Update Hydra setup documentation

main
Jan Dittberner 10 months ago
parent 4d3f908958
commit 6aa5d1de04

@ -7,20 +7,25 @@ required for the CAcert IDP and client registration applications.
The documentation in this repository is licensed under the terms of the Apache The documentation in this repository is licensed under the terms of the Apache
License Version 2.0. License Version 2.0.
Copyright © 2020, 2021, 2022 Jan Dittberner Copyright © 2020-2023 Jan Dittberner
The setup and configuration has been tested on Debian testing on 2022-08-09 The setup and configuration has been tested on Debian testing on 2023-08-07
using the following versions software versions: using the following versions software versions:
- mkcert v1.4.4 - mkcert v1.4.4
- openssl 3.0.4 - openssl 3.0.9
- PostgreSQL 14.4 - PostgreSQL 15.3
- ORY Hydra v1.11.9 - ORY Hydra v2.1.2
On Debian 12 Bookworm you can install `mkcert`, `openssl` and PostgreSQL via apt:
```shell
sudo apt install mkcert openssl postgresql
```
## Create certificate for Hydra ## Create certificate for Hydra
You need a set of certificates for the Hydra. I recommend to use the You need a set of certificates for the Hydra. I recommend to use the `mkcert` utility by Filippo Valsorda:
[mkcert](https://github.com/FiloSottile/mkcert) utility by Filippo Valsorda:
1. Setup local CA 1. Setup local CA
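Review bot: the rewritten sentence "I recommend to use the `mkcert` utility by Filippo Valsorda:" drops the link to https://github.com/FiloSottile/mkcert that the old text carried; keep the link, since the `apt install mkcert` line only covers Bookworm and readers on other systems need to know where the tool comes from. While touching this paragraph, the phrase "using the following versions software versions:" has a duplicated word on both the old and new side and could be fixed here, and the tested-on line still says "Debian testing" while the new install instruction names Debian 12 Bookworm; say which one the 2023-08-07 test actually ran on.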
@ -61,32 +66,33 @@ hydra migrate sql "postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:
Create a configuration file for Hydra i.e. ``hydra.yaml``: Create a configuration file for Hydra i.e. ``hydra.yaml``:
``` ```yaml
serve: serve:
admin: admin:
host: hydra.cacert.localhost host: hydra.cacert.localhost
tls:
enabled: true
cert:
path: hydra.cacert.localhost+1.pem
key:
path: hydra.cacert.localhost+1.key.pem
public: public:
host: auth.cacert.localhost host: auth.cacert.localhost
tls: tls:
cert: enabled: true
path: hydra.cacert.localhost+1.pem cert:
key: path: hydra.cacert.localhost+1.pem
path: hydra.cacert.localhost+1.key.pem key:
dsn: 'postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:5432/hydra_local' path: hydra.cacert.localhost+1.key.pem
dsn: 'postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:5432/hydra_local'
webfinger: webfinger:
oidc_discovery: oidc_discovery:
supported_claims: supported_claims:
- email - email
- email_verified - email_verified
- given_name
- family_name
- middle_name
- name - name
- birthdate
- zoneinfo
- locale
- https://cacert.localhost/groups
supported_scope: supported_scope:
- profile - profile
- email - email
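Review bot: the `dsn:` value keeps the `${YOUR_POSTGRESQL_PASSWORD}` placeholder from the `hydra migrate sql "postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@..."` shell command in the hunk header, but a YAML file is not shell-expanded, so the text should tell the reader to substitute the real password (or leave `dsn` out of the file and pass it through the `DSN` environment variable, which Hydra reads). Once the real password is in `hydra.yaml` the file should be mode 0600, which is worth a sentence next to the new `tls: enabled: true` blocks. Also note that `supported_claims` now lists `https://cacert.localhost/groups` and the admin listener gained `tls.enabled: true` with the same `hydra.cacert.localhost+1.pem` pair as the public listener; a line saying that the `+1` certificate must cover both `hydra.cacert.localhost` and `auth.cacert.localhost` would save readers a TLS name mismatch.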
@ -128,13 +134,11 @@ hydra serve all --config hydra.yaml
Create an OpenID Connect (OIDC) client configuration for the demo application Create an OpenID Connect (OIDC) client configuration for the demo application
```shell ```shell
hydra clients create --endpoint https://hydra.cacert.localhost:4445/ \ hydra create oauth2-client --endpoint https://hydra.cacert.localhost:4445/ \
--callbacks https://app.cacert.localhost:4000/callback \ --name "OIDC Demo App with Logo" \
--logo-uri https://register.cacert.localhost:3000/images/app.png \ --scope openid --scope profile --scope groups --scope email \
--name "Client App Demo" \ --post-logout-callback https://app.cacert.localhost:4000/after-logout \
--scope "openid offline_access profile email" \ --redirect-uri https://app.cacert.localhost:4000/callback
--post-logout-callbacks https://app.cacert.localhost:4000/after-logout \
--client-uri https://register.cacert.localhost:3000/info/app
``` ```
The command returns a client id and a client secret, that you need for the The command returns a client id and a client secret, that you need for the
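Review bot: the new `hydra create oauth2-client` invocation names the client "OIDC Demo App with Logo" but no longer passes `--logo-uri` (or `--client-uri`), which the old `hydra clients create` command did; either re-add those URIs for the v2 command or rename the client so the text does not promise a logo that is never configured. The scope list also changed from `"openid offline_access profile email"` to `--scope openid --scope profile --scope groups --scope email`: adding `groups` matches the new `https://cacert.localhost/groups` claim, but dropping `offline_access` silently removes refresh tokens, so state whether the demo app relies on them.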
