# ORY Hydra configuration for CAcert

This repository contains instructions on how to set up [ORY Hydra](https://www.ory.sh/hydra/) for the OAuth2 / OpenID Connect operations required for the CAcert IDP and client registration applications.

The documentation in this repository is licensed under the terms of the Apache License Version 2.0.

Copyright © 2020-2023 Jan Dittberner

The setup and configuration has been tested on Debian testing on 2023-08-07 using the following software versions:

- mkcert v1.4.4
- openssl 3.0.9
- PostgreSQL 15.3
- ORY Hydra v2.1.2

On Debian 12 Bookworm you can install `mkcert`, `openssl` and PostgreSQL via apt:

```shell
sudo apt install mkcert openssl postgresql
```

## Create certificate for Hydra

You need a TLS certificate and key for Hydra. I recommend using the `mkcert` utility by Filippo Valsorda:

1. Set up the local CA (this installs the mkcert root certificate into the system trust store, so locally issued certificates are trusted by the Hydra CLI and your browser)

   ```shell
   mkcert -install
   ```

2. Create a key pair and certificate covering both the admin and the public host name

   ```shell
   mkcert hydra.cacert.localhost auth.cacert.localhost
   ```

## Set up Hydra

We use the ORY Hydra OAuth2 / OpenID Connect implementation. Install Hydra according to their [documentation](https://www.ory.sh/hydra/docs/install). The setup has been tested with the Linux binary installation.

Preconditions:

- generate certificate + key (see above)
- generate a database password (`openssl rand -base64 16` might be a good idea)
- generate a secret key for your instance (`openssl rand -base64 32` might be a good idea)

Perform the Hydra database setup. The lines prefixed with `>` are entered at the `psql` prompt; leave `psql` before running the migration:

```shell
sudo -i -u postgres psql
> CREATE DATABASE hydra_local ENCODING 'utf-8';
> CREATE USER hydra_local WITH PASSWORD '${YOUR_POSTGRESQL_PASSWORD}';
> GRANT CONNECT, CREATE ON DATABASE hydra_local TO hydra_local;
> \q
hydra migrate sql "postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:5432/hydra_local"
```

*Note*: replace `${YOUR_POSTGRESQL_PASSWORD}` with the password generated above. On PostgreSQL 15 and later the `public` schema no longer grants `CREATE` to every role by default; if the migration fails with a permission error for schema `public`, grant the `hydra_local` role `CREATE` on that schema inside the `hydra_local` database.

Create a configuration file for Hydra, e.g. `hydra.yaml`:

```yaml
serve:
  admin:
    host: hydra.cacert.localhost
    tls:
      enabled: true
      cert:
        path: hydra.cacert.localhost+1.pem
      key:
        path: hydra.cacert.localhost+1.key.pem
  public:
    host: auth.cacert.localhost
    tls:
      enabled: true
      cert:
        path: hydra.cacert.localhost+1.pem
      key:
        path: hydra.cacert.localhost+1.key.pem

dsn: 'postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:5432/hydra_local'

webfinger:
  oidc_discovery:
    supported_claims:
      - email
      - email_verified
      - name
    supported_scope:
      - profile
      - email

oauth2:
  # keep internal error details out of responses sent to clients
  expose_internal_errors: false

urls:
  login: https://login.cacert.localhost:3000/login
  consent: https://login.cacert.localhost:3000/consent
  logout: https://login.cacert.localhost:3000/logout
  error: https://login.cacert.localhost:3000/error
  post_logout_redirect: https://login.cacert.localhost:3000/logout-successful
  self:
    public: https://auth.cacert.localhost:4444/
    issuer: https://auth.cacert.localhost:4444/

secrets:
  system:
    - "${YOUR_SECRET_FOR_HYDRA}"
```

*Note:* Replace `${YOUR_POSTGRESQL_PASSWORD}` and `${YOUR_SECRET_FOR_HYDRA}` with the values generated above. The system secret is used to encrypt data at rest, so keep the configuration file readable only by the user running Hydra.

The available configuration options are described in the [Hydra configuration documentation](https://www.ory.sh/hydra/docs/reference/configuration).

## Start

Now you can start Hydra:

```shell
hydra serve all --config hydra.yaml
```

## Add OpenID Connect configuration for a client

Create an OpenID Connect (OIDC) client configuration for the demo application:

```shell
hydra create oauth2-client --endpoint https://hydra.cacert.localhost:4445/ \
  --name "OIDC Demo App with Logo" \
  --scope openid --scope profile --scope groups --scope email \
  --post-logout-callback https://app.cacert.localhost:4000/after-logout \
  --redirect-uri https://app.cacert.localhost:4000/callback
```

The command returns a client ID and a client secret, which you need for the demo application configuration.
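A post-setup check, added here as an example (it is not part of this repository): it fetches Hydra's OIDC discovery document from the public endpoint and compares the issuer, endpoint scheme, scopes and claims with the values configured in `hydra.yaml` above. It assumes the path to mkcert's `rootCA.pem` (see `mkcert -CAROOT`) is passed as the first argument so the locally issued TLS certificate validates.

```python
"""Compare Hydra's OIDC discovery document with the expected hydra.yaml values."""
import json
import ssl
import sys
import urllib.request

ISSUER = "https://auth.cacert.localhost:4444/"
# Scopes and claims configured under webfinger.oidc_discovery (plus "openid").
EXPECTED_SCOPES = {"openid", "profile", "email"}
EXPECTED_CLAIMS = {"email", "email_verified", "name"}
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint",
             "jwks_uri", "end_session_endpoint")


def check_discovery(doc, issuer=ISSUER, scopes=EXPECTED_SCOPES, claims=EXPECTED_CLAIMS):
    """Return a list of problems found in a parsed discovery document.

    An empty list means the document matches the expected configuration.
    """
    problems = []
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {issuer!r}")
    # Every endpoint a relying party talks to must be served over TLS.
    for key in ENDPOINTS:
        url = doc.get(key, "")
        if not url.startswith("https://"):
            problems.append(f"{key} missing or not https: {url!r}")
    missing_scopes = scopes - set(doc.get("scopes_supported", []))
    if missing_scopes:
        problems.append(f"scopes not advertised: {sorted(missing_scopes)}")
    missing_claims = claims - set(doc.get("claims_supported", []))
    if missing_claims:
        problems.append(f"claims not advertised: {sorted(missing_claims)}")
    return problems


def fetch_discovery(issuer=ISSUER, cafile=None):
    """Fetch the discovery document, validating TLS against the given CA file."""
    ctx = ssl.create_default_context(cafile=cafile)
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    ca = sys.argv[1] if len(sys.argv) > 1 else None  # path to mkcert rootCA.pem
    found = check_discovery(fetch_discovery(cafile=ca))
    for problem in found:
        print("PROBLEM:", problem)
    sys.exit(1 if found else 0)
```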