These are the steps (both up and down) to get the Hydra Consent Flow example working locally on a Mac.
Infrastructure
Create Database
Up
echo "create database hydra" | mysql -uroot -proot
Down
echo "drop database hydra" | mysql -uroot -proot
Export Stuff
Up
export DATABASE_URL=mysql://root:root@tcp(docker.for.mac.localhost:3306)/hydra?parseTime=true
export SYSTEM_SECRET=yJFLIU44byGmmKLwJHvrIamNknAmSQR27C
Down
Nothing.
Migrations
Up
docker run -it --rm \
oryd/hydra:v0.10.10 \
migrate sql $DATABASE_URL
Down
Nothing.
Run Hydra Container
Up
docker run -d \
--name ory-hydra-example--hydra \
--network hydraguide \
-p 9000:4444 \
-e SYSTEM_SECRET=$SYSTEM_SECRET \
-e DATABASE_URL=$DATABASE_URL \
-e ISSUER=https://localhost:9000/ \
-e CONSENT_URL=http://localhost:9020/consent \
-e FORCE_ROOT_CLIENT_CREDENTIALS=admin:demo-password \
oryd/hydra:v0.10.10
Down
docker rm -f ory-hydra-example--hydra
Create Client for Consent App
Up
docker run --rm -it \
-e CLUSTER_URL=https://ory-hydra-example--hydra:4444 \
-e CLIENT_ID=admin \
-e CLIENT_SECRET=demo-password \
--network hydraguide \
-p 9010:4445 \
oryd/hydra:v0.10.10 \
clients create --skip-tls-verify \
--id consent-app \
--secret consent-secret \
--name "Consent App Client" \
--grant-types client_credentials \
--response-types token \
--allowed-scopes hydra.consent
Down
docker run --rm -it \
-e CLUSTER_URL=https://ory-hydra-example--hydra:4444 \
-e CLIENT_ID=admin \
-e CLIENT_SECRET=demo-password \
--network hydraguide \
oryd/hydra:v0.10.10 \
clients delete consent-app --skip-tls-verify
Create Policy for Consent App
Up
docker run --rm -it \
-e CLUSTER_URL=https://ory-hydra-example--hydra:4444 \
-e CLIENT_ID=admin \
-e CLIENT_SECRET=demo-password \
--network hydraguide \
-p 9010:4445 \
oryd/hydra:v0.10.10 \
policies create --skip-tls-verify \
--actions get,accept,reject \
--description "Allow consent-app to manage OAuth2 consent requests." \
--allow \
--id consent-app-policy \
--resources "rn:hydra:oauth2:consent:requests:<.*>" \
--subjects consent-app
Down
docker run --rm -it \
-e CLUSTER_URL=https://ory-hydra-example--hydra:4444 \
-e CLIENT_ID=admin \
-e CLIENT_SECRET=demo-password \
--network hydraguide \
oryd/hydra:v0.10.10 \
policies delete consent-app-policy --skip-tls-verify
Run the Express Consent App
Up
docker run -d \
--name ory-hydra-example--consent \
-p 9020:3000 \
--network hydraguide \
-e HYDRA_CLIENT_ID=consent-app \
-e HYDRA_CLIENT_SECRET=consent-secret \
-e HYDRA_URL=https://ory-hydra-example--hydra:4444 \
-e NODE_TLS_REJECT_UNAUTHORIZED=0 \
oryd/hydra-consent-app-express
Down
docker rm -f ory-hydra-example--consent
Flow
Create the Consumer Client
Up
docker run --rm -it \
-e CLUSTER_URL=https://ory-hydra-example--hydra:4444 \
-e CLIENT_ID=admin \
-e CLIENT_SECRET=demo-password \
--network hydraguide \
oryd/hydra:v0.10.10 \
clients create --skip-tls-verify \
--id some-consumer \
--secret consumer-secret \
--grant-types authorization_code,refresh_token,client_credentials,implicit \
--response-types token,code,id_token \
--allowed-scopes openid,offline,hydra.clients \
--callbacks http://localhost:9010/callback
Down
docker run --rm -it \
-e CLUSTER_URL=https://ory-hydra-example--hydra:4444 \
-e CLIENT_ID=admin \
-e CLIENT_SECRET=demo-password \
--network hydraguide \
oryd/hydra:v0.10.10 \
clients delete some-consumer --skip-tls-verify
OpenID Connect Policy
Up
docker run --rm -it \
-e CLUSTER_URL=https://ory-hydra-example--hydra:4444 \
-e CLIENT_ID=admin \
-e CLIENT_SECRET=demo-password \
--network hydraguide \
oryd/hydra:v0.10.10 \
policies create --skip-tls-verify \
--actions get \
--description "Allow everyone to read the OpenID Connect ID Token public key" \
--allow \
--id openid-id_token-policy \
--resources rn:hydra:keys:hydra.openid.id-token:public \
--subjects "<.*>"
Down
docker run --rm -it \
-e CLUSTER_URL=https://ory-hydra-example--hydra:4444 \
-e CLIENT_ID=admin \
-e CLIENT_SECRET=demo-password \
--network hydraguide \
oryd/hydra:v0.10.10 \
policies delete openid-id_token-policy --skip-tls-verify
Sample Code Flow
Up
docker run --rm -it \
--network hydraguide \
-p 9010:4445 \
oryd/hydra:v0.10.10 \
token user --skip-tls-verify \
--auth-url https://localhost:9000/oauth2/auth \
--token-url https://ory-hydra-example--hydra:4444/oauth2/token \
--id some-consumer \
--secret consumer-secret \
--scopes openid,offline,hydra.clients \
--redirect http://localhost:9010/callback
Down
Nothing.
In the example, first you go to a URL on 9000. The Hydra command with token user gives you that. Upon going to that, you are immediately redirected to 9020 and you get the login page. After you log in and submit, you are redirected to 9010. I need to know how 9010 fits into this.
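The hydra token user helper above plays the OAuth2 client: it prints the authorization URL on port 9000, and the -p 9010:4445 mapping exposes the callback listener it runs to receive the browser's redirect to the --redirect URL. As an added example (not code from these notes or from ORY Hydra), here is that client role with the Python standard library only: build the authorization URL, receive the callback on 9010, refuse the code unless the state matches the request we started, and prepare the back-channel token exchange. Endpoints and credentials are copied from the token user command above; the actual POST to the token URL is left to the caller.

```python
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

AUTH_URL = "https://localhost:9000/oauth2/auth"  # values as in the `token user` command above
TOKEN_URL = "https://ory-hydra-example--hydra:4444/oauth2/token"
CLIENT_ID, CLIENT_SECRET = "some-consumer", "consumer-secret"
REDIRECT_URI = "http://localhost:9010/callback"
SCOPES = "openid offline hydra.clients"

def build_auth_url(state, nonce):
    """Step 1: the URL on port 9000 the user opens; Hydra sends them on to the consent app on 9020."""
    params = {"client_id": CLIENT_ID, "response_type": "code", "scope": SCOPES,
              "redirect_uri": REDIRECT_URI, "state": state, "nonce": nonce}
    return AUTH_URL + "?" + urllib.parse.urlencode(params)

def parse_callback(path, expected_state):
    """Step 2: validate the redirect that lands on port 9010; a wrong state is rejected (CSRF guard)."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    if "error" in query:
        raise RuntimeError("authorization failed: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to our request")
    return query["code"][0]

def token_request(code):
    """Step 3: form body and client credentials for the back-channel POST to TOKEN_URL."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI}
    return body, (CLIENT_ID, CLIENT_SECRET)

class CallbackHandler(BaseHTTPRequestHandler):
    """Serves the single redirect Hydra sends to the --redirect URL (host port 9010)."""
    def do_GET(self):
        try:
            self.server.code = parse_callback(self.path, self.server.expected_state)
            self.send_response(200)
        except (KeyError, ValueError, RuntimeError) as exc:
            self.server.error = str(exc)
            self.send_response(400)
        self.end_headers()

def wait_for_code(expected_state, port=9010):
    """Listen on the callback port for exactly one request and return the authorization code."""
    server = HTTPServer(("localhost", port), CallbackHandler)
    server.expected_state, server.code, server.error = expected_state, None, None
    server.handle_request()  # serve one request, then return
    if server.code is None:
        raise RuntimeError(server.error or "no callback received")
    return server.code
```

To run the flow by hand: pick state and nonce with secrets.token_urlsafe(16), open build_auth_url(state, nonce) in the browser, then call wait_for_code(state) and POST the body from token_request(code) to TOKEN_URL with the client credentials.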