Basic configuration - Hydra crash


#1

Hello everyone :grinning: I'm trying to set up hydra for a simple Identity Provider application.
I read the documentation and I'm not sure I understand everything.
I have set up hydra with docker compose:

    version: '3'

    services:
      oauth2:
        image: oryd/hydra:v0.9.10-http
        ports:
          - "4444:4444"
        environment:
          - DATABASE_URL=memory
          - ISSUER=https://localhost:4444/
          - CONSENT_URL=http://localhost:8080/consent
          - SYSTEM_SECRET=jf89-jgklAS9gk3rkAF90dfsk
          - FORCE_ROOT_CLIENT_CREDENTIALS=admin:abcdefghijklmnopqrstuvwxyz

Once the container is set up, as explained in the “Secure Consent App”, I use the command line client to create a client and a policy:

    {
        "id": "consent_app",
        "client_secret": "some_super_secret_key",
        "client_name": "consent",
        "redirect_uris": ["http://localhost:8080/callback"],
        "grant_types": [
            "client_credentials"
        ],
        "response_types": [
            "token"
        ],
        "scope": "hydra.keys.get"
    }

And for the policy:

    {
        "actions": [
            "get"
        ],
        "conditions": {},
        "description": "Allow consent app to access hydra's keys",
        "effect": "allow",
        "id": "consent_keys",
        "resources": [
            "rn:hydra:keys:hydra.consent.challenge:public",
            "rn:hydra:keys:hydra.consent.response:private"
        ],
        "subjects": [
            "consent_app"
        ]
    }

Then I trigger a request to create a challenge: http://localhost:4444/oauth2/auth?response_type=code&client_id=consent_app&redirect_uri=http://localhost:8080/callback&scope=read&state=1234567890
I'm called back on my server to try to solve the challenge.
I need to retrieve the key to check the signature of the token.
As explained in the documentation, I should find this information here: http://localhost:4444/keys/hydra.openid.id-token/public

But it is impossible to retrieve anything, as Hydra is crashing:

 " request=&{rn:hydra:keys:hydra.openid.id-token:public get map[]}
oauth2_1  | time="2017-06-29T18:51:25Z" level=info msg="Access denied" error="Request was denied by default: The request is not allowed" reason="The policy decision point denied the request" request=&{rn:hydra:keys:hydra.openid.id-token:public get  map[]} subject=
oauth2_1  | time="2017-06-29T18:51:25Z" level=error msg="An error occurred while handling a request" code=500 details=[] error="Request was denied by default: The request is not allowed" reason= request-id= status= trace="Stack trace:
oauth2_1  | github.com/ory/hydra/warden.(*LocalWarden).isAllowed
oauth2_1  |     /go/src/github.com/ory/hydra/warden/warden_local.go:127
oauth2_1  | github.com/ory/hydra/warden.(*LocalWarden).IsAllowed
oauth2_1  |     /go/src/github.com/ory/hydra/warden/warden_local.go:37
oauth2_1  | github.com/ory/hydra/jwk.(*Handler).GetKey
oauth2_1  |     /go/src/github.com/ory/hydra/jwk/handler.go:172
oauth2_1  | github.com/ory/hydra/jwk.(*Handler).GetKey-fm
oauth2_1  |     /go/src/github.com/ory/hydra/jwk/handler.go:42
oauth2_1  | github.com/ory/hydra/vendor/github.com/julienschmidt/httprouter.(*Router).ServeHTTP
oauth2_1  |     /go/src/github.com/ory/hydra/vendor/github.com/julienschmidt/httprouter/router.go:299
oauth2_1  | github.com/ory/hydra/vendor/github.com/urfave/negroni.Wrap.func1
oauth2_1  |     /go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:41
oauth2_1  | github.com/ory/hydra/vendor/github.com/urfave/negroni.HandlerFunc.ServeHTTP
oauth2_1  |     /go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:24
oauth2_1  | github.com/ory/hydra/vendor/github.com/urfave/negroni.middleware.ServeHTTP
oauth2_1  |     /go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:33
oauth2_1  | github.com/ory/hydra/vendor/github.com/urfave/negroni.(middleware).ServeHTTP-fm
oauth2_1  |     /go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:33
oauth2_1  | net/http.HandlerFunc.ServeHTTP
oauth2_1  |     /usr/local/go/src/net/http/server.go:1942
oauth2_1  | github.com/ory/hydra/cmd/server.(*Handler).rejectInsecureRequests
oauth2_1  |     /go/src/github.com/ory/hydra/cmd/server/handler.go:167
oauth2_1  | github.com/ory/hydra/cmd/server.(*Handler).(github.com/ory/hydra/cmd/server.rejectInsecureRequests)-fm
oauth2_1  |     /go/src/github.com/ory/hydra/cmd/server/handler.go:81
oauth2_1  | github.com/ory/hydra/vendor/github.com/urfave/negroni.HandlerFunc.ServeHTTP
oauth2_1  |     /go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:24
oauth2_1  | github.com/ory/hydra/vendor/github.com/urfave/negroni.middleware.ServeHTTP
oauth2_1  |     /go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:33
oauth2_1  | github.com/ory/hydra/vendor/github.com/urfave/negroni.(middleware).ServeHTTP-fm
oauth2_1  |     /go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:33
oauth2_1  | github.com/ory/hydra/vendor/github.com/meatballhat/negroni-logrus.(*Middleware).ServeHTTP
oauth2_1  |     /go/src/github.com/ory/hydra/vendor/github.com/meatballhat/negroni-logrus/middleware.go:135
oauth2_1  | github.com/ory/hydra/vendor/github.com/urfave/negroni.middleware.ServeHTTP
oauth2_1  |     /go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:33
oauth2_1  | github.com/ory/hydra/vendor/github.com/urfave/negroni.(middleware).ServeHTTP-fm
oauth2_1  |     /go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:33
oauth2_1  | github.com/ory/hydra/metrics.(*MetricsManager).ServeHTTP
oauth2_1  |     /go/src/github.com/ory/hydra/metrics/middleware.go:133
oauth2_1  | github.com/ory/hydra/vendor/github.com/urfave/negroni.middleware.ServeHTTP
oauth2_1  |     /go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:33
oauth2_1  | github.com/ory/hydra/vendor/github.com/urfave/negroni.(*Negroni).ServeHTTP
oauth2_1  |     /go/src/github.com/ory/hydra/vendor/github.com/urfave/negroni/negroni.go:73
oauth2_1  | github.com/ory/hydra/vendor/github.com/gorilla/context.ClearHandler.func1
oauth2_1  |     /go/src/gith

Is this crash normal? What am I missing to access the key? Do I need to provide the challenge of the token to access the public key?


#2

To retrieve the OpenID token you need a different policy set up, in particular this one: https://github.com/ory/hydra/blob/master/docs/access-control/policies/everyone-can-read-public-keys.json
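As an added illustration (not code from this thread or from Hydra itself), the following Python models the warden's policy decision seen in the log above: the poster's policy only covers the two consent keys, no policy matches an anonymous GET on the OpenID ID-token public key, so the request is "denied by default". The everyone-can-read policy is reconstructed as an assumption from its name and the resource string in the log; `<.*>` is Ladon's regex delimiter for "any subject".

```python
import re

# Resource and action exactly as printed in the "Access denied" log line;
# note subject= is empty there, i.e. the GET on /keys was unauthenticated.
ID_TOKEN_PUBLIC_KEY = "rn:hydra:keys:hydra.openid.id-token:public"

# The poster's policy: it only covers the two consent keys.
CONSENT_KEYS_POLICY = {
    "id": "consent_keys", "effect": "allow",
    "subjects": ["consent_app"], "actions": ["get"],
    "resources": ["rn:hydra:keys:hydra.consent.challenge:public",
                  "rn:hydra:keys:hydra.consent.response:private"],
}

# Assumed reconstruction of the linked "everyone can read public keys" policy:
# <.*> is Ladon's regex delimiter, so any subject, even an empty one, matches.
EVERYONE_READS_ID_TOKEN_KEY = {
    "id": "everyone-can-read-public-keys", "effect": "allow",
    "subjects": ["<.*>"], "actions": ["get"],
    "resources": [ID_TOKEN_PUBLIC_KEY],
}

def template_matches(template, value):
    """Ladon template rule: text inside <...> is a regex, everything else is literal."""
    parts = re.split(r"<(.*?)>", template)  # odd indices are the regex segments
    pattern = "".join(f"({p})" if i % 2 else re.escape(p) for i, p in enumerate(parts))
    return re.fullmatch(pattern, value) is not None

def is_allowed(policies, subject, action, resource):
    """Warden decision rule: default deny, and an explicit deny beats any allow."""
    allowed = False
    for p in policies:
        if not (any(template_matches(t, subject) for t in p["subjects"])
                and any(template_matches(t, action) for t in p["actions"])
                and any(template_matches(t, resource) for t in p["resources"])):
            continue
        if p["effect"] == "deny":
            return False
        allowed = True
    return allowed

def key_endpoint_decision(policies):
    """Replays the anonymous GET on /keys/hydra.openid.id-token/public from the log."""
    return is_allowed(policies, "", "get", ID_TOKEN_PUBLIC_KEY)

if __name__ == "__main__":
    print(key_endpoint_decision([CONSENT_KEYS_POLICY]))  # False
    print(key_endpoint_decision([CONSENT_KEYS_POLICY, EVERYONE_READS_ID_TOKEN_KEY]))  # True
```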


#3

I started a PR which explains a basic set up: https://github.com/ory/hydra/pull/544