F… Following the steps, running it gives:

level=error msg="An error occurred" debug="No CSRF value available in the session cookie" description="The request is not allowed" error=request_forbidden hint="You are not allowed to perform this action."


With the same browser I hit this whether I restarted Docker, cleared cookies or tried other things; just try a private browsing window. The login and consent CSRF token travels in a session cookie that is bound to the exact host the browser is talking to, so cookies left over from an earlier Hydra run (with DSN=memory every restart starts from scratch) or mixing hosts such as 127.0.0.1, localhost and 192.168.99.100 between URLS_SELF_ISSUER and the URL you open will make Hydra reject the request. A private window starts with an empty cookie jar, which is why it gets past the error.


I also tried Dex, both the Docker image and the binary, but it failed, so I skipped it.

Hydra docker-compose

1. Get https://github.com/ory/hydra (clone the repository) and start the quickstart:

  
docker-compose -f quickstart.yml -f quickstart-postgres.yml up --build  

Note on quickstart.yml

If Docker or the binary runs directly on your host, the "IP used" in the Hydra 5-minute demo is 127.0.0.1. Everything below is demo-grade: serve all --dangerous-force-http exposes the OAuth2 endpoints over plain HTTP, DSN=memory drops clients, sessions and signing keys on every restart (when you also pass quickstart-postgres.yml, its Postgres DSN overrides this value), and SECRETS_SYSTEM and OIDC_SUBJECT_TYPE_PAIRWISE_SALT are placeholders that must be replaced for anything that is not a demo.

  
version: '3'  
  
services:  
  
  hydra:  
    image: oryd/hydra:latest  
    ports:  
      - "4444:4444" # Public port  
      - "4445:4445" # Admin port  
      - "5555:5555" # Port for hydra token user  
    command:  
      serve all --dangerous-force-http  
    environment:  
      - URLS_SELF_ISSUER=http://127.0.0.1:4444  
      - URLS_CONSENT=http://127.0.0.1:3000/consent  
      - URLS_LOGIN=http://127.0.0.1:3000/login  
      - URLS_LOGOUT=http://127.0.0.1:3000/logout  
      - DSN=memory  
      - SECRETS_SYSTEM=youReallyNeedToChangeThis  
      - OIDC_SUBJECT_TYPES_SUPPORTED=public,pairwise  
      - OIDC_SUBJECT_TYPE_PAIRWISE_SALT=youReallyNeedToChangeThis  
    restart: unless-stopped  
  
  consent:  
    environment:  
      - HYDRA_ADMIN_URL=http://hydra:4445  
    image: oryd/hydra-login-consent-node:latest  
    ports:  
      - "3000:3000"  
    restart: unless-stopped  

If Hydra runs in a VM or on a real server, use that machine's real IP instead, e.g. 192.168.99.100 (docker-machine):

  
version: '3'  
  
services:  
  
  hydra:  
    image: oryd/hydra:latest  
    ports:  
      - "4444:4444" # Public port  
      - "4445:4445" # Admin port  
      - "5555:5555" # Port for hydra token user  
    command:  
      serve all --dangerous-force-http  
    environment:  
      - URLS_SELF_ISSUER=http://192.168.99.100:4444  
      - URLS_CONSENT=http://192.168.99.100:3000/consent  
      - URLS_LOGIN=http://192.168.99.100:3000/login  
      - URLS_LOGOUT=http://192.168.99.100:3000/logout  
      - DSN=memory  
      - SECRETS_SYSTEM=youReallyNeedToChangeThis  
      - OIDC_SUBJECT_TYPES_SUPPORTED=public,pairwise  
      - OIDC_SUBJECT_TYPE_PAIRWISE_SALT=youReallyNeedToChangeThis  
    restart: unless-stopped  
  
  consent:  
    environment:  
      - HYDRA_ADMIN_URL=http://hydra:4445  
    image: oryd/hydra-login-consent-node:latest  
    ports:  
      - "3000:3000"  
    restart: unless-stopped  

If you run into CORS problems, see https://github.com/ory/hydra/blob/master/quickstart-cors.yml

Check that Hydra's OpenID Connect side started correctly: the public port must serve the JWKS.

http://192.168.99.100:4444/.well-known/jwks.json

It should return JSON with a "keys" array. http://192.168.99.100:4444/.well-known/openid-configuration returns the full discovery document; its "issuer" must match URLS_SELF_ISSUER, otherwise the cookie and redirect problems described at the top of the page follow.
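As an added startup check (example code written for this page, not from the original post or from ORY), the script below fetches the discovery document and the JWKS from the public port and flags the mistakes that bite this setup: an issuer that differs from URLS_SELF_ISSUER, endpoints spread over different hosts, and a key set with no usable RSA signing key or with private key material in it. The check functions are pure, so they also run offline on constructed documents; the default URL 192.168.99.100:4444 and the /.well-known paths are Hydra's standard ones.

```python
"""Startup check for the Hydra public port (added example, not from the
original post or from ORY). Fetches the OpenID discovery document and the
JWKS and reports an issuer that differs from URLS_SELF_ISSUER, endpoints
on different hosts (cookies are host-bound, which is one way to end up
with "No CSRF value available in the session cookie"), and a JWKS without
a usable RSA signing key or with private material in it."""
import json
import sys
import urllib.request
from urllib.parse import urlparse

ENDPOINTS = ("authorization_endpoint", "token_endpoint",
             "userinfo_endpoint", "jwks_uri")


def fetch_json(url):
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.load(resp)


def check_discovery(doc, expected_issuer):
    """Return a list of problems found in an OpenID discovery document."""
    problems = []
    issuer = doc.get("issuer", "")
    # Hydra appends a trailing slash to URLS_SELF_ISSUER; compare without it
    if issuer.rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer {issuer!r} != configured {expected_issuer!r}")
    host = urlparse(issuer).netloc
    for key in ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif urlparse(url).netloc != host:
            problems.append(f"{key} on {urlparse(url).netloc!r}, issuer on {host!r}")
    if "openid" not in doc.get("scopes_supported", []):
        problems.append("openid scope not advertised")
    return problems


def check_jwks(jwks):
    """Return a list of problems found in the published key set."""
    problems = []
    signing = [k for k in jwks.get("keys", [])
               if k.get("kty") == "RSA" and k.get("use", "sig") == "sig"]
    if not signing:
        problems.append("no RSA signing key published")
    for key in signing:
        if not key.get("kid"):
            problems.append("signing key without kid")
        # only the public part (n, e) belongs in jwks.json
        if any(f in key for f in ("d", "p", "q", "dp", "dq", "qi")):
            problems.append(f"key {key.get('kid')!r} contains private material")
    return problems


if __name__ == "__main__":
    base = (sys.argv[1] if len(sys.argv) > 1 else "http://192.168.99.100:4444").rstrip("/")
    found = check_discovery(fetch_json(base + "/.well-known/openid-configuration"), base)
    found += check_jwks(fetch_json(base + "/.well-known/jwks.json"))
    print("\n".join(found) or "hydra looks healthy at " + base)
    sys.exit(1 if found else 0)
```

Run it as `python check_hydra.py http://192.168.99.100:4444` with the same value you put in URLS_SELF_ISSUER; a non-zero exit means one of the checks failed and the message says which.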

Create clients

Download the hydra binary (the CLI used below).

https://www.ory.sh/docs/next/hydra/install#download-binaries
https://github.com/ory/hydra/releases
https://github.com/ory/hydra/releases/tag/v1.0.0-rc.15

PS: The version will have moved on; get the newest release you can.

  
hydra clients create --endpoint http://192.168.99.100:4445/ --id auth-code-client --secret secret --grant-types authorization_code,refresh_token --response-types code,id_token --scope openid,offline --callbacks http://127.0.0.1:5555/callback  

! Newer versions use --endpoint instead of the earlier --auth-url and --token-url flags, but I think you can still use the old way… maybe.

! The scope "openid,offline" must be reused exactly in the next step; the scope set is defined by you when creating the client. The --secret value here is a demo secret only.

Thanks https://dotblogs.com.tw/liguobao/2018/12/30/132746

Check the registered clients:

hydra clients list --endpoint http://192.168.99.100:4445 

Emulate the full OpenID Connect flow

Running the command opens a browser window pointing at a local page; if nothing pops up, open http://127.0.0.1:5555/ yourself.

  
hydra token user --client-id auth-code-client --client-secret secret --endpoint http://192.168.99.100:4444 --port 5555 --scope openid,offline  

This step starts a local callback server on port 5555, matching the http://127.0.0.1:5555/callback registered for the client.

! The scope "openid,offline" here must match what was used when the client was created.

Get userinfo. Copy the access token from the previous step and put it after Bearer:


  
curl -X GET http://192.168.99.100:4444/userinfo -H 'Accept: application/json' -H 'Authorization: Bearer MmadDHs3VdWC7LZTIdBKUHyzgsWHe2XbzHpwjKrF7Rs.tXlg7rShEEbkcczNWJGS84sIvokTF6Ae7bhSQZfHMgA'   
  
Response:
{"sid":"c7d5665b-76e7-475a-95a8-cc521352663b","sub":"foo@bar.com"}  
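The same login, consent, callback and userinfo round trip that `hydra token user` performs, and that the flow summary at the end of this page describes, written out as an added example (this is not code from the original post or from ORY Hydra). It uses only the Python standard library and assumes the client auth-code-client / secret with callback http://127.0.0.1:5555/callback and scope openid offline created above; /oauth2/auth, /oauth2/token and /userinfo are Hydra's public endpoints. It generates and checks the state parameter (which is what protects the callback against forged or replayed redirects), exchanges the code with client_secret_basic and checks the ID token's iss, aud, nonce and exp claims. What it deliberately leaves out is signature verification of the ID token: do that with a JOSE library against /.well-known/jwks.json before trusting the claims.

```python
"""Minimal OAuth2/OIDC client doing what `hydra token user` does. Added
example, not from the original post or from ORY Hydra; stdlib only.
Assumes the client auth-code-client/secret with callback
http://127.0.0.1:5555/callback and scope openid offline from this page.
The ID token signature is NOT verified here (use a JOSE library and
/.well-known/jwks.json before trusting the claims)."""
import base64
import json
import secrets
import time
import urllib.parse
import urllib.request
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer

def build_authorize_url(issuer, client_id, redirect_uri, scope, state, nonce):
    # scope is space-delimited on the wire: the CLI's "openid,offline" is "openid offline"
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state, "nonce": nonce}
    return issuer.rstrip("/") + "/oauth2/auth?" + urllib.parse.urlencode(params)

def parse_callback(query, expected_state):
    """Validate the redirect back to /callback and return the authorization code."""
    q = urllib.parse.parse_qs(query)
    if "error" in q:
        raise ValueError(f"{q['error'][0]}: {q.get('error_description', [''])[0]}")
    # state ties the callback to the request this client started; any other
    # value is a forged or stale redirect whose code must not be exchanged
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not started by us")
    return q["code"][0]

def exchange_code(issuer, client_id, client_secret, code, redirect_uri):
    """POST /oauth2/token with client_secret_basic, Hydra's default client auth."""
    body = urllib.parse.urlencode({"grant_type": "authorization_code", "code": code,
                                   "redirect_uri": redirect_uri}).encode()
    # RFC 6749 2.3.1: id and secret are form-urlencoded before base64
    creds = urllib.parse.quote(client_id, safe="") + ":" + urllib.parse.quote(client_secret, safe="")
    req = urllib.request.Request(issuer.rstrip("/") + "/oauth2/token", data=body, headers={
        "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def id_token_claims(id_token):
    """Decode the JWT payload only; signature verification is out of scope here."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_id_token_claims(claims, issuer, client_id, nonce, now=None):
    """Return a list of claim problems; empty means iss, aud, nonce and exp check out."""
    now = time.time() if now is None else now
    aud = claims.get("aud", [])
    problems = []
    if claims.get("iss", "").rstrip("/") != issuer.rstrip("/"):
        problems.append("iss mismatch")
    if client_id not in ([aud] if isinstance(aud, str) else aud):
        problems.append("aud does not contain our client_id")
    if claims.get("nonce") != nonce:
        problems.append("nonce mismatch (replayed ID token)")
    if claims.get("exp", 0) <= now:
        problems.append("ID token expired")
    return problems

def userinfo(issuer, access_token):
    req = urllib.request.Request(issuer.rstrip("/") + "/userinfo", headers={
        "Authorization": "Bearer " + access_token, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class _Callback(BaseHTTPRequestHandler):
    query = None                          # set by the single redirect we serve

    def do_GET(self):
        _Callback.query = urllib.parse.urlsplit(self.path).query
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"Login complete, you can close this tab.")

def run_flow(issuer, client_id, client_secret, scope="openid offline", port=5555):
    """Drive the whole code flow and return (token response, userinfo)."""
    redirect_uri = f"http://127.0.0.1:{port}/callback"
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    server = HTTPServer(("127.0.0.1", port), _Callback)
    url = build_authorize_url(issuer, client_id, redirect_uri, scope, state, nonce)
    print("If no browser opens, visit:", url)
    webbrowser.open(url)
    server.handle_request()               # block until the browser is redirected back
    code = parse_callback(_Callback.query, state)
    tokens = exchange_code(issuer, client_id, client_secret, code, redirect_uri)
    bad = check_id_token_claims(id_token_claims(tokens["id_token"]), issuer, client_id, nonce)
    if bad:
        raise ValueError("ID token rejected: " + "; ".join(bad))
    return tokens, userinfo(issuer, tokens["access_token"])

if __name__ == "__main__":
    toks, info = run_flow("http://192.168.99.100:4444", "auth-code-client", "secret")
    print(json.dumps({"tokens": toks, "userinfo": info}, indent=2))
```

The browser must reach the issuer under exactly the host used in the script (here 192.168.99.100), for the same cookie reason as the CSRF error at the top of the page. Hydra's access tokens are opaque, which is why the script hands the token to /userinfo rather than decoding it; only the ID token is a JWT.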

Modifying the login app to change what userinfo returns (the sub claim is the subject the login endpoint accepts):


https://github.com/ory/hydra-login-consent-node/blob/master/routes/login.js
subject: ‘foo@bar.com’, -> subject: ‘foo@bar.com-success’,

This is how I tested it inside the running Docker container (edits made this way live only in that container's writable layer and are lost when docker-compose recreates it, e.g. on the next up --build):
1. docker ps
2. Get the container ID of oryd/hydra-login-consent-node:v1.0.0-rc.10
3. docker exec -it containerid /bin/sh
4. vi bin/www and change the port from 3000 to 3001
5. vi routes/login.js and change subject: 'foo@bar.com', to subject: 'foo@bar.com--success',
6. node ./bin/www &
7. ps
8. kill the old node process (this drops you out of the container)
9. docker exec -it containerid /bin/sh
10. vi bin/www and change the port back from 3001 to 3000
11. node ./bin/www &
12. kill the old node process (drops you out of the container again)
13. docker exec -it containerid /bin/sh
14. netstat -nlp and check that port 3000 is listening

====================
https://mileschou.github.io/auth-notes/src/hydra/user-login-and-consent-flow.html#oauth-2-0-%E8%88%87-open-id-connect
====================
https://dotblogs.com.tw/liguobao/2018/12/30/132746
OAUTH2_ISSUER_URL: the address where Hydra lives
OAUTH2_CONSENT_URL: the consent page
OAUTH2_LOGIN_URL: the login page
(These are the older environment variable names; in the compose files above they are URLS_SELF_ISSUER, URLS_CONSENT and URLS_LOGIN.)

Application XX requests authorization
-> redirect to OAUTH2_LOGIN_URL
-> login succeeds
-> redirect to the OAUTH2_CONSENT_URL consent page
-> consent is granted
-> redirect back to application XX's callback with the code/token
-> application XX uses the code/token to fetch user info or perform other operations