookworm you can install `mkcert`, `openssl` and PostgreSQL via apt: + +```shell +sudo apt install mkcert openssl postgresql +``` ## Create certificate for Hydra -You need a set of certificates for the Hydra. I recommend to use the -[mkcert](https://github.com/FiloSottile/mkcert) utility by Filippo Valsorda: +You need a set of certificates for the Hydra. I recommend to use the `mkcert` utility by Filippo Valsorda: 1. Setup local CA @@ -61,32 +66,33 @@ hydra migrate sql "postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost: Create a configuration file for Hydra i.e. ``hydra.yaml``: -``` +```yaml serve: admin: host: hydra.cacert.localhost + tls: + enabled: true + cert: + path: hydra.cacert.localhost+1.pem + key: + path: hydra.cacert.localhost+1.key.pem public: host: auth.cacert.localhost - tls: - cert: - path: hydra.cacert.localhost+1.pem - key: - path: hydra.cacert.localhost+1.key.pem - dsn: 'postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:5432/hydra_local' + tls: + enabled: true + cert: + path: hydra.cacert.localhost+1.pem + key: + path: hydra.cacert.localhost+1.key.pem + +dsn: 'postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:5432/hydra_local' webfinger: oidc_discovery: supported_claims: - email - email_verified - - given_name - - family_name - - middle_name - name - - birthdate - - zoneinfo - - locale - - https://cacert.localhost/groups supported_scope: - profile - email @@ -128,13 +134,11 @@ hydra serve all --config hydra.yaml Create an OpenID Connect (OIDC) client configuration for the demo application ```shell -hydra clients create --endpoint https://hydra.cacert.localhost:4445/ \ - --callbacks https://app.cacert.localhost:4000/callback \ - --logo-uri https://register.cacert.localhost:3000/images/app.png \ - --name "Client App Demo" \ - --scope "openid offline_access profile email" \ - --post-logout-callbacks https://app.cacert.localhost:4000/after-logout \ - --client-uri https://register.cacert.localhost:3000/info/app +hydra create oauth2-client --endpoint https://hydra.cacert.localhost:4445/ \ + --name "OIDC Demo App with Logo" \ + --scope openid --scope profile --scope groups --scope email \ + --post-logout-callback https://app.cacert.localhost:4000/after-logout \ + --redirect-uri https://app.cacert.localhost:4000/callback ``` The command returns a client id and a client secret, that you need for the