Questions about consent app's relationship with Hydra


#1

I’m having trouble understanding the relationship between the consent app and Hydra.

  • It is stated in a couple of places in the documentation that the consent app is a client (in the OAuth 2.0 sense of the word) of Hydra. But they don’t seem to communicate with each other in an OAuth 2.0 style. For example there is a “callback” endpoint in the “hydra-consent-app-go” project but it doesn’t seem to be used.
  • As I understand it, the consent app fetches two keys from Hydra: The public key for the consent challenge and the private key for the consent response (https://ory.gitbooks.io/hydra/content/how-to/consent-app.html). But if the consent app is able to fetch a private key from Hydra, aren’t they already able to trust each other and communicate securely? If that is true, why bother with verifying the challenge token and signing response token?

#2

Sorry for my late reply, the notification was sent to spam. Are you still looking for an answer here?


#3

Yes I’m still trying to understand this.


#4

It is stated in a couple of places in the documentation that the consent app is a client (in the OAuth 2.0 sense of the word) of Hydra. But they don’t seem to communicate with each other in an OAuth 2.0 style. For example there is a “callback” endpoint in the “hydra-consent-app-go” project but it doesn’t seem to be used.

So the consent app itself acts as a client in the sense that it requires access to the cryptographic keys which ORY Hydra stores in the database. To retrieve them, it needs OAuth 2 credentials.

The callback endpoint is just there for one of the tutorials. I should probably document that in the method.

As I understand it, the consent app fetches two keys from Hydra:

Yes, those keys are the reason why we need OAuth 2 credentials :slight_smile: It uses the client credentials grant (no user involved)

The public key for the consent challenge and the private key for the consent response (https://ory.gitbooks.io/hydra/content/how-to/consent-app.html1). But if the consent app is able to fetch a private key from Hydra, aren’t they already able to trust each other and communicate securely? If that is true, why bother with verifying the challenge token and signing response token?

That is a good question. Primarily, because the consent challenge & response is not transported via a protected channel but rather by the user’s browser. Thus, we need some form of verification that the tokens are valid and issued by a valid authority.

Of course, there would be the possibility to do this by-reference instead of by-value. So in this example, the consent app would make a request to hydra and tell it “request id 1234 is valid and contains this and that data”. Then it would redirect to hydra with the request id 1234 and hydra would look it up. There are however two issues with this approach:

  1. we would need two requests - one for polling the request info (which client id made the request, what parameters are included, …) and one for saving it. With a PKI infrastructure you can simply cache the keys and sign them without any request interaction.
  2. decoupling hydra and the consent app - you could use your own signing keys (eg issued by a real CA) and not make any requests to hydra at all, just install the certificate on one of your servers. this gives very good isolation

I hope I was able to clarify your questions