Access Hydra using Https in remote VM


#1

Hi

I have installed Hydra following the instructions here in a remote VM (say XYZ).
https://ory.gitbooks.io/hydra/content/install.html#perform-oauth-20-flow

It seems while installing hydra server the issuer URL always has to be ‘Https’ but the consent URL always has to be ‘Http’.
My consent URL is http://XYZ:9020/consent

After completing all the installations and trying the sample OAuth2 flow I find that the redirect or callback URL has to be Https again. If I use Http, I get an error while trying out the flow. With Https, I can complete the flow but the final step, when the token is forwarded to the hydra server from consent, fails in the browser saying that “Https not supported”.
Here is the command I am using for the token flow:

hydra token user --skip-tls-verify --auth-url https://XYZ:9000/oauth2/auth --token-url https://hydra:4444/oauth2/token --id some-consumer-new --secret consumer-secret --scopes openid,offline,hydra.clients --redirect https://XYZ:9010/callback

In the above command, the auth URL has to be https and the redirect URL also has to be https, otherwise I get an error. But when the flow completes and the redirect URL is invoked to send the access token, it doesn’t work with https. If I manually change the Https to http it works.

Any help appreciated…


#2

I think the link to the guide you gave is not correct. In the case of the guide, https://ory.gitbooks.io/hydra/content/install.html#perform-oauth-20-flow shows that we’re using an http:// callback. Please note that http-based callbacks are only possible when the host is localhost. Otherwise Hydra forces https:// as using http for the callback URL is highly unsafe.


#3

Yes, I am not using localhost, so while testing the OAuth 2.0 flow, I am providing an https redirect URL. But it is failing in the browser.

hydra token user --skip-tls-verify --auth-url https://{{hostname}}:9000/oauth2/auth --token-url https://hydra:4444/oauth2/token --id some-consumer-new --secret consumer-secret --scopes openid,offline,hydra.clients --redirect https://{{hostname}}:9010/callback


#4

Ok, if you don’t use localhost as a host name you are prevented from using HTTP, you need to run the consent app on port 443 with HTTPS (TLS) enabled.
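The redirect-URI policy described in replies #2 and #4 (plain http only when the host is localhost, https everywhere else) is the kind of check an authorization server applies before it ever sends a code or token to a callback. The following Go function is an added illustration written for this thread, not Hydra's own code; it reproduces that rule and adds the exact-match check against the client's registered redirect URIs that OAuth 2.0 servers perform, with the sample URIs taken from the commands in the thread (the registered list is constructed for the example):

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Sentinel errors so callers can tell why a redirect URI was refused.
var (
	ErrMalformed        = errors.New("redirect URI must be an absolute http(s) URL without a fragment")
	ErrInsecureRedirect = errors.New("http redirect URIs are only allowed when the host is localhost")
	ErrUnregistered     = errors.New("redirect URI does not exactly match a registered redirect URI")
)

// ValidateRedirectURI applies the policy stated in the thread: https is required
// unless the host is exactly "localhost", in which case http is tolerated for
// local development. It then requires an exact string match against the URIs
// registered for the OAuth 2.0 client, which is what stops an attacker-chosen
// callback from receiving the authorization code. (Illustrative policy, not a
// copy of Hydra's implementation.)
func ValidateRedirectURI(raw string, registered []string) error {
	u, err := url.Parse(raw)
	if err != nil || !u.IsAbs() || u.Host == "" || u.Fragment != "" {
		return ErrMalformed
	}

	switch strings.ToLower(u.Scheme) {
	case "https":
		// Always acceptable.
	case "http":
		// Hostname() strips the port, so http://localhost:9010/callback passes.
		if strings.ToLower(u.Hostname()) != "localhost" {
			return ErrInsecureRedirect
		}
	default:
		return ErrMalformed
	}

	for _, r := range registered {
		if r == raw { // exact match, no prefix or wildcard matching
			return nil
		}
	}
	return ErrUnregistered
}

func main() {
	// Constructed registration for the client used in the thread.
	registered := []string{
		"https://XYZ:9010/callback",
		"http://localhost:9010/callback",
	}
	for _, candidate := range []string{
		"https://XYZ:9010/callback",      // what the poster was told to use
		"http://XYZ:9010/callback",       // the http variant that Hydra rejects
		"http://localhost:9010/callback", // the localhost exception from the guide
		"https://XYZ:9011/callback",      // right scheme, wrong port: not registered
	} {
		fmt.Printf("%-32s -> %v\n", candidate, ValidateRedirectURI(candidate, registered))
	}
}
```

The exact-match step is deliberately strict: a redirect URI that differs only by port or path is refused, because any looser comparison widens the set of callbacks that can receive the authorization code.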