Tools: openssl, nodejs, hydra v1.10.2, oathkeeper v0.38.11-beta.1
export HYDRA_ADMIN_URL=http://localhost:4445
export DSN=postgres://postgres:@localhost:5432/hydra?sslmode=disable
hydra migrate sql -y $DSN
Generate the system secret (SECRETS_SYSTEM), a random 32-character string that Hydra uses to encrypt its state.
export SECRETS_SYSTEM=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)
echo $SECRETS_SYSTEM
Start admin server.
hydra serve admin --dangerous-force-http
export HYDRA_ADMIN_URL=http://localhost:4445
export CLIENT_SECRET=change-me-now
# https://www.ory.sh/hydra/docs/next/cli/hydra-clients-create
hydra clients create --id my-client --secret $CLIENT_SECRET \
-g client_credentials --token-endpoint-auth-method client_secret_post \
--audience abc,xyz --scope read,write
Start Hydra, API and client.
# see: export DSN=... and SECRETS_SYSTEM=...
hydra serve public --dangerous-force-http -c jwt/hydra.yaml
node jwt/api.js
# see: export CLIENT_SECRET=...
node jwt/client.js
Start Hydra, Oathkeeper, API and client.
# see: export DSN=... and SECRETS_SYSTEM=...
hydra serve all --dangerous-force-http -c opaque/hydra.yaml
oathkeeper serve -c opaque/oathkeeper.yml
node opaque/api.js
# see: export CLIENT_SECRET=...
node opaque/client.js
This scenario is very similar to #1 above, except that the client authenticates to the token endpoint with a signed JWT (private_key_jwt) instead of a client secret when requesting an access token.
Generate a JWK key pair and copy the private key into the file keypair/key.json (this file is read by the client application).
node keypairs/gen-key.js
hydra serve admin --dangerous-force-http
Note: at the time of this writing, the Hydra CLI does not support the jwks parameter, so register the client by issuing the following HTTP request to the admin API instead.
POST /clients HTTP/1.1
Host: localhost:4445
Content-Type: application/json

{
  "client_id": "client-2",
  "grant_types": ["client_credentials"],
  "scope": "read write",
  "audience": ["abc", "xyz"],
  "jwks": {
    "keys": [
      {
        "use": "sig",
        "kty": "RSA",
        "kid": "xc4d2XSeF_iYDUCIdzsCujenHC6Gh6r_nwoZAhfplxM",
        "alg": "RS256",
        "n": "2gveXesJbXIPl1wclt1bhHf7zasb5TNEymtBKJZnAmZfeNGO-jcaRphAmRZQo33jYpl3Ww5KiEEvEzgoDuX72SXVOFKWUed90LdUAmeJbu7By6vHRo7eaRZ4hWA9dpqh5YRj4ZpKH7Hhvcik-aquZhW-SONOIPk54aRkJwOt1XJgUnHdM4Lp-1s-aEDn4KEpeXfSI1UP0txgRv8hcW4-KZDMXX4AuVdszKGj_4jX4p2YvuhGNBkRKs0Uw6vaYVTvYWBLKie87msu9qrwwsVG0SvxMx0ceJU2PspzIL9uT1COlIFANVIYJJBo41npFWpKVyocAdOe3wC2DoShxsINww",
        "e": "AQAB"
      }
    ]
  },
  "token_endpoint_auth_method": "private_key_jwt"
}
Start Hydra, API and client.
# see: export DSN=... and SECRETS_SYSTEM=...
hydra serve public --dangerous-force-http -c jwt/hydra.yaml
node jwt/api.js
node keypairs/client.js
Generate a certificate authority (CA) together with the client and server keys.
The CA consists of a private key (ca.key) and a public key (wrapped in a self-signed X.509 certificate), both in PEM format.
sh mtls/keys/gen-keys.sh
Start API and client.
node mtls/api.js
node mtls/client.js
{
  "aud": ["abc", "xyz"],
  "exp": 1622988104,
  "iat": 1622988044,
  "iss": "http://localhost:4444/",
  "jti": "cb3f2165-a0cf-48df-9d8c-8656307856c5",
  "nbf": 1622988044,
  "scp": "read write",
  "sub": "my-client"
}
Access Token
POST /oauth2/token HTTP/1.1
Host: localhost:4444
Content-Type: application/x-www-form-urlencoded
Content-Length: 115

grant_type=client_credentials&client_id=my-client&client_secret=change-me-now&scope=read%20write&audience=abc%20xyz
export TRACING_PROVIDER=jaeger
export TRACING_PROVIDERS_JAEGER_LOCAL_AGENT_ADDRESS=localhost:6831
- ORY Hydra, Oathkeeper.
- openssl req, genrsa, x509.