Example ORY Hydra (https://www.ory.sh/hydra/) configuration for a local development setup
ORY Hydra configuration for CAcert

This repository contains instructions on how to set up ORY Hydra for the OAuth2 / OpenID Connect operations required by the CAcert IDP and client registration applications.

The documentation in this repository is licensed under the terms of the Apache License Version 2.0.

Copyright © 2020-2023 Jan Dittberner

The setup and configuration has been tested on Debian testing on 2023-08-07 using the following software versions:

  • mkcert v1.4.4
  • openssl 3.0.9
  • PostgreSQL 15.3
  • ORY Hydra v2.1.2

On Debian 12 Bookworm you can install mkcert, openssl and PostgreSQL via apt:

sudo apt install mkcert openssl postgresql

Create certificate for Hydra

You need a TLS certificate and key for Hydra. I recommend using the mkcert utility by Filippo Valsorda, which creates a local CA and installs it into the system and browser trust stores, so the Hydra CLI and your browser accept the certificate without any --skip-tls-verify style workarounds:

  1. Setup local CA

    mkcert -install
    
  2. Create a key pair and certificate

    mkcert hydra.cacert.localhost auth.cacert.localhost
    
    mkcert writes the certificate to hydra.cacert.localhost+1.pem and the private key to hydra.cacert.localhost+1-key.pem in the current directory; the configuration below refers to these two files.

Setup Hydra

We use the ORY Hydra OAuth2 / OpenID Connect implementation. Install Hydra according to the Ory installation documentation. The setup has been tested with the Linux binary installation.

Preconditions:

  • generate certificate + key (see above)
  • generate a database password (openssl rand -hex 16 is a good choice; a base64 password may contain '/', '+' and '=', which have to be URL-encoded before they can be embedded in the postgres:// DSN)
  • generate a system secret for your instance (openssl rand -base64 32 is a good choice; Hydra requires at least 16 characters, and this secret encrypts stored tokens and keys, so treat it like a private key)

Perform the Hydra database setup:

sudo -i -u postgres psql
> CREATE DATABASE hydra_local ENCODING 'utf-8';
> CREATE USER hydra_local WITH PASSWORD '${YOUR_POSTGRESQL_PASSWORD}';
> GRANT CONNECT, CREATE ON DATABASE hydra_local TO hydra_local;

hydra migrate sql "postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:5432/hydra_local"

Note: replace ${YOUR_POSTGRESQL_PASSWORD} with the password generated above. On PostgreSQL 15 and later the public schema is no longer writable by every role, so if the migration fails with "permission denied for schema public", make hydra_local the owner of its database (ALTER DATABASE hydra_local OWNER TO hydra_local;) or grant it CREATE on the public schema while connected to hydra_local.

Create a configuration file for Hydra, e.g. hydra.yaml. The certificate and key paths are the files mkcert created above:

serve:
  admin:
    host: hydra.cacert.localhost
    tls:
      enabled: true
      cert:
        path: hydra.cacert.localhost+1.pem
      key:
        path: hydra.cacert.localhost+1-key.pem
  public:
    host: auth.cacert.localhost
    tls:
      enabled: true
      cert:
        path: hydra.cacert.localhost+1.pem
      key:
        path: hydra.cacert.localhost+1-key.pem

dsn: 'postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:5432/hydra_local'

webfinger:
  oidc_discovery:
    supported_claims:
      - email
      - email_verified
      - name
    supported_scope:
      - profile
      - email

oauth2:
  expose_internal_errors: false

urls:
  login: https://login.cacert.localhost:3000/login
  consent: https://login.cacert.localhost:3000/consent
  logout: https://login.cacert.localhost:3000/logout
  error: https://login.cacert.localhost:3000/error
  post_logout_redirect: https://login.cacert.localhost:3000/logout-successful
  self:
    public: https://auth.cacert.localhost:4444/
    issuer: https://auth.cacert.localhost:4444/

secrets:
  system:
    - "${YOUR_SECRET_FOR_HYDRA}"

Note: Replace ${YOUR_POSTGRESQL_PASSWORD} and ${YOUR_SECRET_FOR_HYDRA} with the values generated above, and keep hydra.yaml out of version control once it contains them. The admin API on port 4445 has no authentication of its own: anyone who can reach it can create clients and read consent sessions, so only bind it to a host name that resolves locally (as hydra.cacert.localhost does) and never expose it alongside the public endpoint.

The available configuration options are described in the Hydra configuration documentation.

Start

Now you can start Hydra:

hydra serve all --config hydra.yaml
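The steps above paste the database password and the system secret into hydra.yaml. The following script is an added example (not part of this repository or of Ory Hydra) that generates both secrets once into a mode-0600 file and passes them to Hydra through environment variables instead, which Hydra supports for every configuration key (upper case, dots replaced by underscores: dsn becomes DSN, secrets.system becomes SECRETS_SYSTEM). It also checks a hydra.yaml for leftover ${...} placeholders, the most common copy-and-paste mistake with the configuration above. The file name hydra.env, the script name hydra-env.sh and the variable name HYDRA_DB_PASSWORD are assumptions made for this example.

```shell
#!/bin/sh
# Added example for the CAcert Hydra setup, not code from the README or Ory.
# Usage: sh hydra-env.sh hydra.env migrate sql -e
#        sh hydra-env.sh hydra.env serve all --config hydra.yaml
# hydra.env and HYDRA_DB_PASSWORD are names assumed by this example.
set -eu

# Write HYDRA_DB_PASSWORD and SECRETS_SYSTEM to the file given as $1 unless it
# already exists. The database password is hex so it can be embedded in the
# postgres:// DSN without URL-encoding (base64 may contain '/', '+', '=').
# The system secret is 44 base64 characters; Hydra requires at least 16.
generate_hydra_secrets() {
    env_file=$1
    if [ -e "$env_file" ]; then
        echo "$env_file already exists, keeping it" >&2
        return 0
    fi
    old_umask=$(umask)
    umask 077                              # file is created 0600
    db_pw=$(openssl rand -hex 16)
    sys_secret=$(openssl rand -base64 32)
    printf 'HYDRA_DB_PASSWORD=%s\nSECRETS_SYSTEM=%s\n' "$db_pw" "$sys_secret" > "$env_file"
    umask "$old_umask"
}

# Build the DSN for the hydra_local database from the password, using the
# same host, port, user and database name as the README.
build_dsn() {
    printf 'postgres://hydra_local:%s@localhost:5432/hydra_local' "$1"
}

# Fail (exit status 1) if a config file still contains an unreplaced
# ${...} placeholder and print the offending lines.
check_no_placeholders() {
    if grep -q '\${' "$1"; then
        echo "$1: unreplaced placeholder(s):" >&2
        grep -n '\${' "$1" >&2
        return 1
    fi
    return 0
}

# Load the env file, export DSN and SECRETS_SYSTEM and run the given hydra
# subcommand with them. With these variables set, hydra.yaml needs neither
# a dsn: nor a secrets: section.
run_hydra() {
    env_file=$1
    shift
    case "$env_file" in
        */*) ;;
        *) env_file="./$env_file" ;;   # '.' would otherwise search PATH
    esac
    set -a
    . "$env_file"
    set +a
    DSN=$(build_dsn "$HYDRA_DB_PASSWORD")
    export DSN
    hydra "$@"
}

if [ "$#" -ge 2 ]; then
    generate_hydra_secrets "$1"
    run_hydra "$@"
fi
```

Running the migration as `sh hydra-env.sh hydra.env migrate sql -e` uses Hydra's -e flag to read the DSN from the environment, so the password never appears on the command line or in the shell history either.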

Add OpenID Connect configuration for a client

Create an OpenID Connect (OIDC) client configuration for the demo application

hydra create oauth2-client --endpoint https://hydra.cacert.localhost:4445/ \
    --name "OIDC Demo App with Logo" \
    --scope openid --scope profile --scope groups --scope email \
    --post-logout-callback https://app.cacert.localhost:4000/after-logout \
    --redirect-uri https://app.cacert.localhost:4000/callback

The command returns a client id and a client secret, which you need for the demo application configuration. Hydra stores only a hash of the secret, so it is shown this one time; copy it straight into the application's configuration (add --format json to the command if you want to parse the output).