Run Hydra on a Mac for Testing

These are the steps (both up and down) to get the Hydra Consent Flow example working locally on a Mac.

Infrastructure

Create Network

Up

docker network create hydraguide

Down

docker network rm hydraguide

Create Database

Up

echo "create database hydra" | mysql -uroot -proot

Down

echo "drop database hydra" | mysql -uroot -proot

Export Stuff

Up

export DATABASE_URL='mysql://root:root@tcp(docker.for.mac.localhost:3306)/hydra?parseTime=true'
export SYSTEM_SECRET=yJFLIU44byGmmKLwJHvrIamNknAmSQR27C

The quotes matter: unquoted, the parentheses are a bash syntax error. docker.for.mac.localhost is how a container reaches MySQL running on the host under Docker for Mac. SYSTEM_SECRET is a throwaway value for local testing; keep it the same across restarts, because Hydra uses it to encrypt the key material it stores in the database.

Down

Nothing.

Migrations

Up

docker run -it --rm \
  oryd/hydra:v0.10.10 \
  migrate sql "$DATABASE_URL"

Down

Nothing.

Run Hydra Container

Up

docker run -d \
  --name ory-hydra-example--hydra \
  --network hydraguide \
  -p 9000:4444 \
  -e SYSTEM_SECRET=$SYSTEM_SECRET \
  -e DATABASE_URL=$DATABASE_URL \
  -e ISSUER=https://localhost:9000/ \
  -e CONSENT_URL=http://localhost:9020/consent \
  -e FORCE_ROOT_CLIENT_CREDENTIALS=admin:demo-password \
  oryd/hydra:v0.10.10

Hydra serves HTTPS on 4444 with a self-signed certificate in this setup, which is why every hydra CLI call below passes --skip-tls-verify and the consent app disables certificate checking; that is acceptable only on a local test box. FORCE_ROOT_CLIENT_CREDENTIALS creates a root client with full access on start, so the password must stay a demo value.

Down

docker rm -f ory-hydra-example--hydra

Create Consent App Client

Up

docker run --rm -it \
  -e CLUSTER_URL=https://ory-hydra-example--hydra:4444 \
  -e CLIENT_ID=admin \
  -e CLIENT_SECRET=demo-password \
  --network hydraguide \
  oryd/hydra:v0.10.10 \
  clients create --skip-tls-verify \
    --id consent-app \
    --secret consent-secret \
    --name "Consent App Client" \
    --grant-types client_credentials \
    --response-types token \
    --allowed-scopes hydra.consent

Down

docker run --rm -it \
  -e CLUSTER_URL=https://ory-hydra-example--hydra:4444 \
  -e CLIENT_ID=admin \
  -e CLIENT_SECRET=demo-password \
  --network hydraguide \
  oryd/hydra:v0.10.10 \
  clients delete consent-app --skip-tls-verify

Consent App Policy

Up

docker run --rm -it \
  -e CLUSTER_URL=https://ory-hydra-example--hydra:4444 \
  -e CLIENT_ID=admin \
  -e CLIENT_SECRET=demo-password \
  --network hydraguide \
  oryd/hydra:v0.10.10 \
  policies create --skip-tls-verify \
    --actions get,accept,reject \
    --description "Allow consent-app to manage OAuth2 consent requests." \
    --allow \
    --id consent-app-policy \
    --resources "rn:hydra:oauth2:consent:requests:<.*>" \
    --subjects consent-app

Down

docker run --rm -it \
  -e CLUSTER_URL=https://ory-hydra-example--hydra:4444 \
  -e CLIENT_ID=admin \
  -e CLIENT_SECRET=demo-password \
  --network hydraguide \
  oryd/hydra:v0.10.10 \
  policies delete consent-app-policy --skip-tls-verify

Run Consent App Container

Up

docker run -d \
  --name ory-hydra-example--consent \
  -p 9020:3000 \
  --network hydraguide \
  -e HYDRA_CLIENT_ID=consent-app \
  -e HYDRA_CLIENT_SECRET=consent-secret \
  -e HYDRA_URL=https://ory-hydra-example--hydra:4444 \
  -e NODE_TLS_REJECT_UNAUTHORIZED=0 \
  oryd/hydra-consent-app-express

NODE_TLS_REJECT_UNAUTHORIZED=0 turns off certificate verification for every outbound TLS connection the consent app makes, not just the one to Hydra; it is only here because Hydra is using a self-signed certificate. The image has no version tag, so it floats with whatever latest is on Docker Hub; pin a tag if you want these steps to stay reproducible.

Down

docker rm -f ory-hydra-example--consent

Flow

Create the Consumer Client

Up

docker run --rm -it \
  -e CLUSTER_URL=https://ory-hydra-example--hydra:4444 \
  -e CLIENT_ID=admin \
  -e CLIENT_SECRET=demo-password \
  --network hydraguide \
  oryd/hydra:v0.10.10 \
  clients create --skip-tls-verify \
    --id some-consumer \
    --secret consumer-secret \
    --grant-types authorization_code,refresh_token,client_credentials,implicit \
    --response-types token,code,id_token \
    --allowed-scopes openid,offline,hydra.clients \
    --callbacks http://localhost:9010/callback

hydra.clients is in the allowed scopes only because the sample flow below requests it; a token carrying that scope is accepted by the client-management API (subject to policies), so a real consumer client would not be given it.

Down

docker run --rm -it \
  -e CLUSTER_URL=https://ory-hydra-example--hydra:4444 \
  -e CLIENT_ID=admin \
  -e CLIENT_SECRET=demo-password \
  --network hydraguide \
  oryd/hydra:v0.10.10 \
  clients delete some-consumer --skip-tls-verify

OpenID Connect Policy

Up

docker run --rm -it \
  -e CLUSTER_URL=https://ory-hydra-example--hydra:4444 \
  -e CLIENT_ID=admin \
  -e CLIENT_SECRET=demo-password \
  --network hydraguide \
  oryd/hydra:v0.10.10 \
  policies create --skip-tls-verify \
    --actions get \
    --description "Allow everyone to read the OpenID Connect ID Token public key" \
    --allow \
    --id openid-id_token-policy \
    --resources rn:hydra:keys:hydra.openid.id-token:public \
    --subjects "<.*>"

Down

docker run --rm -it \
  -e CLUSTER_URL=https://ory-hydra-example--hydra:4444 \
  -e CLIENT_ID=admin \
  -e CLIENT_SECRET=demo-password \
  --network hydraguide \
  oryd/hydra:v0.10.10 \
  policies delete openid-id_token-policy --skip-tls-verify

Sample Code Flow

Up

docker run --rm -it \
  --network hydraguide \
  -p 9010:4445 \
  oryd/hydra:v0.10.10 \
  token user --skip-tls-verify \
    --auth-url https://localhost:9000/oauth2/auth \
    --token-url https://ory-hydra-example--hydra:4444/oauth2/token \
    --id some-consumer \
    --secret consumer-secret \
    --scopes openid,offline,hydra.clients \
    --redirect http://localhost:9010/callback

The two Hydra URLs differ on purpose: --auth-url is opened by your browser on the host, so it uses the published port 9000, while --token-url is called by the CLI from inside the hydraguide network, so it uses the container name and port 4444. Both point at the same Hydra instance.

Down

Nothing. The container is started with --rm and is removed when the command exits.

In the example, you first open a URL on port 9000; the token user command prints it. It looks like this (state and nonce are random per run, so yours will differ):

https://localhost:9000/oauth2/auth?client_id=some-consumer&redirect_uri=http%3A%2F%2Flocalhost%3A9010%2Fcallback&response_type=code&scope=openid+offline+hydra.clients&state=oirtadrarbtihcedllziauqo&nonce=qrahvnrmouzkgjtptyimjqvp

Opening it, Hydra immediately redirects you to port 9020, the consent app's CONSENT_URL, which shows the login page.

After you log in and submit the consent form, you are redirected to port 9010. That is the redirect URI registered for some-consumer, and behind it sits the token user command itself: it runs a small callback listener on port 4445 inside its container, published on the host as 9010 by the -p 9010:4445 mapping. The browser delivers the authorization code and state to http://localhost:9010/callback, and the command exchanges the code at the token URL for the tokens it prints.
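To make the role of port 9010 concrete, here is an added example (not code from this page, and not Hydra's own token user implementation) of the client side of the flow in Python: it builds the same /oauth2/auth URL shown above, validates the redirect that lands on the callback listener, and assembles the token request. It uses the client, scopes and redirect URI from this page; TOKEN_URL is an assumption here (the host-published port 9000, since this runs on the host rather than inside the hydraguide network), and the listener port 4445 mirrors the container-side port that the page maps to 9010. Nothing contacts the network unless the module is run directly.

```python
"""Minimal OAuth2 authorization-code client doing what `hydra token user` does."""
import base64
import secrets
import urllib.parse
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer

# Values from the page; TOKEN_URL is an assumption (host port 9000 instead of the
# container hostname the page's token user command uses from inside the network).
AUTH_URL = "https://localhost:9000/oauth2/auth"
TOKEN_URL = "https://localhost:9000/oauth2/token"
CLIENT_ID = "some-consumer"
CLIENT_SECRET = "consumer-secret"
REDIRECT_URI = "http://localhost:9010/callback"
SCOPES = ("openid", "offline", "hydra.clients")


@dataclass(frozen=True)
class AuthRequest:
    url: str
    state: str
    nonce: str


def build_authorize_url(client_id=CLIENT_ID, redirect_uri=REDIRECT_URI,
                        scopes=SCOPES, state=None, nonce=None):
    """Build the /oauth2/auth URL the browser must open.

    state ties the callback to this login attempt (CSRF protection on the
    redirect); nonce is echoed in the ID token so it can be tied to this request.
    """
    state = state or secrets.token_urlsafe(18)
    nonce = nonce or secrets.token_urlsafe(18)
    query = urllib.parse.urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    })
    return AuthRequest(f"{AUTH_URL}?{query}", state, nonce)


def parse_callback(callback_url, expected_state):
    """Validate the redirect that arrives on port 9010 and return the code.

    Raises ValueError on an error response, a state mismatch, or a missing code.
    """
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in params:
        description = params.get("error_description", [""])[0]
        raise ValueError(f"authorization failed: {params['error'][0]}: {description}")
    state = params.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    code = params.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(code, redirect_uri=REDIRECT_URI,
                        client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """Build the POST to /oauth2/token: form body plus HTTP Basic client auth."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the one sent to /oauth2/auth
    })
    return headers, body


class CallbackHandler(BaseHTTPRequestHandler):
    """Handles the single redirect from Hydra; expected_state is set on the server."""

    def do_GET(self):
        try:
            code = parse_callback(self.path, self.server.expected_state)
        except ValueError as exc:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(str(exc).encode())
            return
        self.server.code = code
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"Code received; you can close this tab.")


def run_callback_listener(expected_state, port=4445):
    """Serve exactly one request on the container-side port (9010 on the host)."""
    srv = HTTPServer(("", port), CallbackHandler)
    srv.expected_state = expected_state
    srv.code = None
    srv.handle_request()
    srv.server_close()
    return srv.code


if __name__ == "__main__":
    req = build_authorize_url()
    print("Open in a browser:", req.url)
    code = run_callback_listener(req.state)
    headers, body = build_token_request(code)
    print("POST", TOKEN_URL, headers, body)
```

Run it on the host while the Hydra and consent containers are up, open the printed URL, and the listener on 4445 receives the redirect after consent; with Hydra's self-signed certificate you would still need to disable verification (or trust the certificate) when actually sending the token request.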