Unsecured Protocol Error using localhost suffix

#1

Hello everyone,

I am testing Hydra locally,

I have an identity provider service implementing login and consent flow, it interacts correctly with Hydra.
At the end of the flow, the final redirection, Hydra returns an error saying I am using an insecure protocol, which is the case, it also tells me I can use an unsecure protocol using localhost suffix in the URL.

“The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed” error=invalid_request hint="Redirect URL is using an insecure protocol, http is only allowed for hosts with suffix localhost, for example: http://myapp.localhost/."

My problem is I am using the exact URL the hint suggests and I have still the same error.

This is the performed request with the redirect_uri parameters (which is saved as `http://myapp.localhost/ in the database):

GET on /oauth2/auth?client_id=my-client&grant_type=authorization_code&scope=read&redirect_uri=http%3A%2F%2Fmyapp%2Elocahost%2F&response_type=code&state=thisisarandomstring`

Did I miss some Hydra configuration to allow correctly unsecure protocol or something else ?

Thanks for you help !

#2

Please state the version you’re running

#3

My bad, I am running the latest version 1.0.0-rc.6+oryOS.10 (using the docker image: oryd/hydra:v1.0.0-rc.6_oryOS.10)

#4

Can you show your configuration? Including the way you’re starting hydra?

#5

Of course, I am using docker-compose:

  hydra:
    image: oryd/hydra:v1.0.0-rc.6_oryOS.10
    links:
      - postgresd
    depends_on:
      - hydra-migrate
    ports:
      # Public port
      - 4444:4444
      # Admin port
      - 4445:4445
      # Port for hydra token user
      - 5555:5555
    command:
      serve all --dangerous-force-http
    environment:
      - OAUTH2_ISSUER_URL=http://localhost:4444
      - OAUTH2_CONSENT_URL=http://localhost:3000/consent
      - OAUTH2_LOGIN_URL=http://localhost:3000/login
      - DATABASE_URL=postgres://hydra:[email protected]:5432/hydra?sslmode=disable
      - SYSTEM_SECRET=youReallyNeedToChangeThis
      - OAUTH2_SHARE_ERROR_DEBUG=1
      - OIDC_SUBJECT_TYPES_SUPPORTED=public,pairwise
      - OIDC_SUBJECT_TYPE_PAIRWISE_SALT=youReallyNeedToChangeThis
    restart: unless-stopped

I have also a container for the sql server, sql migration, and the identity provider which are basically also a copy/paste of the official repo docker-compose.yml.

Logs after the start seems to reflect the configuration:

Attaching to identity-provider_hydra_1
hydra_1            | time="2019-03-25T12:05:05Z" level=info msg="Setting up tracing middleware"
hydra_1            | time="2019-03-25T12:05:05Z" level=info msg="No tracer configured - skipping tracing setup"
hydra_1            | time="2019-03-25T12:05:05Z" level=info msg="Connecting with postgres://*:*@postgresd:5432/hydra?sslmode=disable"
hydra_1            | Thank you for using ORY Hydra v1.0.0-rc.6+oryOS.10!
hydra_1            |
hydra_1            | Take security seriously and subscribe to the ORY Security Newsletter. Stay on top of new patches and security insights.
hydra_1            |
hydra_1            | >> Subscribe now: http://eepurl.com/di390P <<
hydra_1            | time="2019-03-25T12:05:05Z" level=info msg="Connected to SQL!"
hydra_1            | time="2019-03-25T12:05:05Z" level=warning msg="Could not parse login and consent request lifespan value (). Defaulting to 15m"
hydra_1            | time="2019-03-25T12:05:05Z" level=info msg="Setting up Prometheus middleware"
hydra_1            | time="2019-03-25T12:05:05Z" level=info msg="Setting up http server on :4445"
hydra_1            | time="2019-03-25T12:05:05Z" level=warning msg="HTTPS disabled. Never do this in production."
hydra_1            | time="2019-03-25T12:05:05Z" level=info msg="Setting up http server on :4444"
hydra_1            | time="2019-03-25T12:05:05Z" level=warning msg="HTTPS disabled. Never do this in production."
#6

What’s the result of hydra clients get my-client?

#7

Here is the basic configuration of my unique client:

docker-compose exec hydra hydra clients --endpoint http://localhost:4445 get my-client
{
	"client_id": "my-client",
	"grant_types": [
		"authorization_code"
	],
	"jwks": {},
	"redirect_uris": [
		"http://myapp.locahost/"
	],
	"response_types": [
		"code"
	],
	"scope": "read",
	"subject_type": "public",
	"token_endpoint_auth_method": "client_secret_basic",
	"userinfo_signed_response_alg": "none"
}
#8

Thank you for the trace! That does seem kind of strange, I’ll investigate.

1 Like
#9

The behaviour disappeared upgrading to version 8.

#10

That was an easy fix! :smiley:

#11

Hi everybody, I’m using this latest version (v1.0.0-rc.11) and I have the same problem.
Ory hydra is behind Kong, and I’m using the nokia oidc as kong’s oidc plugin.
Here is the request forwarded from this API Gateway to Ory Hydra :
https://[ory_hydra_admin_uri]/oauth2/auth?response_type=code&client_id=[my_client]&state=0d7f9ed00555a16609876a8553ef3d30&redirect_uri=http://[callback_uri]/cb&nonce=4eefc6c4581c118636c977f46ae6bf3f&scope=openid
Here is my client’s configuration :
hydra clients get --endpoint https://[ory_hydra_admin_uri]/ WGuili3ulUZePcq0p4gYxdogglPflO0M
{
“allowed_cors_origins”: [],
“audience”: [],
“client_id”: “[my_client]”,
“contacts”: [],
“created_at”: “2019-05-17T07:07:39.000Z”,
“grant_types”: [
“authorize_code”,
“refresh_token”,
“client_credentials”,
“implicit”
],
“client_name”: “taiga”,
“post_logout_redirect_uris”: null,
“redirect_uris”: [
“http://[callback_uri]/cb”
],
“request_uris”: null,
“response_types”: [
“token”,
“code”,
“id_token”
],
“scope”: “openid offline”,
“subject_type”: “public”,
“token_endpoint_auth_method”: “client_secret_basic”,
“updated_at”: “2019-05-17T07:07:39.000Z”,
“userinfo_signed_response_alg”: “none”
}

Ory Hydra redirect me to my Identity Provider and when I accept the consent (https://[ory_hydra_admin_uri]/oauth2/auth/requests/consent/accept?consent_challenge=47903881742241b3b9afe6c50bbd26f6)), Ory Hydra redirect me to the callback uri with the same error as querystring ( The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed” error=invalid_request hint="Redirect URL is using an insecure protocol, http is only allowed for hosts with suffix localhost , for example: http://myapp.localhost/.)

Please, help me!