Deploy Consent App and Hydra Server on different Servers


I was able to follow the instructions described here with my customized implementation of the Consent App and Client App. All three parties were running on the same physical server on different ports.

Now I am trying to deploy the components to AWS. My plan was to use one Elastic Beanstalk instance for each component. The Consent App always gets an error when trying to fetch from the Auth Server. The logs of the Auth Server showed

"The client is not allowed to request scope hydra.keys.get"

I am quite sure that I have added the correct policy for Consent App by running

hydra policies create --skip-tls-verify \
    --actions get \
    --description "Allow consent-app to access the cryptographic keys for signing and validating the consent challenge and response" \
    --allow \
    --id consent-app-policy \
    --resources rn:hydra:keys:hydra.consent.challenge:public,rn:hydra:keys:hydra.consent.response:private \
    --subjects consent-app

I vaguely remember reading an article mentioning that the Auth Server and Consent App have to reside on the same server, and that the communication between them must be sent to “localhost:xxxx”, but I could be wrong.

I am wondering if it’s absolutely necessary for me to deploy the Auth Server and Consent App to the same server. If so, I will create an EC2 instance for it.

By the way, I am talking about the “Old consent flow”; I want to deploy one old version to production while working on the “Refactored consent flow”.

Thank you very much.


I have figured it out. For the version I was using (v0.9.13), it is OK to deploy the consent app on a different physical server (although it’s not the best practice). My problem was that I was using oryd/hydra:latest, and oryd/hydra:latest has changed to 0.10 in the last few days.