I have a problem using the access token I get from exchanging the authorization_code. I created a simple hydra service with a docker-compose config like this:
hydra:
  image: oryd/hydra:v1.5.0-alpine
  ports:
    - 9000:4444
    - 9001:4445
  environment:
    SECRETS_SYSTEM: ak2387tfh238rgfaifh38
    DSN: memory
    URLS_SELF_ISSUER: https://localhost:9000/
    URLS_CONSENT: http://localhost:9020/consent
    URLS_LOGIN: http://localhost:9020/login
    URLS_LOGOUT: http://localhost:9020/logout
Then I create a client
docker-compose exec hydra \
hydra clients create \
--skip-tls-verify \
--id klient \
--secret geheim \
--endpoint https://hydra:4445 \
--grant-types authorization_code,refresh_token \
--response-types code,id_token \
--scope openid,offline \
--callbacks http://localhost:8085/logincb
Then I use my own app to start the auth flow. I am successfully navigating through the login and consent screen of the hydra demo authorization provider ([email protected] login) and I get redirected to my app with an authorization code. My app (python) exchanges this successfully into an access token:
{'access_token': 'ARLEJ8BM2b4J1gbEvw9f1Jm5zZ0xMNT_byRd8kY38aI.3vJrhKXV9zuw5ElUbxJ2HyuXcOsUm7lcOnP2Hctxzis',
'expires_at': 1590170597.26878,
'expires_in': 3599,
'id_token': 'eyJ.shortened...Z-t',
'scope': ['openid'],
'token_type': 'bearer'}
Then I want to use the access token to get data from the userinfo endpoint. I do this right after I got the token. Or I just want to introspect the token with this:
docker-compose exec hydra \
hydra token introspect \
--skip-tls-verify \
--endpoint https://hydra:4444 \
--client-id klient \
--client-secret geheim \
ARLEJ8BM2b4J1gbEvw9f1Jm5zZ0xMNT_byRd8kY38aI.3vJrhKXV9zuw5ElUbxJ2HyuXcOsUm7lcOnP2Hctxzis
In both cases I get “Not Found” as response.
hydra_1 | time="2020-05-22T17:32:59Z" level=info msg="started handling request" method=POST remote="172.18.0.4:39650" request=/oauth2/token
hydra_1 | time="2020-05-22T17:32:59Z" level=info msg="completed handling request" measure#hydra/public: https://localhost:9000/.latency=105771500 method=POST remote="172.18.0.4:39650" request=/oauth2/token status=200 text_status=OK took=105.7715ms
hydra_1 | time="2020-05-22T17:32:59Z" level=info msg="started handling request" method=GET remote="172.18.0.4:39650" request=/oauth2/userinfo
hydra_1 | time="2020-05-22T17:32:59Z" level=info msg="completed handling request" measure#hydra/public: https://localhost:9000/.latency=148400 method=GET remote="172.18.0.4:39650" request=/oauth2/userinfo status=404 text_status="Not Found" took="148.4µs"
I expect to get a json response with userinfo.
I went into the hydra_db container and looked at the table hydra_oauth2_access and saw an entry:
select * from hydra_oauth2_access;
signature          | pEd4_etYALpOPQ-Wspd8naPKcox-7suXBGSsA_1xobU
request_id         | 877a70fc6bf94daaad62482f2dec642e
requested_at       | 2020-05-23 11:48:01.328474
client_id          | repods
scope              | openid
granted_scope      | openid
form_data          |
session_data       | (long encoded value omitted)
subject            | [email protected]
active             | t
requested_audience |
granted_audience   |
challenge_id       | 877a70fc6bf94daaad62482f2dec642e
but I really don’t know what I’m doing here.
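A diagnostic for the 404 in the request log above, as an added example that is not part of the original post: it compares each logged request path with the endpoints an issuer advertises in its OpenID Connect discovery document and reports 404s on paths that are not advertised. The discovery document here is a constructed sample, not captured from the poster's instance, and the function names are hypothetical.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample discovery document (assumption: illustrative values; fetch
# the real one from <issuer>/.well-known/openid-configuration).
DISCOVERY = json.loads("""{
  "issuer": "https://localhost:9000/",
  "authorization_endpoint": "https://localhost:9000/oauth2/auth",
  "token_endpoint": "https://localhost:9000/oauth2/token",
  "userinfo_endpoint": "https://localhost:9000/userinfo",
  "jwks_uri": "https://localhost:9000/.well-known/jwks.json"
}""")

# The two "completed handling request" lines from the post, abridged.
LOG = '''\
hydra_1 | time="2020-05-22T17:32:59Z" level=info msg="completed handling request" method=POST request=/oauth2/token status=200 text_status=OK took=105.7715ms
hydra_1 | time="2020-05-22T17:32:59Z" level=info msg="completed handling request" method=GET request=/oauth2/userinfo status=404 text_status="Not Found" took="148.4µs"
'''

def advertised(discovery):
    """Map URL path -> full URL for every endpoint the issuer advertises."""
    return {urlsplit(v).path: v for k, v in discovery.items()
            if k.endswith("_endpoint") or k == "jwks_uri"}

def parse_logfmt(line):
    """Parse key=value pairs; values may be double-quoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def unadvertised_404s(log, discovery):
    """Return (method, path, advertised_url_or_None) for 404s on unadvertised paths."""
    known = advertised(discovery)
    findings = []
    for line in log.splitlines():
        f = parse_logfmt(line)
        path = f.get("request", "")
        if f.get("status") != "404" or path in known:
            continue
        # Suggest an advertised endpoint with the same last path segment.
        leaf = path.rstrip("/").rsplit("/", 1)[-1]
        hint = next((u for p, u in known.items()
                     if p.rstrip("/").rsplit("/", 1)[-1] == leaf), None)
        findings.append((f.get("method"), path, hint))
    return findings

if __name__ == "__main__":
    for method, path, hint in unadvertised_404s(LOG, DISCOVERY):
        print(f"404 on {method} {path}; advertised endpoint: {hint}")
```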