Unsecured Protocol Error using localhost suffix

Hello everyone,

I am testing Hydra locally,

I have an identity provider service implementing login and consent flow, it interacts correctly with Hydra.
At the end of the flow, on the final redirection, Hydra returns an error saying I am using an insecure protocol, which is the case; it also tells me I can use an insecure protocol if the host in the URL has the localhost suffix.

"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed" error=invalid_request hint="Redirect URL is using an insecure protocol, http is only allowed for hosts with suffix localhost, for example: http://myapp.localhost/."

My problem is I am using the exact URL the hint suggests and I have still the same error.

This is the performed request with the redirect_uri parameter (which is saved as `http://myapp.localhost/` in the database):

GET /oauth2/auth?client_id=my-client&grant_type=authorization_code&scope=read&redirect_uri=http%3A%2F%2Fmyapp%2Elocahost%2F&response_type=code&state=thisisarandomstring

Did I miss some Hydra configuration to correctly allow the insecure protocol, or something else?

Thanks for your help!
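As an added illustration (this is not code from the thread and not Hydra's own implementation), here is a small Go program that applies the rule exactly as the error hint words it: plain http redirect URIs are accepted only when the host has the suffix `localhost`, while https is always accepted. It also decodes the `redirect_uri` parameter out of an `/oauth2/auth` query string and compares it byte-for-byte with the client's registered list, which is the other check a redirect has to pass. Assumptions made here: the suffix comparison is case-insensitive, schemes other than http/https are passed through untouched, and the sample query string and registered list are constructed to mirror the shape of the request and client record shown in this thread (note that they contain `myapp.locahost`, one letter short of `localhost`, which the suffix rule rejects).

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// RedirectCheck is the outcome of applying the rule from the Hydra error
// hint to one redirect URI.
type RedirectCheck struct {
	URI    string
	Secure bool
	Reason string
}

// hasLocalhostSuffix applies the rule as the hint words it
// ("http is only allowed for hosts with suffix localhost").
// Lower-casing first is an assumption of this example (host names are
// case-insensitive); this is not a copy of Hydra's implementation.
func hasLocalhostSuffix(host string) bool {
	return strings.HasSuffix(strings.ToLower(host), "localhost")
}

// CheckRedirectURI decides whether the quoted rule would accept raw.
// Schemes other than http/https (e.g. native-app callbacks) are passed
// through, since the rule only constrains plain http (assumption).
func CheckRedirectURI(raw string) RedirectCheck {
	u, err := url.Parse(raw)
	if err != nil {
		return RedirectCheck{URI: raw, Secure: false, Reason: "unparseable redirect URI: " + err.Error()}
	}
	host := u.Hostname() // strips any :port, so http://localhost:3000/cb still yields "localhost"
	switch strings.ToLower(u.Scheme) {
	case "https":
		return RedirectCheck{URI: raw, Secure: true, Reason: "https"}
	case "http":
		if hasLocalhostSuffix(host) {
			return RedirectCheck{URI: raw, Secure: true, Reason: "http on localhost-suffixed host " + host}
		}
		return RedirectCheck{URI: raw, Secure: false, Reason: fmt.Sprintf("http on non-localhost host %q", host)}
	default:
		return RedirectCheck{URI: raw, Secure: true, Reason: "non-http scheme " + u.Scheme + ", rule does not apply"}
	}
}

// RedirectURIFromQuery pulls the percent-decoded redirect_uri out of the
// query string of an /oauth2/auth request; a duplicated parameter is an
// error, matching the "includes a parameter more than once" wording.
func RedirectURIFromQuery(rawQuery string) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	vals := q["redirect_uri"]
	if len(vals) != 1 {
		return "", fmt.Errorf("expected exactly one redirect_uri, got %d", len(vals))
	}
	return vals[0], nil
}

// IsRegistered reports whether requested is byte-for-byte one of the
// client's registered redirect_uris (OAuth 2.0 requires exact matching;
// a single missing letter in the host is a mismatch).
func IsRegistered(requested string, registered []string) bool {
	for _, r := range registered {
		if r == requested {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample input, shaped like the request and client record in the thread.
	query := "client_id=my-client&scope=read&redirect_uri=http%3A%2F%2Fmyapp%2Elocahost%2F&response_type=code&state=thisisarandomstring"
	registered := []string{"http://myapp.locahost/"}

	ru, err := RedirectURIFromQuery(query)
	if err != nil {
		fmt.Println("bad query:", err)
		return
	}
	fmt.Printf("requested redirect_uri: %s (registered: %v)\n", ru, IsRegistered(ru, registered))
	for _, c := range []string{ru, "http://myapp.localhost/", "http://localhost:3000/cb", "http://127.0.0.1/cb", "https://example.com/cb", "http://example.com/cb"} {
		r := CheckRedirectURI(c)
		fmt.Printf("%-28s secure=%-5v %s\n", r.URI, r.Secure, r.Reason)
	}
}
```

Run it with `go run main.go`; the table it prints makes the difference between `myapp.localhost` and `myapp.locahost` visible at a glance, and `IsRegistered` shows why the URI sent on the request and the one stored on the client must match exactly.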

Please state the version you’re running

My bad, I am running the latest version 1.0.0-rc.6+oryOS.10 (using the docker image: oryd/hydra:v1.0.0-rc.6_oryOS.10)

Can you show your configuration? Including the way you’re starting hydra?

Of course, I am using docker-compose:

  hydra:
    image: oryd/hydra:v1.0.0-rc.6_oryOS.10
    links:
      - postgresd
    depends_on:
      - hydra-migrate
    ports:
      # Public port
      - 4444:4444
      # Admin port
      - 4445:4445
      # Port for hydra token user
      - 5555:5555
    command:
      serve all --dangerous-force-http
    environment:
      - OAUTH2_ISSUER_URL=http://localhost:4444
      - OAUTH2_CONSENT_URL=http://localhost:3000/consent
      - OAUTH2_LOGIN_URL=http://localhost:3000/login
      - DATABASE_URL=postgres://hydra:secret@postgresd:5432/hydra?sslmode=disable
      - SYSTEM_SECRET=youReallyNeedToChangeThis
      - OAUTH2_SHARE_ERROR_DEBUG=1
      - OIDC_SUBJECT_TYPES_SUPPORTED=public,pairwise
      - OIDC_SUBJECT_TYPE_PAIRWISE_SALT=youReallyNeedToChangeThis
    restart: unless-stopped

I also have containers for the SQL server, the SQL migration, and the identity provider, which are basically also a copy/paste of the official repo docker-compose.yml.

The logs after start-up seem to reflect the configuration:

Attaching to identity-provider_hydra_1
hydra_1            | time="2019-03-25T12:05:05Z" level=info msg="Setting up tracing middleware"
hydra_1            | time="2019-03-25T12:05:05Z" level=info msg="No tracer configured - skipping tracing setup"
hydra_1            | time="2019-03-25T12:05:05Z" level=info msg="Connecting with postgres://*:*@postgresd:5432/hydra?sslmode=disable"
hydra_1            | Thank you for using ORY Hydra v1.0.0-rc.6+oryOS.10!
hydra_1            |
hydra_1            | Take security seriously and subscribe to the ORY Security Newsletter. Stay on top of new patches and security insights.
hydra_1            |
hydra_1            | >> Subscribe now: http://eepurl.com/di390P <<
hydra_1            | time="2019-03-25T12:05:05Z" level=info msg="Connected to SQL!"
hydra_1            | time="2019-03-25T12:05:05Z" level=warning msg="Could not parse login and consent request lifespan value (). Defaulting to 15m"
hydra_1            | time="2019-03-25T12:05:05Z" level=info msg="Setting up Prometheus middleware"
hydra_1            | time="2019-03-25T12:05:05Z" level=info msg="Setting up http server on :4445"
hydra_1            | time="2019-03-25T12:05:05Z" level=warning msg="HTTPS disabled. Never do this in production."
hydra_1            | time="2019-03-25T12:05:05Z" level=info msg="Setting up http server on :4444"
hydra_1            | time="2019-03-25T12:05:05Z" level=warning msg="HTTPS disabled. Never do this in production."

What's the result of `hydra clients get my-client`?

Here is the basic configuration of my only client:

docker-compose exec hydra hydra clients --endpoint http://localhost:4445 get my-client
{
	"client_id": "my-client",
	"grant_types": [
		"authorization_code"
	],
	"jwks": {},
	"redirect_uris": [
		"http://myapp.locahost/"
	],
	"response_types": [
		"code"
	],
	"scope": "read",
	"subject_type": "public",
	"token_endpoint_auth_method": "client_secret_basic",
	"userinfo_signed_response_alg": "none"
}

Thank you for the trace! That does seem kind of strange, I’ll investigate.


The behaviour disappeared after upgrading to version 8.

That was an easy fix! :smiley:

Hi everybody, I'm using the latest version (v1.0.0-rc.11) and I have the same problem.
Ory Hydra is behind Kong, and I'm using nokia oidc as Kong's OIDC plugin.
Here is the request forwarded from this API gateway to Ory Hydra:
https://[ory_hydra_admin_uri]/oauth2/auth?response_type=code&client_id=[my_client]&state=0d7f9ed00555a16609876a8553ef3d30&redirect_uri=http://[callback_uri]/cb&nonce=4eefc6c4581c118636c977f46ae6bf3f&scope=openid
Here is my client's configuration:
hydra clients get --endpoint https://[ory_hydra_admin_uri]/ WGuili3ulUZePcq0p4gYxdogglPflO0M
{
	"allowed_cors_origins": [],
	"audience": [],
	"client_id": "[my_client]",
	"contacts": [],
	"created_at": "2019-05-17T07:07:39.000Z",
	"grant_types": [
		"authorize_code",
		"refresh_token",
		"client_credentials",
		"implicit"
	],
	"client_name": "taiga",
	"post_logout_redirect_uris": null,
	"redirect_uris": [
		"http://[callback_uri]/cb"
	],
	"request_uris": null,
	"response_types": [
		"token",
		"code",
		"id_token"
	],
	"scope": "openid offline",
	"subject_type": "public",
	"token_endpoint_auth_method": "client_secret_basic",
	"updated_at": "2019-05-17T07:07:39.000Z",
	"userinfo_signed_response_alg": "none"
}

Ory Hydra redirects me to my identity provider, and when I accept the consent (https://[ory_hydra_admin_uri]/oauth2/auth/requests/consent/accept?consent_challenge=47903881742241b3b9afe6c50bbd26f6), Ory Hydra redirects me to the callback URI with the same error in the query string: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed" error=invalid_request hint="Redirect URL is using an insecure protocol, http is only allowed for hosts with suffix localhost, for example: http://myapp.localhost/."

Please, help me!