# ORY Hydra configuration for CAcert

This repository contains instructions on how to set up [ORY Hydra](https://www.ory.sh/hydra/) for the OAuth2 / OpenID Connect operations required for the CAcert IDP and client registration applications.

The documentation in this repository is licensed under the terms of the Apache License Version 2.0.

Copyright © 2020, 2021, 2022 Jan Dittberner

The setup and configuration has been tested on Debian testing on 2022-08-09 using the following software versions:

- mkcert v1.4.4
- openssl 3.0.4
- PostgreSQL 14.4
- ORY Hydra v1.11.9

## Setup

### Certificates

You need a set of certificates for Hydra. I recommend using the [mkcert](https://github.com/FiloSottile/mkcert) utility by Filippo Valsorda:

1. Set up a local CA

   ```shell
   mkcert -install
   ```

2. Create a key pair and certificate

   ```shell
   mkcert hydra.cacert.localhost auth.cacert.localhost
   ```

### Setup Hydra

We use the ORY Hydra OAuth2 / OpenID Connect implementation. Install Hydra according to their [documentation](https://www.ory.sh/hydra/docs/install). The setup has been tested with the Linux binary installation.

Preconditions:

- generate certificate + key (see above)
- generate a database password (`openssl rand -base64 16` might be a good idea)
- generate a secret key for your instance (`openssl rand -base64 32` might be a good idea)

Perform the Hydra database setup:

```shell
sudo -i -u postgres psql
> CREATE DATABASE hydra_local ENCODING 'utf-8';
> CREATE USER hydra_local WITH PASSWORD '${YOUR_POSTGRESQL_PASSWORD}';
> GRANT CONNECT, CREATE ON DATABASE hydra_local TO hydra_local;

hydra migrate sql "postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:5432/hydra_local"
```

*Note*: replace `${YOUR_POSTGRESQL_PASSWORD}` with the password generated above.

Create a configuration file for Hydra, e.g. `hydra.yaml`:

```yaml
serve:
  admin:
    host: hydra.cacert.localhost
  public:
    host: auth.cacert.localhost
  tls:
    cert:
      path: hydra.cacert.localhost+1.pem
    key:
      path: hydra.cacert.localhost+1.key.pem
dsn: 'postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:5432/hydra_local'
webfinger:
  oidc_discovery:
    supported_claims:
      - email
      - email_verified
      - given_name
      - family_name
      - middle_name
      - name
      - birthdate
      - zoneinfo
      - locale
      - https://cacert.localhost/groups
    supported_scope:
      - profile
      - email
oauth2:
  expose_internal_errors: false
urls:
  login: https://login.cacert.localhost:3000/login
  consent: https://login.cacert.localhost:3000/consent
  logout: https://login.cacert.localhost:3000/logout
  error: https://login.cacert.localhost:3000/error
  post_logout_redirect: https://login.cacert.localhost:3000/logout-successful
  self:
    public: https://auth.cacert.localhost:4444/
    issuer: https://auth.cacert.localhost:4444/
secrets:
  system:
    - "${YOUR_SECRET_FOR_HYDRA}"
```

*Note:* Replace `${YOUR_POSTGRESQL_PASSWORD}` and `${YOUR_SECRET_FOR_HYDRA}` with the values generated above.

The available configuration options are described in the [Hydra configuration documentation](https://www.ory.sh/hydra/docs/reference/configuration).

## Start

Now you can start Hydra:

```shell
hydra serve all --config hydra.yaml
```

## Add OpenID Connect configuration for a client

Create an OpenID Connect (OIDC) client configuration for the demo application:

```shell
hydra clients create --endpoint https://hydra.cacert.localhost:4445/ \
  --callbacks https://app.cacert.localhost:4000/callback \
  --logo-uri https://register.cacert.localhost:3000/images/app.png \
  --name "Client App Demo" \
  --scope "openid offline_access profile email" \
  --post-logout-callbacks https://app.cacert.localhost:4000/after-logout \
  --client-uri https://register.cacert.localhost:3000/info/app
```

The command returns a client id and a client secret that you need for the demo application configuration.
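As an added check (example code, not part of this repository or of Hydra), the following Python script fetches the OIDC discovery document from the public endpoint started above and compares it with the values in `hydra.yaml`: the issuer, the configured claims and scopes, and that every advertised endpoint lives under the issuer. It assumes the hostnames and ports from this README and that `mkcert -install` has put the mkcert root CA into the system trust store; the embedded sample document is constructed for offline use and is not real Hydra output.

```python
"""Check a running Hydra's OIDC discovery document against the hydra.yaml above."""
import json
import ssl
import urllib.request

# Expected values copied from the hydra.yaml in this README; adjust if you changed them.
EXPECTED_ISSUER = "https://auth.cacert.localhost:4444/"
EXPECTED_CLAIMS = {"email", "email_verified", "given_name", "family_name", "middle_name",
                   "name", "birthdate", "zoneinfo", "locale", "https://cacert.localhost/groups"}
EXPECTED_SCOPES = {"profile", "email"}
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(doc: dict) -> list:
    """Return human-readable problems; an empty list means the document matches."""
    problems = []
    if doc.get("issuer") != EXPECTED_ISSUER:
        problems.append(f"issuer {doc.get('issuer')!r} != {EXPECTED_ISSUER!r}")
    for what, expected, key in (("claims", EXPECTED_CLAIMS, "claims_supported"),
                                ("scopes", EXPECTED_SCOPES, "scopes_supported")):
        missing = expected - set(doc.get(key, []))
        if missing:
            problems.append(f"{what} missing from {key}: {', '.join(sorted(missing))}")
    # Every advertised endpoint must live under the issuer; otherwise urls.self is wrong.
    for key in ENDPOINT_KEYS:
        url = doc.get(key, "")
        if not url.startswith(EXPECTED_ISSUER):
            problems.append(f"{key} {url!r} is not under the issuer")
    return problems

def fetch_discovery(issuer: str = EXPECTED_ISSUER, cafile: str = None) -> dict:
    """Fetch the discovery document; pass the mkcert root (`mkcert -CAROOT`) as cafile if needed."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(issuer + ".well-known/openid-configuration",
                                context=ctx, timeout=5) as resp:
        return json.load(resp)

# Constructed sample response for offline use; it deliberately lacks the groups claim.
SAMPLE_DOC = {
    "issuer": EXPECTED_ISSUER,
    "authorization_endpoint": EXPECTED_ISSUER + "oauth2/auth",
    "token_endpoint": EXPECTED_ISSUER + "oauth2/token",
    "jwks_uri": EXPECTED_ISSUER + ".well-known/jwks.json",
    "claims_supported": ["sub", "email", "email_verified", "given_name", "family_name",
                         "middle_name", "name", "birthdate", "zoneinfo", "locale"],
    "scopes_supported": ["openid", "offline_access", "profile", "email"],
}
if __name__ == "__main__":
    for problem in check_discovery(fetch_discovery()):
        print("PROBLEM:", problem)
```

Run it with `python3 check_discovery.py` after `hydra serve all`; no output means the discovery document matches the configuration.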