Access Hydra using Https in remote VM


#1

Hi

I have installed Hydra following the instructions here in a remote VM (say XYZ).
https://ory.gitbooks.io/hydra/content/install.html#perform-oauth-20-flow

It seems while installing hydra server the issuer URL always has to be ‘Https’ but the consent URL always has to be ‘Http’.
My consent URL is http://XYZ:9020/consent

After completing all the installations and trying the sample OAuth2 flow I find that the redirect or callback URL has to be Https again. If I use Http, I get an error while trying out the flow. With Https, I can complete the flow, but the final step, when the token is forwarded from consent to the hydra server, fails in the browser saying that “Https not supported”.
Here is the command I am using for the token flow:

hydra token user --skip-tls-verify --auth-url https://XYZ:9000/oauth2/auth --token-url https://hydra:4444/oauth2/token --id some-consumer-new --secret consumer-secret --scopes openid,offline,hydra.clients --redirect https://XYZ:9010/callback

In the above command, the auth URL has to be https and the redirect URL also has to be https, otherwise I get an error. But when the flow completes and the redirect URL is invoked to send the access token, it doesn’t work with https. If I manually change the Https to http it works.

Any help appreciated…


#2

I think the link to the guide you gave is not correct. In the case of the guide, https://ory.gitbooks.io/hydra/content/install.html#perform-oauth-20-flow shows that we’re using an http:// callback. Please note that http-based callbacks are only possible when the host is localhost. Otherwise Hydra forces https:// as using http for the callback url is highly unsafe.


#3

Yes, I am not using localhost, so while testing the OAuth 2.0 flow I am providing an https redirect URL. But it is failing in the browser.

hydra token user --skip-tls-verify --auth-url https://{{hostname}}:9000/oauth2/auth --token-url https://hydra:4444/oauth2/token --id some-consumer-new --secret consumer-secret --scopes openid,offline,hydra.clients --redirect https://{{hostname}}:9010/callback


#4

Ok, if you don’t use localhost as a host name you are prevented from using HTTP; you need to run the consent app on port 443 with HTTPS (TLS) enabled.


#5

I have implemented the OAuth on our server using Docker. I am getting the same issue as you are facing. Here are the error details:
Redirect URL is using an insecure protocol, http is only allowed for hosts with suffix 'localhost', for example: http://myapp.localhost/.

I need to convert http to https, but how? Or does OAuth provide anything so we can convert http to https? If there is any other solution, it’s a great help.


#6

Not sure if that works, but you can try to map somethingsomething.localhost to the IP address. If that’s not the case, you have to figure out how to run the receiving end (callback url) with HTTPS. This is forced because if you don’t use HTTPS I (and everyone else) can hack this in probably less than 5 minutes.
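The redirect-URL rule behind the error message in #5 and the `*.localhost` workaround suggested in #6, written out as an added example (not Hydra's own source): https is always accepted, http only when the host name ends in "localhost", so a bare container IP such as 172.18.0.1 is rejected while a name like myapp.localhost mapped to that IP passes.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// RedirectURLAllowed applies the rule quoted in the thread: http is only
// allowed for hosts with the suffix "localhost"; everything else must be https.
// Illustrative re-implementation, not Hydra's code.
func RedirectURLAllowed(raw string) (bool, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return false, err
	}
	// Hostname() drops the port, so "myapp.localhost:9010" -> "myapp.localhost".
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return false, fmt.Errorf("redirect url %q has no host", raw)
	}
	switch strings.ToLower(u.Scheme) {
	case "https":
		return true, nil
	case "http":
		// A raw IP (e.g. 172.18.0.1) never ends in "localhost", hence the
		// advice to map a *.localhost name to the container address instead.
		return strings.HasSuffix(host, "localhost"), nil
	default:
		return false, nil
	}
}

func main() {
	// Constructed sample URLs mirroring the ones discussed in the thread.
	for _, raw := range []string{
		"https://XYZ:9010/callback",
		"http://172.18.0.1:9010/callback",
		"http://myapp.localhost:9010/callback",
		"http://localhost:9010/callback",
	} {
		ok, err := RedirectURLAllowed(raw)
		fmt.Printf("%-40s allowed=%v err=%v\n", raw, ok, err)
	}
}
```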


#7

How can I map somethingsomething.localhost in docker container URL which is 10.10.0.10 ?


#8

I solved this by using a self-signed-certificate in development with a router like traefik or nginx.


#9

Thanks for the solution @pcdummy

I had generated the self-signed certificate, but it won’t work. The same things work in the http protocol but not in https.


#10

What happens if you open http://127.18.0.1:9010 (so http without the S)?


#11

Thanks for faster response @arekkas

It will give a proper response without the s, but I don’t understand why the title shows a different url.


#13

Oh ok, so you’re still using the CLI to request the oauth2 token example flow. I don’t think that cli command supports SSL yet but it would be a sensible feature request. I’ve created an issue for that: https://github.com/ory/hydra/issues/1147


#14

Thanks for the quick response @arekkas

Oh ok, so you’re still using the CLI to request the oauth2 token example flow. I don’t think that cli command supports SSL yet but it would be a sensible feature request. I’ve created an issue for that: https://github.com/ory/hydra/issues/1147

Does that mean that using this tutorial I will not be able to configure the OAuth on our server using SSL? When I had implemented the OAuth on a server using simple HTTP, it didn’t work because the callback redirect URL http://172.18.0.1:9010/callback gives an SSL error.
That’s why I had implemented the SSL. Is there any other way to implement it?
Again Thanks @arekkas


#15

The CLI hydra token user is really just for examples, so I never thought about adding SSL. But it makes sense and it will fix your problems. We might even update the tutorial to add SSL info, which makes sense. Appreciate you hacking on this, that stuff can be super annoying to get right!


#16

PR is now up for this: https://github.com/ory/hydra/pull/1150 (there seems to be a GH outage right now, in case you see a 404)


#17

Hi @arekkas

The CLI hydra token user is really just for examples, so I never thought about adding SSL. But it makes sense and it will fix your problems. We might even update the tutorial to add SSL info, which makes sense. Appreciate you hacking on this, that stuff can be super annoying to get right!

Do you have another way to implement OAuth on the server using Docker?