Hi Folks, I just try to cleansing data that store for the log time via hydra-cli. Normally it working fine on the stage environment but in the production data still not delete. I am not quite sure for the exactly options for command Command:

hydra janitor <postgres://db-name>:db-pass@127.0.0.1:5432/oauth?search_path=hydra --tokens --access-lifespan 3h --refresh-lifespan 1440h

Questions: 1. If I not use options --lifespan, this command will be delete all data, right? or just delete only expired data? 2. For the lifes-span option, I set to 1440h It should mean delete data that older 1440h (3 months), right? 3. Is it possible to provide example command to delete only expired data?

Hi all. Finally going to move to hydra 2.0 (from 1.11), but I’m getting a migration error.

Could not apply migrations:
Error 1832: Cannot change column 'nid': used in a foreign key constraint 'hydra_client_nid_fk_idx'
error executing migrations/20220210000001000002_nid.mysql.up.sql, sql: -- Migration generated by the command below; DO NOT EDIT.
-- hydra:generate hydra migrate gen

UPDATE hydra_client SET nid = (SELECT id FROM networks LIMIT 1);
ALTER TABLE hydra_client MODIFY `nid` char(36) NOT NULL;

The ‘nid’ column was just added by the previous migration: 20220210000001000001_nid.mysql.up.sql

ALTER TABLE `hydra_client` ADD COLUMN `nid` char(36);
ALTER TABLE `hydra_client` ADD CONSTRAINT `hydra_client_nid_fk_idx` FOREIGN KEY (`nid`) REFERENCES `networks` (`id`) ON UPDATE RESTRICT ON DELETE CASCADE;

Running this on a mysql 8.0 database. Anyone encountered this?

@dry-sunset-53391 I suggest that we set up a time to go over the migration process with you today. What time works after 10:30 CET?

@swift-chef-97535 Any time really. Just normal work busy today 🙂. Thanks!

I'm getting 404 from

/.well-known/oidc-configuration

I couldn't find a setting related to this.

/.well-known/jwks.json

works as expected. I'm running an empty hydra docker with

--dev

and the following config:

environment:
      - LOG_LEAK_SENSITIVE_VALUES=true
      - URLS_SELF_ISSUER=<http://localhost:4444>
      - URLS_SELF_PUBLIC=<http://localhost:4444>
      - URLS_CONSENT=<https://localhost:3000/consent>
      - URLS_LOGIN=<https://localhost:3000/login>
      - URLS_LOGOUT=<https://localhost:3000/login?logout=true>
      - SECRETS_SYSTEM=youReallyNeedToChangeThis
      - OIDC_SUBJECT_IDENTIFIERS_SUPPORTED_TYPES=public,pairwise
      - OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT=youReallyNeedToChangeThis
      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc
      - OIDC_DYNAMIC_CLIENT_REGISTRATION_ENABLED=true

So, one big change with hydra 2.0 is client ids are now generated by hydra. I have read and understood the rationale, but it creates a bit of a problem for us. We have a mobile client, and more than one server infrastructure. Currently, each infrastructure contain the same set of client ids, so clients keep track of this single client id, but can connect to any infrastructure. How are people handling this in hydra 2.0?

Hi all: I got an issue with the location in session object. When I sign in with email/password. I'll got the location from kratos service server's location. Could I update location when I sign in with email/password? or have any setting could get client's location?

Hi All: How to clear expired tokens?

Hello... have a few questions regarding key rotation in k8s: 1. How are you rotating secrets? a. I am thinking we will need to: i. read the current state from a secrets manager (vault, aws sm etc) ii. generate a new key iii. prepend the new key to the list. iv. persist the new and old keys back to the sm v. update the k8s secret with the new enc key list vi. k8s will automatically update the secrets through a volume mount vii. hydra reloads the secrets automatically? (i hope, that's my next question) 2. will hydra auto-reload the new enc key list without restarting the container

so if I am setting up kratos + hydra, I just need to configure hydra with krato's login and logout urls?

What's the proper way to persist the consent

Session

when using "Remember"/Skip? The login_session_id on the ConsentRequest is different from the originally authorized one. 1. Login with remember = false 2. Give consent with remember = true and some session data. There's now 1 consent session for the subject with login_session_id = "" 3. Login again with remember = true 4. Consent screen is properly skipped. 5. There's still only 1 consent session for the subject with login_session_id = "" That means that I cannot use the "list consent session for a subject with the login_session_id parameter" API endpoint

Hi Team, Can some one please suggest if there is a way to temporarily disable access for a Client

Is it possible to use Hydra to wrap a non-OIDC provider? I have a provider that exposes OAuth 2.0 (but not OpenID Connect), and I am trying to integrate it with Kratos which only supports OIDC

Hi, we are trying to implement Auth0 with hydra. Can someone help us on the configuration steps ?. 🙏

Hi all! I run a ory hydra local instance in my organization. It's run in an okd infraestruture. In this moment has two clients (two apps), both use the same /hydra/login endpoint to authenticate users. Can I add another client? but this app has another sets of users and authenticate against other ldap. How Can I configurate this?. Thanks!

Could anyone help me figure out how to configure Janitor properly to clean up requests? We used it successfully for token cleanup, but no luck with requests.

Hi Ory Team! I have a question regarding the OAuth client

metadata

property in Hydra. The property description states:

Store custom data on this client. The metadata field is visible publicly when performing various OAuth2 flows.

Can you please elaborate how exactly the metadata would be exposed publicly? There is the

GET /admin/clients/<client_id>

endpoint in the API, but that one is an admin (private) endpoint. Is there any other way how one could access the client info only knowing the

client_id

?

@best-napkin-88358 I am trying to find the quote above in the Ory docs without any success. can you post the link here?

Maybe the following information will help you: Metadata is a field where you can store metadata for the client including additional data e.g. address etc; sector_identifier_uri: https://curity.io/resources/tutorials/howtos/advanced/ppid/ 3 request_uris: https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter

is there any mechanism to tell what hydra clients are "active"? I couldn't find anything but was thinking metrics about number of tokens generated per client id might be beneficial

👋 Hello, team!

I am using Ory Hydra and for security venerability want to pass database password in encrypted way in hydra-config.yml file. Anyone please suggest is it possible or not?

Hi Team! We are looking at Ory Hydra as an Auth0 alternative since we already have most of the IDP functionality on our side, and Hydra is a great fit. I've been having troubles downloading the most recent Golang SDK through go.mod. The 2.x.x versions aren't resolving for me: see pkg.go.dev. The sdk github tags show v2.1.1 as the current version. Any hints?

❯ go mod download
go: errors parsing go.mod:
[REDACTED]/oauth_poc/go.mod:9:2: require <http://github.com/ory/hydra-client-go|github.com/ory/hydra-client-go>: version "v2.1.1" invalid: should be v0 or v1, not v2

Self solved: took a peek at the go.mod and the sdk gets a v2 on the end:

<http://github.com/ory/hydra-client-go|github.com/ory/hydra-client-go> => <http://github.com/ory/hydra-client-go/v2|github.com/ory/hydra-client-go/v2>

Hi there! We're trying to get access_token right away after user login. How should I do that in Ory Console?

Hi I'm trying to call the GetLoginRequest() method with hydra admin client, but it's causing issue with the hostname. So when I set the adminURL to http://hydra-admin:4445 the host becomes localhost like this

<http://localhost:4445/admin/oauth2/auth/requests/login?login_challenge=7276fa161b674c148e824ac6b51ab828>

but if I just set the host like http://hydra-admin then it host stays as it is. I'm running all in local kubernetes cluster in kind. If I make the request manually it works fine from that pod that is using client login request. So it's just calling http://localhost:4445 instead of http://hydra-admin:4445 that's why it's failing. What could be the reason? Has anyone faced this kind of issue ?

It seems the service name hydra-admin causing the problem, so I want to name the hydra admin service name to be

hydra

instead of

hydra-admin

by using helm chart how can I do that? I don't find where the service name is defined as hydra-admin.

Hi everyone, We are using Hydra self-hosted server and the Java SDK for our client apps. We encountered an unexpected breaking change in the API when upgrading from 2.0.2 to 2.1.1 (we first went with the server, which was the issue, but I think it would hit even harder for people using the cloud version) The server now exposes a

skip_consent

attribute in the client description JSON, which crashes the Java client when asking for a login challenge. The Java SDK has an allowlist of attributes that is used when validating the received JSON, which doesn't contain

skip_consent

until the 2.1.0 (see here). If an attribute outside of this list is provided by the server, it crashes the client. So we were running Server 2.1.1 and Java client 2.0.2 and couldn't get a login challenge at all anymore. We may have missed some key information about how to upgrade the client and server but didn't expect a breaking change in a minor version. For future reference, are minor client versions expected to be backwards compatible with older server versions?

Hi everyone, I'm trying to use the latest version of hydra go client but it seems it doesn't have the client sub package, how should fix this:

<http://github.com/ory/hydra-client-go/client|github.com/ory/hydra-client-go/client>: module <http://github.com/ory/hydra-client-go@latest|github.com/ory/hydra-client-go@latest> found (v1.11.8), but does not contain package <http://github.com/ory/hydra-client-go/client|github.com/ory/hydra-client-go/client>

Due to version incompatibility, I have to use this version with this image

tag: v1.10.3-alpine

But for some reason I'm getting this error:

time=2023-05-22T11:21:35Z level=fatal msg=Scheme from configuration key "urls.self.issuer" must be "https" unless --dangerous-force-http is passed but got scheme in value "<http://localhost:4444/>" is "http". To find out more, use "hydra help serve". audience=application service_name=ORY Hydra service_version=v1.10.3

Although I have set the

dangerousForceHttp

: true in values.yaml for hydra helm chart

hydra:
  # -- The ORY Hydra configuration. For a full list of available settings, check:
  #  <https://www.ory.sh/docs/hydra/reference/configuration>

  config:
    dsn: <postgres://hydra:secret@postgresd:5432/hydradb>
    serve:
      public:
        port: 4444
      admin:
        port: 4445
        
      # tls:
      #   allow_termination_from:
      #     - 10.0.0.0/8
      #     - 172.16.0.0/12
      #     - 192.168.0.0/16
    # -- The secrets have to be provided as a string slice, example:
    # system:
    #   - "OG5XbmxXa3dYeGplQXpQanYxeEFuRUFa"
    #   - "foo bar 123 456 lorem"
    #   - "foo bar 123 456 lorem 1"
    #   - "foo bar 123 456 lorem 2"
    #   - "foo bar 123 456 lorem 3"
    secrets: {}

    # urls:
    #   self: 
    urls:
      self:
        issuer: <http://localhost:4444>
      login: <http://127.0.0.1:3000/login>
      consent: <http://127.0.0.1:3000/consent>
  
  dangerousForceHttp: true 
  dangerousAllowInsecureRedirectUrls: true

What is it that I am missing?

Hi everyone, We are using Hydra self-hosted but we don't menage to get the token through the Authorization Code flow in our app like we have in /callback url give by the command

hydra perform authorization-code

(docs here : https://www.ory.sh/docs/hydra/cli/hydra-perform-authorization-code). It seems that the token is only sent this way or there is another way that I can't find?