Example ORY Hydra (https://www.ory.sh/hydra/) configuration for a local development setup
Find a file
2021-09-11 11:39:10 +02:00
.gitignore Add Hydra setup documentation 2021-09-11 11:39:10 +02:00
README.md Add Hydra setup documentation 2021-09-11 11:39:10 +02:00

ORY Hydra configuration for CAcert

This repository contains instructions how to setup ORY Hydra for the OAuth2 / OpenID Connect operations required for the CAcert IDP and client registration applications.

The documentation in this repository is licensed under the terms of the Apache License Version 2.0.

Copyright © 2020, 2021 Jan Dittberner

Setup

Certificates

You need a set of certificates for the Hydra. You can use the Test CA created by the setup_test_ca.sh script from the CAcert developer setup repository like this:

  1. create signing requests

    mkdir certs
    cd certs
    openssl req -new -newkey rsa:3072 -nodes \
        -keyout hydra.cacert.localhost.key \
        -out hydra.cacert.localhost.csr.pem \
        -subj /CN=hydra.cacert.localhost \
        -addext subjectAltName=DNS:hydra.cacert.localhost,DNS:auth.cacert.localhost
    cp *.csr.pem $PATH_TO_DEVSETUP_TESTCA/
    
  2. Use the CA to sign the certificates

    pushd $PATH_TO_DEVSETUP_TESTCA/
    openssl ca -config ca.cnf -name class3_ca -extensions server_ext \
       -in hydra.cacert.localhost.csr.pem \
       -out hydra.cacert.localhost.crt.pem -days 365
    popd
    cp $PATH_TO_DEVSETUP_TESTCA/hydra.cacert.localhost.crt.pem .
    

Setup Hydra

We use the ORY Hydra OAuth2 / OpenID Connect implementation. Install Hydra according to their documentation. The setup has been tested with the Linux binary installation.

Perform the Hydra database setup:

sudo -i -u postgres psql
> CREATE DATABASE hydra_local ENCODING utf-8;
> CREATE USER hydra_local WITH PASSWORD '${YOUR_POSTGRESQL_PASSWORD}';
> GRANT CONNECT, CREATE ON DATABASE hydra_local TO hydra_local;

hydra migrate sql "postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:5432/hydra_local"

Create a configuration file for Hydra i.e. hydra.yaml:

serve:
  admin:
    host: hydra.cacert.localhost
  public:
    host: auth.cacert.localhost
  tls:
    cert:
      path: certs/hydra.cacert.localhost.crt.pem
    key:
      path: certs/hydra.cacert.localhost.key
  dsn: 'postgres://hydra_local:${YOUR_POSTGRESQL_PASSWORD}@localhost:5432/hydra_local'

webfinger:
  oidc_discovery:
    supported_claims:
      - email
      - email_verified
      - given_name
      - family_name
      - middle_name
      - name
      - birthdate
      - zoneinfo
      - locale
      - https://cacert.localhost/groups
    supported_scope:
      - profile
      - email

oauth2:
  expose_internal_errors: false

urls:
  login: https://login.cacert.localhost:3000/login
  consent: https://login.cacert.localhost:3000/consent
  logout: https://login.cacert.localhost:3000/logout
  error: https://login.cacert.localhost:3000/error
  post_logout_redirect: https://login.cacert.localhost:3000/logout-successful
  self:
    public: https://auth.cacert.localhost:4444/
    issuer: https://auth.cacert.localhost:4444/

secrets:
  system:
    - "${YOUR SECRET FOR HYDRA}"

The available configuration options are described in the Hydra configuration documentation.

Hydra needs to be able to resolve its hostnames and does not work with the systemd-nss module. You therefore need to define Hydra's hostnames in your /etc/hosts file:

::1 auth.cacert.localhost hydra.cacert.localhost

Add OpenID Connect configuration for a client

Create an OpenID Connect (OIDC) client configuration for the demo application

hydra clients create --endpoint https://hydra.cacert.localhost:4445/ \
    --callbacks https://app.cacert.localhost:4000/callback \
    --logo-uri https://register.cacert.localhost:3000/images/app.png \
    --name "Client App Demo" \
    --scope "openid offline_access profile email" \
    --post-logout-callbacks https://app.cacert.localhost:4000/after-logout \
    --client-uri https://register.cacert.localhost:3000/info/app

The command returns a client id and a client secret, that you need for the demo application configuration.

Start

Now you can start Hydra:

hydra serve all --config hydra.yaml