These are the steps (both up and down) to get the Hydra Consent Flow example working locally on a Mac.
Infrastructure
Create Database
Up
echo "create database hydra" | mysql -uroot -proot
Down
echo "drop database hydra" | mysql -uroot -proot
Export Stuff
Up
export DATABASE_URL=mysql://root:root@tcp(docker.for.mac.localhost:3306)/hydra?parseTime=true
export SYSTEM_SECRET=yJFLU44byGmmKLwJHvramNknAmSQR27C
Down
Nothing.
Migrations
Up
docker run -it --rm \
oryd/hydra:v0.10.10 \
migrate sql $DATABASE_URL
Down
Nothing.
Run Hydra Container
Up
docker run -d \
--name ory-hydra-example--hydra \
--network hydraguide \
-p 9000:4444 \
-e SYSTEM_SECRET=$SYSTEM_SECRET \
-e DATABASE_URL=$DATABASE_URL \
-e ISSUER=https://localhost:9000/ \
-e CONSENT_URL=http://localhost:9020/consent \
-e FORCE_ROOT_CLIENT_CREDENTIALS=admin:demo-password \
oryd/hydra:v0.10.10
Down
docker rm -f ory-hydra-example--hydra
Create Client for Consent App
Up
docker run --rm -it \
-e CLUSTER_URL=https://ory-hydra-example--hydra:4444 \
-e CLIENT_ID=admin \
-e CLIENT_SECRET=demo-password \
--network hydraguide \
-p 9010:4445 \
oryd/hydra:v0.10.10 \
clients create --skip-tls-verify \
--id consent-app \
--secret consent-secret \
--name "Consent App Client" \
--grant-types client_credentials \
--response-types token \
--allowed-scopes hydra.consent
Down
docker run --rm -it \
-e CLUSTER_URL=https://ory-hydra-example--hydra:4444 \
-e CLIENT_ID=admin \
-e CLIENT_SECRET=demo-password \
--network hydraguide \
oryd/hydra:v0.10.10 \
clients delete consent-app --skip-tls-verify
Create Policy for Consent App
Up
docker run --rm -it \
-e CLUSTER_URL=https://ory-hydra-example--hydra:4444 \
-e CLIENT_ID=admin \
-e CLIENT_SECRET=demo-password \
--network hydraguide \
-p 9010:4445 \
oryd/hydra:v0.10.10 \
policies create --skip-tls-verify \
--actions get,accept,reject \
--description "Allow consent-app to manage OAuth2 consent requests." \
--allow \
--id consent-app-policy \
--resources "rn:hydra:oauth2:consent:requests:<.*>" \
--subjects consent-app
Down
docker run --rm -it \
-e CLUSTER_URL=https://ory-hydra-example--hydra:4444 \
-e CLIENT_ID=admin \
-e CLIENT_SECRET=demo-password \
--network hydraguide \
oryd/hydra:v0.10.10 \
policies delete consent-app-policy --skip-tls-verify
Run the Express Consent App
Up
docker run -d \
--name ory-hydra-example--consent \
-p 9020:3000 \
--network hydraguide \
-e HYDRA_CLIENT_ID=consent-app \
-e HYDRA_CLIENT_SECRET=consent-secret \
-e HYDRA_URL=https://ory-hydra-example--hydra:4444 \
-e NODE_TLS_REJECT_UNAUTHORIZED=0 \
oryd/hydra-consent-app-express
Down
docker rm -f ory-hydra-example--consent
Flow
Create the Consumer Client
Up
docker run --rm -it \
-e CLUSTER_URL=https://ory-hydra-example--hydra:4444 \
-e CLIENT_ID=admin \
-e CLIENT_SECRET=demo-password \
--network hydraguide \
oryd/hydra:v0.10.10 \
clients create --skip-tls-verify \
--id some-consumer \
--secret consumer-secret \
--grant-types authorization_code,refresh_token,client_credentials,implicit \
--response-types token,code,id_token \
--allowed-scopes openid,offline,hydra.clients \
--callbacks http://localhost:9010/callback
Down
docker run --rm -it \
-e CLUSTER_URL=https://ory-hydra-example--hydra:4444 \
-e CLIENT_ID=admin \
-e CLIENT_SECRET=demo-password \
--network hydraguide \
oryd/hydra:v0.10.10 \
clients delete some-consumer --skip-tls-verify
OpenID Connect Policy
Up
docker run --rm -it \
-e CLUSTER_URL=https://ory-hydra-example--hydra:4444 \
-e CLIENT_ID=admin \
-e CLIENT_SECRET=demo-password \
--network hydraguide \
oryd/hydra:v0.10.10 \
policies create --skip-tls-verify \
--actions get \
--description "Allow everyone to read the OpenID Connect ID Token public key" \
--allow \
--id openid-id_token-policy \
--resources rn:hydra:keys:hydra.openid.id-token:public \
--subjects "<.*>"
Down
docker run --rm -it \
-e CLUSTER_URL=https://ory-hydra-example--hydra:4444 \
-e CLIENT_ID=admin \
-e CLIENT_SECRET=demo-password \
--network hydraguide \
oryd/hydra:v0.10.10 \
policies delete openid-id_token-policy --skip-tls-verify
Sample Code Flow
Up
docker run --rm -it \
--network hydraguide \
-p 9010:4445 \
oryd/hydra:v0.10.10 \
token user --skip-tls-verify \
--auth-url https://localhost:9000/oauth2/auth \
--token-url https://ory-hydra-example--hydra:4444/oauth2/token \
--id some-consumer \
--secret consumer-secret \
--scopes openid,offline,hydra.clients \
--redirect http://localhost:9010/callback
Down
Nothing.
In the example, first you go to a URL on 9000. The Hydra command with token user gives you that:
https://localhost:9000/oauth2/auth?client_id=some-consumer&redirect_uri=http%3A%2F%2Flocalhost%3A9010%2Fcallback&response_type=code&scope=openid+offline+hydra.clients&state=oirtadrarbtihcedllziauqo&nonce=qrahvnrmouzkgjtptyimjqvp
Upon going to that, you are immediately redirected to 9020 and you get the login page.
After you log in and submit, you are redirected to 9010. I need to know how 9010 fits into this.
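As an added example (not part of these notes and not Hydra's own code), the Python script below takes the authorize URL printed above and checks it against the some-consumer registration from the "Create the Consumer Client" step the way an authorization server has to before it sends the browser on to the consent app: exact redirect_uri match, allowed response_type and scopes, and a state and nonce present. It then models the redirect back to http://localhost:9010/callback, which is the --redirect the token user command passes and the container port 4445 it publishes as 9010, and shows the state comparison the receiving side performs before it exchanges the code. The code value and the forged state are constructed; everything else is taken from the commands above.

```python
"""Check the authorize request and callback of the sample code flow.

Added example: the registration values come from the `clients create --id
some-consumer` step and the URL from `hydra token user`; the code value and
forged state below are constructed.
"""
from urllib.parse import urlparse, parse_qs, urlencode

# Registration from the "Create the Consumer Client" step.
SOME_CONSUMER = {
    "id": "some-consumer",
    "response_types": {"token", "code", "id_token"},
    "scopes": {"openid", "offline", "hydra.clients"},
    "callbacks": {"http://localhost:9010/callback"},
}

# Authorize URL printed by `hydra token user` in the notes.
AUTH_URL = (
    "https://localhost:9000/oauth2/auth?client_id=some-consumer"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A9010%2Fcallback"
    "&response_type=code&scope=openid+offline+hydra.clients"
    "&state=oirtadrarbtihcedllziauqo&nonce=qrahvnrmouzkgjtptyimjqvp"
)


def parse_auth_request(url):
    """Return the query parameters of an authorize URL, one value each."""
    q = parse_qs(urlparse(url).query, keep_blank_values=True)
    bad = [k for k, v in q.items() if len(v) != 1]
    if bad:
        raise ValueError(f"repeated parameters: {bad}")
    return {k: v[0] for k, v in q.items()}


def check_auth_request(params, client):
    """Checks the authorization server applies before redirecting to consent.
    Returns a list of problems; an empty list means the request is acceptable."""
    problems = []
    if params.get("client_id") != client["id"]:
        problems.append("client_id does not match registration")
    # OAuth 2.0 requires an exact string match against a registered callback;
    # anything looser (prefix, host-only) is a well-known redirect weakness.
    if params.get("redirect_uri") not in client["callbacks"]:
        problems.append("redirect_uri is not a registered callback")
    response_types = set(params.get("response_type", "").split())
    if not response_types or not response_types <= client["response_types"]:
        problems.append("response_type not allowed for this client")
    scopes = set(params.get("scope", "").split())
    if not scopes <= client["scopes"]:
        problems.append(f"scope not allowed: {sorted(scopes - client['scopes'])}")
    if not params.get("state"):
        problems.append("state missing (callback cannot be bound to this request)")
    if "openid" in scopes and not params.get("nonce"):
        problems.append("nonce missing for an OpenID Connect request")
    return problems


def build_callback(params, code):
    """Constructed: the redirect issued after consent, carrying the code and
    echoing state. This is what arrives at localhost:9010/callback."""
    return params["redirect_uri"] + "?" + urlencode(
        {"code": code, "state": params["state"]}
    )


def verify_callback(callback_url, expected_state):
    """What the listener on 9010 does before exchanging the code: the echoed
    state must equal the one generated for this browser session."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        return None  # not a response to a request this client started
    return q.get("code", [None])[0]


if __name__ == "__main__":
    req = parse_auth_request(AUTH_URL)
    print("problems:", check_auth_request(req, SOME_CONSUMER))
    cb = build_callback(req, "constructed-code-123")
    print("accepted code:", verify_callback(cb, req["state"]))
    print("forged state:", verify_callback(cb, "constructed-other-state"))
```

Running it reports no problems for the URL as printed, accepts the constructed code when the echoed state matches, and returns None when it does not; changing redirect_uri to anything other than the registered callback, or adding a scope such as hydra.consent that some-consumer was not granted, shows up in the problem list.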