OpenID Hydra session data can't show at userinfo or introspect

If you use the consent website (the official login & consent app) and run through all the steps, the session part in routes/consent.js needs to be uncommented; then you will get the session data.

    @token= xLPcJ3tobDqGUDxIVTxWt2p7w_odZSV22IAlUf5QPZU.YD6R_xKQ2ldCLbEV7mmc01E6ZLzemzdEC5H4-otTMPg

    ### userinfo
    GET https://openid.hydra:9001/userinfo
    Authorization: Bearer {{token}}

    ### introspect
    POST https://openid.hydra:9002/oauth2/introspect
    Content-Type: application/x-www-form-urlencoded

    token={{token}}
    &scope=openid+photos.read

PS: the line &scope=openid+photos.read can be removed, but if you use REST Client you need to fix it.

Put the session data in yourself:

    ### accept consent scope
    PUT https://192.168.99.100:9002/oauth2/auth/requests/consent/accept?consent_challenge={{consent_challenge}}
    Content-Type: application/json

    {
      "grant_scope": ["openid", "photos.read"],
      "session": {
        "access_token": { "foo": "bar" },
        "id_token": { "baz": "bar" }
      }
    }

Tried and read many documents. Can't find out the real reason why. The official website has no discussion of it. ...

2019-06-19 · 1 min · 93 words · Me

OpenID hydra

https://www.ory.sh/docs/next/hydra/oauth2#oauth-20-scope

An OAuth 2.0 Scope is not a permission:

A permission allows an actor to perform a certain action in a system: Bob is allowed to delete his own photos.

OAuth 2.0 Scope implies that an end-user granted certain privileges to a client: Bob allowed the OAuth 2.0 Client to delete all users.

The OAuth 2.0 Scope can be granted without the end-user actually having the right permissions. In the examples above, Bob granted an OAuth 2.0 Client the permission ("scope") to delete all users in his name. However, since Bob is not an administrator, that permission ("access control") is not actually granted to Bob. Therefore any request by the OAuth 2.0 Client that tries to delete users on behalf of Bob should fail. ...

2019-06-18 · 1 min · 128 words · Me

OpenID hydra context data save

hydra login consent node: https://github.com/ory/hydra-login-consent-node

When login succeeds, the context data is saved. You can check it by subject with:

    GET https://openid.hydra:9002/oauth2/auth/sessions/consent?subject=foo@bar.com HTTP/1.1

routes/login.js:

    hydra.acceptLoginRequest(challenge, {
      context: {
        "test1": "test1",
        "test2": { "test2i": "test2i" }
      },
      // ... (the rest of the call continues in routes/login.js)

The database keeps the context. Table name: hydra_oauth2_consent_request saves the context data. Here it is PostgreSQL (pg).

    ===== Postgresql command ====
    1. Login Postgresql (pg)
    docker exec -it <postgres-container> psql hydra -U hydra   # login pg (<postgres-container> is a placeholder for your container name)
    # already in the db command prompt:
    \dt
    select * from hydra_oauth2_consent_request;
    =============== userinfo ===============
    ...

2019-06-18 · 1 min · 93 words · Me

OpenID hydra docker-compose STOP

https://github.com/ory/examples/blob/master/full-stack/docker-compose.yml

Maybe using the 5-minute quickstart.yml is better.

2019-06-13 · 1 min · 7 words · Me

OpenID hydra SSL problem Finish!

1. Use docker-machine to create a VM; get its IP: 192.168.99.100

2. Deploy following https://www.ory.sh/docs/next/hydra/configure-deploy

    docker network create hydraguide

    docker run \
      --network hydraguide \
      --name ory-hydra-example--postgres \
      -e POSTGRES_USER=hydra \
      -e POSTGRES_PASSWORD=secret \
      -e POSTGRES_DB=hydra \
      -d postgres:9.6

    # note: an unquoted $3 is expanded by the shell (to an empty positional argument);
    # single-quote the value if you want it kept literally
    export SECRETS_SYSTEM=this_needs_to_be_the_same_always_and_also_very_$3cuR3-._
    export DSN=postgres://hydra:secret@ory-hydra-example--postgres:5432/hydra?sslmode=disable

    docker pull oryd/hydra:latest
    docker run -it --rm \
      --network hydraguide \
      oryd/hydra:latest \
      migrate sql --yes $DSN

===== create SSL cert and key ====

!! Note !! Switch to the generation method at https://sueboy.blogspot.com/2019/08/openssl-self-signed-certificate.html instead; it is safer and less likely to produce the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error!

Create two certs: 1. t.tt  2. openid.hydra

In the VM:

    openssl genrsa -out t.tt.key 2048
    # the next command overwrites the RSA key above with an EC (secp384r1) key
    openssl ecparam -genkey -name secp384r1 -out t.tt.key
    openssl req -new -x509 -sha256 -key t.tt.key -out t.tt.crt -days 3650

Important!! In the t.tt.crt step: Common Name (e.g. server FQDN or YOUR name) []: t.tt

    openssl genrsa -out openid.hydra.key 2048
    # the next command overwrites the RSA key above with an EC (secp384r1) key
    openssl ecparam -genkey -name secp384r1 -out openid.hydra.key
    openssl req -new -x509 -sha256 -key openid.hydra.key -out openid.hydra.crt -days 3650

Important!! In the openid.hydra.crt step: Common Name (e.g. server FQDN or YOUR name) []: openid.hydra

Base64-encode openid.hydra.key and openid.hydra.crt: https://www.base64encode.org/ ...

2019-06-12 · 5 min · 974 words · Me