My understanding of hydra is that I can have an app which decides whether to authorize or not, then offloads the work to hydra to generate the token etc.
i.e. browser login page -> some backend API -> (checks if it meets its requirements) -> make a request to hydra to generate the token.
I create an instance of hydra with
# LOG_LEAK_SENSITIVE_VALUES=true is for testing purposes only.
# URLS_CONSENT and URLS_LOGIN point at an echo server to see what is happening.
# (Comments moved out of the command: a "#" after the "\" continuation ends the command early.)
docker run -d \
  --name ory-hydra-example--hydra \
  --network hydraguide \
  -p 9000:4444 \
  -p 9001:4445 \
  -e SECRETS_SYSTEM=$SECRETS_SYSTEM \
  -e LOG_LEAK_SENSITIVE_VALUES=true \
  -e DSN=memory \
  -e LOG_LEVEL=trace \
  -e URLS_SELF_ISSUER=http://127.0.0.1:9000/ \
  -e URLS_CONSENT=https://webhook.site/<id>/consent \
  -e URLS_LOGIN=https://webhook.site/<id>/login \
  oryd/hydra:v1.8.5 serve all --dangerous-force-http
Now, create a client.
curl --location --request POST 'http://127.0.0.1:9001/clients' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "client_id": "someconsumer",
    "client_name": "consumerName",
    "client_secret": "somesecret",
    "client_uri": "example.com",
    "grant_types": [
      "authorization_code",
      "refresh_token"
    ],
    "scope": "additional_example_scope offline openid",
    "redirect_uris": [
      "https://webhook.site/<id>/redirect"
    ],
    "response_types": [
      "token",
      "code",
      "id_token"
    ],
    "token_endpoint_auth_method": "client_secret_post"
  }'
Next, create a login request.
curl --location --request GET 'http://127.0.0.1:9000/oauth2/auth?client_id=someconsumer&code_challenge=(base64urlEncode(sha256hash(random_string_for_pkce)))&code_challenge_method=S256&redirect_uri=<exact_url_as_created_client_allows>&response_type=code&scope=openid&state=whatever_you_want_it_to_be_example_application_redirection_context&client_secret=somesecret'
This generates a login challenge, appended to the redirect_url as a query parameter; it can also be found at:
curl --location --request GET 'http://127.0.0.1:9001/oauth2/auth/requests/login?login_challenge=<login_challenge_value>'
I believe the next part is accepting the login? This, I believe, is done by calling the auth endpoint with the login_verifier field? But where is this login_verifier generated?
Also, is there any way to skip the Accept and Consent forms? Since, on registration and login on the main website, it would make very little sense to show users these pages. (I do see a prompt keyword, but I am not sure where and why it is applicable.)
And lastly, is the code_challenge for PKCE to be used only on the API call with the consent_verifier, and the code_verifier on the token call? Or right from the beginning (login accept)?
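The flow asked about above, as an added example in Python (this is not code from the post or from Ory): the PKCE verifier and challenge, the browser-facing authorization URL, the backend's login and consent accept calls against the Hydra v1.x admin API (ports as mapped in the docker run above), and the token exchange last. The admin endpoint paths and the field names `skip`, `subject`, `requested_scope`, `redirect_to` are Hydra v1's; the login_verifier is minted by Hydra and comes back inside `redirect_to` from the accept call, so the app never generates it. Function names such as `handle_login`, `http_send`, the injectable `send` transport and the sample subject are my own assumptions for illustration.

```python
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request

# Host ports from the docker run in the post: 9000 -> public API, 9001 -> admin API.
PUBLIC_URL = "http://127.0.0.1:9000"
ADMIN_URL = "http://127.0.0.1:9001"


def make_code_verifier(nbytes=32):
    """RFC 7636 code_verifier: 43..128 unreserved chars; 32 random bytes give 43 base64url chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier):
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(client_id, redirect_uri, state, code_challenge, scope="openid offline", prompt=None):
    """Front-channel URL the browser is sent to. Only the challenge goes here; the verifier and the
    client_secret are sent on the back-channel token call only, never in a browser URL."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if prompt:  # e.g. "none" to fail instead of showing a UI, "login" to force re-authentication
        params["prompt"] = prompt
    return PUBLIC_URL + "/oauth2/auth?" + urllib.parse.urlencode(params)


def http_send(method, url, body=None, form=False):
    """Default transport (assumed helper): JSON for the admin API, form-encoded for /oauth2/token."""
    if body is None:
        data, ctype = None, None
    elif form:
        data, ctype = urllib.parse.urlencode(body).encode(), "application/x-www-form-urlencoded"
    else:
        data, ctype = json.dumps(body).encode(), "application/json"
    req = urllib.request.Request(url, data=data, method=method)
    if ctype:
        req.add_header("Content-Type", ctype)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def handle_login(send, login_challenge, authenticate):
    """Backend side of the login step. `authenticate` is the app's own credential check and returns
    a subject or None. Hydra sets skip=true when it already holds a remembered session, so no login
    page is needed then. The returned redirect_to already carries Hydra's login_verifier."""
    q = "?login_challenge=" + urllib.parse.quote(login_challenge)
    req = send("GET", ADMIN_URL + "/oauth2/auth/requests/login" + q)
    if req.get("skip"):
        subject = req["subject"]
    else:
        subject = authenticate()
        if subject is None:
            rej = send("PUT", ADMIN_URL + "/oauth2/auth/requests/login/reject" + q,
                       {"error": "access_denied", "error_description": "bad credentials"})
            return rej["redirect_to"]
    acc = send("PUT", ADMIN_URL + "/oauth2/auth/requests/login/accept" + q,
               {"subject": subject, "remember": True, "remember_for": 3600})
    return acc["redirect_to"]


def handle_consent(send, consent_challenge):
    """Consent step for a first-party app: grant every requested scope without showing a screen."""
    q = "?consent_challenge=" + urllib.parse.quote(consent_challenge)
    req = send("GET", ADMIN_URL + "/oauth2/auth/requests/consent" + q)
    acc = send("PUT", ADMIN_URL + "/oauth2/auth/requests/consent/accept" + q, {
        "grant_scope": req["requested_scope"],
        "grant_access_token_audience": req.get("requested_access_token_audience", []),
        "remember": True,
        "remember_for": 3600,
    })
    return acc["redirect_to"]


def exchange_code(send, code, redirect_uri, client_id, client_secret, code_verifier):
    """Back-channel token call: the only place the verifier and the secret are sent
    (client_secret_post, matching the client registered in the post)."""
    return send("POST", PUBLIC_URL + "/oauth2/token", {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": code_verifier,
    }, form=True)


if __name__ == "__main__":
    verifier = make_code_verifier()  # keep this server-side until the token call
    print(build_authorization_url("someconsumer", "https://webhook.site/<id>/redirect",
                                  secrets.token_urlsafe(16), code_challenge_s256(verifier)))
```

Run the script to get the URL to open in the browser; Hydra then redirects the browser to URLS_LOGIN with a login_challenge, your backend calls `handle_login(http_send, challenge, ...)` and sends the browser to the returned `redirect_to`, the same happens for consent, and the final redirect carries the code for `exchange_code`. The `prompt` parameter only controls whether Hydra may reuse a remembered session; the login and consent pages themselves are your own endpoints, so not rendering a form there is what skips them.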