OpenID hydra SSL problem Finish!
1、use docker-machine create vm get ip: 192.168.99.100
2、deploy
https://www.ory.sh/docs/next/hydra/configure-deploy
docker network create hydraguide
docker run \
--network hydraguide \
--name ory-hydra-example--postgres \
-e POSTGRES_USER=hydra \
-e POSTGRES_PASSWORD=secret \
-e POSTGRES_DB=hydra \
-d postgres:9.6
export SECRETS_SYSTEM=this_needs_to_be_the_same_always_and_also_very_$3cuR3-._
export DSN=postgres://hydra:secret@ory-hydra-example--postgres:5432/hydra?sslmode=disable
docker pull oryd/hydra:latest
docker run -it --rm \
--network hydraguide \
oryd/hydra:latest \
migrate sql --yes $DSN
=====creat ssl cert and key====
!!注意!! 產生方式改用 https://sueboy.blogspot.com/2019/08/openssl-self-signed-certificate.html 較為保險,不容易發生 ERR_SSL_VERSION_OR_CIPHER_MISMATCH 錯誤!
create two cert. 1. t.tt 2. openid.hydra
In vm
openssl genrsa -out t.tt.key 2048
openssl ecparam -genkey -name secp384r1 -out t.tt.key
openssl req -new -x509 -sha256 -key t.tt.key -out t.tt.crt -days 3650
Important!! t.tt.crt step: Common Name (e.g. server FQDN or YOUR name) []: t.tt
openssl genrsa -out openid.hydra.key 2048
openssl ecparam -genkey -name secp384r1 -out openid.hydra.key
openssl req -new -x509 -sha256 -key openid.hydra.key -out openid.hydra.crt -days 3650
Important!! openid.hydra.crt step: Common Name (e.g. server FQDN or YOUR name) []: openid.hydra
Use openid.hydra.key and openid.hydra.crt to base64 code
https://www.base64encode.org/
openid.hydra.key
-—-BEGIN EC PARAMETERS—–
BgUrgQQAIg==
-—-END EC PARAMETERS—–
-—-BEGIN EC PRIVATE KEY—–
MIGkAgEBBDCKnGgVqIW7YinbQeyPGyQ44Gu6UQDzU9HCKb33MifxRXE0dnu6+7Zu
0tBTqHPDuLygBwYFK4EEACKhZANiAARnx56OcxcrEdlbe8MtRuEqXev8DDrhzebF
386R8CdPX4eQb6fYzzAT/uwI0lL7oFiDXC7CBKZfTq7EK3xO3WZZRJ2k0D7NsKwg
TJYzrqOBis0MxkokaTYUrzhJ1pJcyfY=
-—-END EC PRIVATE KEY—–
openid.hydra.crt
-—-BEGIN CERTIFICATE—–
MIICPTCCAcKgAwIBAgIJAMwF4bT4oJxtMAoGCCqGSM49BAMCMFwxCzAJBgNVBAYT
AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn
aXRzIFB0eSBMdGQxFTATBgNVBAMMDG9wZW5pZC5oeWRyYTAeFw0xOTA2MTcwMTIx
MzdaFw0yOTA2MTQwMTIxMzdaMFwxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21l
LVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFTATBgNV
BAMMDG9wZW5pZC5oeWRyYTB2MBAGByqGSM49AgEGBSuBBAAiA2IABGfHno5zFysR
2Vt7wy1G4Spd6/wMOuHN5sXfzpHwJ09fh5Bvp9jPMBP+7AjSUvugWINcLsIEpl9O
rsQrfE7dZllEnaTQPs2wrCBMljOuo4GKzQzGSiRpNhSvOEnWklzJ9qNQME4wHQYD
VR0OBBYEFG+vzfB1beg3UZtJXEvV9dMkXo6gMB8GA1UdIwQYMBaAFG+vzfB1beg3
UZtJXEvV9dMkXo6gMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDaQAwZgIxALPv
86EHTTTIKpBGvT+ccV7wcH/8HR+slad/YPXKRVpwdCo52eTOWpCKgFjkG4BawQIx
ALlFdX0lI6g8WKyaE5f+2FdI1aejCAmwLOM6SDRa4UGn+Ckep8IcxmBL2/Be3IVz
8g==
-—-END CERTIFICATE—–
SERVE_TLS_KEY_BASE64=LS0tLS1CRUdJTiBFQyBQQVJBTUVURVJTLS0tLS0KQmdVcmdRUUFJZz09Ci0tLS0tRU5EIEVDIFBBUkFNRVRFUlMtLS0tLQotLS0tLUJFR0lOIEVDIFBSSVZBVEUgS0VZLS0tLS0KTUlHa0FnRUJCRENLbkdnVnFJVzdZaW5iUWV5UEd5UTQ0R3U2VVFEelU5SENLYjMzTWlmeFJYRTBkbnU2KzdadQowdEJUcUhQRHVMeWdCd1lGSzRFRUFDS2haQU5pQUFSbng1Nk9jeGNyRWRsYmU4TXRSdUVxWGV2OEREcmh6ZWJGCjM4NlI4Q2RQWDRlUWI2Zll6ekFUL3V3STBsTDdvRmlEWEM3Q0JLWmZUcTdFSzN4TzNXWlpSSjJrMEQ3TnNLd2cKVEpZenJxT0JpczBNeGtva2FUWVVyemhKMXBKY3lmWT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
SERVE_TLS_CERT_BASE64=LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNQVENDQWNLZ0F3SUJBZ0lKQU13RjRiVDRvSnh0TUFvR0NDcUdTTTQ5QkFNQ01Gd3hDekFKQmdOVkJBWVQKQWtGVk1STXdFUVlEVlFRSURBcFRiMjFsTFZOMFlYUmxNU0V3SHdZRFZRUUtEQmhKYm5SbGNtNWxkQ0JYYVdSbgphWFJ6SUZCMGVTQk1kR1F4RlRBVEJnTlZCQU1NREc5d1pXNXBaQzVvZVdSeVlUQWVGdzB4T1RBMk1UY3dNVEl4Ck16ZGFGdzB5T1RBMk1UUXdNVEl4TXpkYU1Gd3hDekFKQmdOVkJBWVRBa0ZWTVJNd0VRWURWUVFJREFwVGIyMWwKTFZOMFlYUmxNU0V3SHdZRFZRUUtEQmhKYm5SbGNtNWxkQ0JYYVdSbmFYUnpJRkIwZVNCTWRHUXhGVEFUQmdOVgpCQU1NREc5d1pXNXBaQzVvZVdSeVlUQjJNQkFHQnlxR1NNNDlBZ0VHQlN1QkJBQWlBMklBQkdmSG5vNXpGeXNSCjJWdDd3eTFHNFNwZDYvd01PdUhONXNYZnpwSHdKMDlmaDVCdnA5alBNQlArN0FqU1V2dWdXSU5jTHNJRXBsOU8KcnNRcmZFN2RabGxFbmFUUVBzMndyQ0JNbGpPdW80R0t6UXpHU2lScE5oU3ZPRW5Xa2x6SjlxTlFNRTR3SFFZRApWUjBPQkJZRUZHK3Z6ZkIxYmVnM1VadEpYRXZWOWRNa1hvNmdNQjhHQTFVZEl3UVlNQmFBRkcrdnpmQjFiZWczClVadEpYRXZWOWRNa1hvNmdNQXdHQTFVZEV3UUZNQU1CQWY4d0NnWUlLb1pJemowRUF3SURhUUF3WmdJeEFMUHYKODZFSFRUVElLcEJHdlQrY2NWN3djSC84SFIrc2xhZC9ZUFhLUlZwd2RDbzUyZVRPV3BDS2dGamtHNEJhd1FJeApBTGxGZFgwbEk2ZzhXS3lhRTVmKzJGZEkxYWVqQ0Ftd0xPTTZTRFJhNFVHbitDa2VwOEljeG1CTDIvQmUzSVZ6CjhnPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
docker run -d \
--name ory-hydra-example--hydra \
--network hydraguide \
-p 9001:4444 \
-p 9002:4445 \
-e SECRETS_SYSTEM=$SECRETS_SYSTEM \
-e DSN=$DSN \
-e URLS_SELF_ISSUER=https://openid.hydra:9001/ \
-e URLS_CONSENT=http://192.168.99.100:9020/consent \
-e URLS_LOGIN=http://192.168.99.100:9020/login \
-e LOG_LEVEL=debug \
-e OAUTH2_EXPOSE_INTERNAL_ERRORS=1 \
-e SERVE_PUBLIC_CORS_ENABLED=true \
-e SERVE_PUBLIC_CORS_ALLOWED_METHODS=POST,GET,PUT,DELETE \
-e SERVE_ADMIN_CORS_ENABLED=true \
-e SERVE_ADMIN_CORS_ALLOWED_METHODS=POST,GET,PUT,DELETE \
-e SERVE_TLS_KEY_BASE64=LS0tLS1CRUdJTiBFQyBQQVJBTUVURVJTLS0tLS0KQmdVcmdRUUFJZz09Ci0tLS0tRU5EIEVDIFBBUkFNRVRFUlMtLS0tLQotLS0tLUJFR0lOIEVDIFBSSVZBVEUgS0VZLS0tLS0KTUlHa0FnRUJCRENLbkdnVnFJVzdZaW5iUWV5UEd5UTQ0R3U2VVFEelU5SENLYjMzTWlmeFJYRTBkbnU2KzdadQowdEJUcUhQRHVMeWdCd1lGSzRFRUFDS2haQU5pQUFSbng1Nk9jeGNyRWRsYmU4TXRSdUVxWGV2OEREcmh6ZWJGCjM4NlI4Q2RQWDRlUWI2Zll6ekFUL3V3STBsTDdvRmlEWEM3Q0JLWmZUcTdFSzN4TzNXWlpSSjJrMEQ3TnNLd2cKVEpZenJxT0JpczBNeGtva2FUWVVyemhKMXBKY3lmWT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= \
-e SERVE_TLS_CERT_BASE64=LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNQVENDQWNLZ0F3SUJBZ0lKQU13RjRiVDRvSnh0TUFvR0NDcUdTTTQ5QkFNQ01Gd3hDekFKQmdOVkJBWVQKQWtGVk1STXdFUVlEVlFRSURBcFRiMjFsTFZOMFlYUmxNU0V3SHdZRFZRUUtEQmhKYm5SbGNtNWxkQ0JYYVdSbgphWFJ6SUZCMGVTQk1kR1F4RlRBVEJnTlZCQU1NREc5d1pXNXBaQzVvZVdSeVlUQWVGdzB4T1RBMk1UY3dNVEl4Ck16ZGFGdzB5T1RBMk1UUXdNVEl4TXpkYU1Gd3hDekFKQmdOVkJBWVRBa0ZWTVJNd0VRWURWUVFJREFwVGIyMWwKTFZOMFlYUmxNU0V3SHdZRFZRUUtEQmhKYm5SbGNtNWxkQ0JYYVdSbmFYUnpJRkIwZVNCTWRHUXhGVEFUQmdOVgpCQU1NREc5d1pXNXBaQzVvZVdSeVlUQjJNQkFHQnlxR1NNNDlBZ0VHQlN1QkJBQWlBMklBQkdmSG5vNXpGeXNSCjJWdDd3eTFHNFNwZDYvd01PdUhONXNYZnpwSHdKMDlmaDVCdnA5alBNQlArN0FqU1V2dWdXSU5jTHNJRXBsOU8KcnNRcmZFN2RabGxFbmFUUVBzMndyQ0JNbGpPdW80R0t6UXpHU2lScE5oU3ZPRW5Xa2x6SjlxTlFNRTR3SFFZRApWUjBPQkJZRUZHK3Z6ZkIxYmVnM1VadEpYRXZWOWRNa1hvNmdNQjhHQTFVZEl3UVlNQmFBRkcrdnpmQjFiZWczClVadEpYRXZWOWRNa1hvNmdNQXdHQTFVZEV3UUZNQU1CQWY4d0NnWUlLb1pJemowRUF3SURhUUF3WmdJeEFMUHYKODZFSFRUVElLcEJHdlQrY2NWN3djSC84SFIrc2xhZC9ZUFhLUlZwd2RDbzUyZVRPV3BDS2dGamtHNEJhd1FJeApBTGxGZFgwbEk2ZzhXS3lhRTVmKzJGZEkxYWVqQ0Ftd0xPTTZTRFJhNFVHbitDa2VwOEljeG1CTDIvQmUzSVZ6CjhnPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= \
oryd/hydra:latest serve all
```LOG\_LEVEL ~ SERVE\_ADMIN\_CORS\_ALLOWED\_METHODS not important, add by yourself.
docker run -d \
–name ory-hydra-example–consent \
-p 9020:3000 \
–network hydraguide \
-e HYDRA_ADMIN_URL=https://ory-hydra-example–hydra:4445 \
-e NODE_TLS_REJECT_UNAUTHORIZED=0 \
oryd/hydra-login-consent-node:latest
docker run –rm -it \
-e HYDRA_ADMIN_URL=https://ory-hydra-example–hydra:4445 \
–network hydraguide \
oryd/hydra:latest \
clients create –skip-tls-verify \
–id auth-code-client \
–secret secret \
–grant-types authorization_code,refresh_token \
–response-types token,code,id_token \
–scope openid,offline,photos.read \
–callbacks https://t.tt:9010/callback
All become http. So last step can callback use http. This production way only use https. And token user only http. So use self OpenID client.
1\. nano /etc/hosts or windows hosts
------------------------------------
### 127.0.0.1 t.tt
### 192.168.99.100 openid.hydra
2\. use golang OpenID client + ssl
----------------------------------
https://blog.csdn.net/wangshubo1989/article/details/77980316
https://github.com/denji/golang-tls
### copy t.tt.key and t.tt.crt to go project
### main.go
package main
import (
“context”
“crypto/tls”
“fmt”
“log”
“net/http”
“strings”
“golang.org/x/oauth2”
)
const htmlIndex = `
var HydraOauthConfig = &oauth2.Config{
ClientID: “auth-code-client”,
ClientSecret: “secret”,
RedirectURL: “https://t.tt:9010/callback",
Scopes: []string{“openid”, “offline”, “photos.read”},
Endpoint: endpotin,
}
const oauthStateString = “gczxkznmjkrksgytsemvwgkf”
func main() {
http.HandleFunc("/”, handleMain)
http.HandleFunc("/HydraLogin", handleHydraLogin)
http.HandleFunc("/callback", handleCallback)
//fmt.Println(http.ListenAndServe(":9010", nil))
err := http.ListenAndServeTLS(":9010", “t.tt.crt”, “t.tt.key”, nil)
if err != nil {
log.Fatal(“ListenAndServe: “, err)
}
}
func handleMain(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, htmlIndex)
}
func handleHydraLogin(w http.ResponseWriter, r *http.Request) {
url := HydraOauthConfig.AuthCodeURL(oauthStateString)
log.Println(url)
http.Redirect(w, r, url, http.StatusTemporaryRedirect)
}
func handleCallback(w http.ResponseWriter, r *http.Request) {
// add transport for self-signed certificate to context
tr := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
sslcli := &http.Client{Transport: tr}
ctx := context.TODO()
ctx = context.WithValue(ctx, oauth2.HTTPClient, sslcli)
state := r.FormValue(“state”)
if state != oauthStateString {
log.Printf(“invalid oauth state, expected ‘%s’, got ‘%s’\n”, oauthStateString, state)
http.Redirect(w, r, “/”, http.StatusTemporaryRedirect)
return
}
log.Println(“state:”, state)
code := r.FormValue(“code”)
log.Println(“code: “, code)
token, err := HydraOauthConfig.Exchange(ctx, code)
if err != nil {
log.Println(“Code exchange failed with:”, err)
http.Redirect(w, r, “/”, http.StatusTemporaryRedirect)
return
}
TokenMsg := “Token Info”
TokenMsg += fmt.Sprintf(“token.AccessToken : %s \n”, token.AccessToken)
TokenMsg += fmt.Sprintf(“token.TokenType : %s \n”, token.TokenType)
TokenMsg += fmt.Sprintf(“token.RefreshToken : %s \n”, token.RefreshToken)
TokenMsg += fmt.Sprintf(“token.Expiry : %s \n”, token.Expiry)
TokenMsg += fmt.Sprintf(“token Exra id_token : %s \n”, token.Extra(“id_token”))
TokenMsg += fmt.Sprintf(“token Exra scope : %s \n”, token.Extra(“scope”))
log.Println(TokenMsg)
log.Println("===========all token==========")
log.Println(“token: “, token)
log.Println(“Authentication token…. “)
client := HydraOauthConfig.Client(ctx, token)
resp, err := client.Get(“https://openid.hydra:9001/")
if err != nil {
log.Println(err)
} else {
log.Println(“Authentication successful !!")
}
defer resp.Body.Close()
// show succes page
msg := “Success!”
msg += “You are authenticated and can now return to the CLI.”
msg += strings.ReplaceAll(TokenMsg, “\n”, “")
fmt.Fprintf(w, msg)
//response, err := http.Get(“https://openid.hydra:9001/userinfo?access_token=" + token.AccessToken)
//defer response.Body.Close()
//contents, err := ioutil.ReadAll(response.Body)
//fmt.Fprintf(w, “Content: %s\n”, contents)
}
### Try https://t.tt Now can run finish all step.
[![](https://1.bp.blogspot.com/-mcLuuH9ZxbE/XQbywZJ8pxI/AAAAAAAAVOY/SggHb3krgJQ6LIeUp7bYrhS1XHQM81ZmACLcBGAs/s640/123123123.jpg)](https://1.bp.blogspot.com/-mcLuuH9ZxbE/XQbywZJ8pxI/AAAAAAAAVOY/SggHb3krgJQ6LIeUp7bYrhS1XHQM81ZmACLcBGAs/s1600/123123123.jpg)
hydra.rest
@audience = audience=
@max_age = max_age=0
@nonce = nonce=kwhqocyluutsstfouosxluqc
@prompt = prompt=
@response_type = response_type=code
@state = state=gczxkznmjkrksgytsemvwgkf
@client_id = client_id=auth-code-client
@scope = scope=openid+offline+photos.read
@redirect_url = redirect_url=https%3A%2F%2Ft.tt%3A9010%2Fcallback
@auth-tailpart = {{audience}}&{{max_age}}&{{nonce}}&{{prompt}}
@9001_auth = https://openid.hydra:9001/oauth2/auth?
get hydra login page
Get {{9001_auth}}&{{client_id}}&{{redirect_url}}&{{scope}}&{{response_type}}&{{state}}&{{auth-tailpart}}
//提醒:csrf可以不更新,challenge一定要更新
@9020_login = http://192.168.99.100:9020/login
@9020_consent = http://192.168.99.100:9020/consent
@_csrf1 = Gxa6Hip4-J_A3L2kpRc72Iclw_Ql8eIcQiTc
@login_challenge = bc55b64985f1400b90a2c2741f8780f2
@email = foo@bar.com
@password = foobar
get login
GET https://192.168.99.100:9002/oauth2/auth/requests/login?login_challenge={{login_challenge}}
login
#POST {{9020_login}}
#Content-Type: application/x-www-form-urlencoded
#_csrf={{_csrf1}}
#&challenge={{login_challenge}}
#&email={{email}}
#&password={{password}}
accept login
PUT https://192.168.99.100:9002/oauth2/auth/requests/login/accept?login_challenge={{login_challenge}}
Content-Type: application/json
{
“subject”: “foo@bar.com”,
“remember”: false,
“remember_for”: 3600
}
@login_verifier = login_verifier=1025ccb8109047668715c8162459d6de
get conent
GET {{9001_auth}}{{login_verifier}}&{{client_id}}&{{redirect_url}}&{{scope}}&{{response_type}}&{{state}}&{{auth-tailpart}}
@consent_challenge = d23b6822d88842078a0d83677e8709a8
@_csrf2 = PLSPrz8R-GqmzKwgMtNus3LiX-p9Oh0QaLnQ
requests consent
###GET {{9020_consent}}?consent_challenge={{consent_challenge}}
get conent scope
GET https://192.168.99.100:9002/oauth2/auth/requests/consent?consent_challenge={{consent_challenge}}
@submit = Allow access
accept conent scope
PUT https://192.168.99.100:9002/oauth2/auth/requests/consent/accept?consent_challenge={{consent_challenge}}
Content-Type: application/json
{
“grant_scope”: [“openid”, “photos.read”],
“session”: {
“access_token”: { “foo”: “bar” },
“id_token”: { “baz”: “bar” }
}
}
@consent_verifier = consent_verifier=ed04b20447c343338e9000b2db640f3c
get auth token
GET {{9001_auth}}{{consent_verifier}}&{{client_id}}&{{redirect_url}}&{{scope}}&{{response_type}}&{{state}}&{{auth-tailpart}}
http://192.168.99.100:4444/oauth2/auth?audience=&client_id=auth-code-client&consent_verifier=a643ae2e056543fabbd8d6f747e8a30c&max_age=0&nonce=chscixgzceuosfcocvvmjngj&prompt=&redirect_uri=http%3A%2F%2F127.0.0.1%3A5555%2Fcallback&response_type=code&scope=openid+offline&state=oplovvughuyzixqdvxnortrq
@token= xLPcJ3tobDqGUDxIVTxWt2p7w_odZSV22IAlUf5QPZU.YD6R_xKQ2ldCLbEV7mmc01E6ZLzemzdEC5H4-otTMPg
userinfo
GET https://openid.hydra:9001/userinfo
Authorization: Bearer {{token}}
introspect
POST https://openid.hydra:9002/oauth2/introspect
Content-Type: application/x-www-form-urlencoded
token={{token}}
&scope=openid+photos.read
GET https://openid.hydra:9002/oauth2/auth/sessions/consent?subject=foo@bar.com HTTP/1.1
PS:&scope=openid+photos.read can remove.
PS:
Here REST Client still return login page. go main server error log:
### Post https://openid.hydra:9001/oauth2/token: x509: certificate signed by unknown authority
This is Go Server problem. See main.go Line:55-61 82-94 Fix this problem.
\========== old ==========
3、Now have problem is token user. When you run \*A, try to open web broswer. http://192.168.99.100:9010 then click "Authorize application" get error.
Because "Authorize application" still is 127.0.0.1. No way to change. So copy Link change it.
https://192.168.99.100:9001/oauth2/auth?audience=&client_id=auth-code-client&max_age=0&nonce=ylnybhabgcjllcxbfvhfjdfe&prompt=&redirect_uri=http%3A%2F%2F192.168.99.100%3A9010%2Fcallback&response_type=code&scope=openid+offline+photos.read&state=shqjytubxbrzqwtiskwwpfdp
Copy fix link to go. Fllow website.
4、The Big problem is Allow access only get error. Can't know why.
Rest Client || visual studio code
---------------------------------
Even by step to run. Still get error......