Ory keto to ory hydra integration

ORY Hydra
#1

Hi All,
I’m new to ory platform and I want to something like this.
I have two spring boot applications.

  1. First app is directing to hydra once a user tries to login , and hydra will generate the access token and sends back to callback URL provided.

  2. My second application is having two resources secured by ORY Keto. So user is trying to access with the access token taken by first service.

I was using latest stable ory keto version and i found that there is no api to check the access policies with token, only the subject is allowed in latest one. But in an older version I found that there is a warden api which allows this.
What i want actually is use the access token to call ory keto API. Is this possible with latest Keto version ? If possible what is the best approach for this.

Can anybody please help me on this since i’m stuck here.

#2

Hi, this was changed. There was a discussion regarding this change and it’s also in the upgrade guide: https://github.com/ory/keto/blob/master/UPGRADE.md#conceptual-changes

You can still achieve the same by using Hydra, Oathkeeper, and Keto together.

#3

Thanks @hackerman . I will look into that approach.

#4

Hi @hackerman,
I integrated oathkeepr with spring boot and the integration works fine. But when I tried to use “oauth2_introspection” using ory hydra introspection URL i’m getting this error. Could you please help me on this.
This is my oathkeeper config file:

serve:
proxy:
port: 4455 # run the proxy at port 4455
api:
port: 4456 # run the api at port 4456

access_rules:
repositories:
- file:///rules.json

mutators:
header:
enabled: true
noop:
enabled: true
id_token:
enabled: true
issuer_url: http://localhost:4455/

authorizers:
allow:
enabled: true
deny:
enabled: true

authenticators:
oauth2_introspection:
# Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to false.
enabled: true

# REQUIRED IF ENABLED - The OAuth 2.0 Token Introspection endpoint.
introspection_url: https:<my introspect url>

# Sets the strategy to be used to validate/match the token scope. Supports "hierarchic", "exact", "wildcard", "none". Defaults
# to "none".
scope_strategy: exact

pre_authorization:
# Enable pre-authorization. Defaults to false.
enabled: true

  # REQUIRED IF ENABLED - The OAuth 2.0 Client ID to be used for the OAuth 2.0 Client Credentials Grant.
  client_id: sampleClient9

  # REQUIRED IF ENABLED - The OAuth 2.0 Client Secret to be used for the OAuth 2.0 Client Credentials Grant.
  client_secret: sampleClient9

This is my rules.json file

[

{
“id”: “allow-anonymous-with-header-x”,
“upstream”: {
“url”: “https://httpbin.org/anything/header
},
“match”: {
“url”: “http://<127.0.0.1|localhost>:4455/test/a”,
“methods”: [
“GET”
]
},
“authenticators”: [
{
“handler”: “oauth2_introspection”
}
],
“authorizer”: {
“handler”: “allow”
},
“mutator”: {
“handler”: “id_token”,
“config”: {
“headers”: {
“X-User”: “{{ print .Subject }}”
}
}
}
}
]

Error receiving in oathkeeper side

net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)" granted=false reason_id=authentication_handler_error
time=“2019-07-01T01:48:56Z” level=warning msg=“Access request denied”

I have put only a part of error because the forum post is failing saying only two links can be published in a post.

#5

“Client.Timeout exceeded while awaiting headers” means that the url could not be called - e.g. the port is closed, the url has a typo, etc

#6

@hackerman
I can directly call the ory hydra introspect url , it happens only when calling through oathkeeper. Do I need to configure certificate file since it is a https url.

#7

Is the certificate self-signed?

#8

No . When using ory hydra introspect URL we don’t need to add a certificate right ?

#9

So I’m not sure what’s going on, maybe the firewall is blocking the request or there is a typo. The error you showed definitely says that the URL is not accessible. Maybe try to ssh into the container and execute curl https://the-hydra-path/ to see if connectivity is there. Keep in mind that the introspection URL is on the admin endpoint and usually not publicly available

#10

Hi @hackerman,

You are correct, even port 9001 is open outside docker containers, to access from a container i had to use 4445 port. But now i’m getting this error in hydra log.

2019/07/03 08:50:26 http: TLS handshake error from 172.18.0.4:33712: remote error: tls: bad certificate .

Highly appreciate your help to solve this issue.

#11

The certificate you are using is invalid. You’re probably using a self-signed certificate. It’s currently not possible to skip TLS Certificate Checks in Oathkeeper, so you would have to either provide a valid certificate, run Hydra without TLS (--dangerous-force-http - DO NOT DO THIS IN PRODUCTION) or with run Hydra behind a Load Balancer or API Gateway that has a valid TLS Certificate.

#12

@hackerman
i have the similar issue with hydra and oathkeeper

which both are deployed into kubernetes, thus we should use internal service endpoint to communicate for the introspection_url

however i got the same error as @tharakadumidu2 did

it is working fine if i expose the admin api of hydra to public and use the public endpoint to introspection_url

it is not working with internal service endpoint (http://service-endpoint:4445/oauth2/introspect/)

in addtional
i can success curl/ping the internal service endpoint from the oathkeeper pod, but dont know why it wont work while it call from the application, i guess becoz of net/http package ?