<@U04UQ68083H> I'm using Hydra to create client an...
# ory-copilot
@chilly-king-10285 I'm using Hydra to create a client and then I want to create a token with grant type `client_credentials`.
A message from kapa.ai
To create a client with Hydra, you can use the `hydra create client` command. Here is an example of how to create a client with the `client_credentials` grant type:

```bash
hydra create client \
  --endpoint http://127.0.0.1:4445 \
  --grant-type client_credentials \
  --token-endpoint-auth-method client_secret_post
```

This command will output the client details including the `client_id` and `client_secret`, which you will need for the next step. To perform the client credentials grant and get a token, you can use the `hydra perform client-credentials` command. Replace `{INSERT-CLIENT-ID_HERE}` and `{INSERT-CLIENT-SECRET-HERE}` with your actual `client_id` and `client_secret`:

```bash
docker run --rm -it --network hydraguide oryd/hydra:v2.0.1 \
  perform client-credentials \
    --client-id {INSERT-CLIENT-ID_HERE} \
    --client-secret "{INSERT-CLIENT-SECRET-HERE}" \
    --endpoint http://ory-hydra-example--hydra:4444
```

This command will output an access token.

Sources:
- [5 minute tutorial Part 3](https://www.ory.sh/docs/hydra/5min-tutorial)
- [Performing the OAuth2 Client Credentials Flow](https://www.ory.sh/run-oauth2-server-open-source-api-security/#performing-the-oauth2-client-credentials-flow)
- [hydra create client](https://www.ory.sh/docs/hydra/cli/hydra-create-client)
@chilly-king-10285 How can I choose a specific JWK set for each client to generate my tokens?
A message from kapa.ai
To specify a specific JSON Web Key (JWK) set for each client, you can use the `jwks_uri` parameter when creating or updating a client. The `jwks_uri` parameter should point to the URL of the client's JWK Set document. This JWK Set contains the signing key(s) the server uses to validate signatures from the client and may also contain the client's encryption keys, which are used by the server to encrypt responses to the client. Here is an example of how to create a client with a specific `jwks_uri`:

```bash
hydra create client \
  --endpoint http://127.0.0.1:4445 \
  --grant-type client_credentials \
  --token-endpoint-auth-method client_secret_post \
  --jwks-uri "http://your-jwks-url"
```

Replace `"http://your-jwks-url"` with the actual URL of your JWK Set. Please note that the JWK Set at the specified URL should be in the correct format and contain the necessary keys for signing and/or encryption. You can use the Ory CLI to create and manage JWK Sets.

Sources:
- [Hydra API Reference - setOidcDynamicClient](https://www.ory.sh/docs/hydra/reference/api)
- [Ory CLI - ory create jwk](https://www.ory.sh/docs/cli/ory-create-jwk)
@chilly-king-10285 Can I use this URL as `jwks-uri`: `hydra:4445/admin/keys/sandbox_key`?
A message from kapa.ai
Yes, you can use that URL as the `jwks_uri` if it points to a valid JSON Web Key Set (JWK Set) that is accessible by the Hydra server. The URL `hydra:4445/admin/keys/sandbox_key` suggests that you have a JWK Set named `sandbox_key` stored in Hydra. When creating or updating a client, you can specify this `jwks_uri`:

```bash
hydra create client \
  --endpoint http://127.0.0.1:4445 \
  --grant-type client_credentials \
  --token-endpoint-auth-method client_secret_post \
  --jwks-uri "http://hydra:4445/admin/keys/sandbox_key"
```

Please ensure that the Hydra server can reach the specified `jwks_uri`.

Source:
- [Hydra API Reference - getJsonWebKeySet](https://www.ory.sh/docs/hydra/reference/api)
@chilly-king-10285 Can I use `client_credentials` when calling `/oauth2/token`?
A message from kapa.ai
Yes, you can use the `client_credentials` grant type when making a request to the `/oauth2/token` endpoint. This is part of the OAuth 2.0 Client Credentials Grant flow, where the client authenticates with the authorization server and requests an access token. Here's an example of how to make a request to the `/oauth2/token` endpoint using `client_credentials`:

```bash
curl -X POST \
  https://your-ory-hydra-instance.com/oauth2/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&scope=YOUR_SCOPE'
```

Replace `https://your-ory-hydra-instance.com/oauth2/token`, `YOUR_CLIENT_ID`, `YOUR_CLIENT_SECRET`, and `YOUR_SCOPE` with your actual Hydra instance URL, client ID, client secret, and the scope you want to request, respectively. Please note that the client must be configured to allow the `client_credentials` grant type and the appropriate client authentication method (`client_secret_basic` or `client_secret_post`).

Sources:
- [OAuth2 Client Credentials Flow - Basic Authentication](https://www.ory.sh/docs/oauth2-oidc/client-credentials#basic-authentication)
- [OAuth2 Client Credentials Flow - Body Authentication](https://www.ory.sh/docs/oauth2-oidc/client-credentials#body-authentication)
- [Hydra Debug - Client auth fails because Wrong token_endpoint_auth_method](https://www.ory.sh/docs/hydra/debug/token-endpoint-auth-method)
@chilly-king-10285 I gave the `jwks_uri` to my client, but the key used to sign my JWT token is always the same; it always uses the most recent key in `.well-known/jwks.json`.
A message from kapa.ai
The behavior you're observing is expected. When signing a JWT, Ory Hydra or Ory Oathkeeper will use the first key it finds in the JSON Web Key Set (JWKS) provided by the `jwks_uri`. If the first key found is a symmetric key (using the `HS256` algorithm), that key will be used. This key won't be broadcasted at `/.well-known/jwks.json`. You must manually configure the upstream to be able to fetch the key (for example from an environment variable). If the first key found is an asymmetric private key (for example `RS256`, `ES256`, ...), that key will be used. The related public key will be broadcasted at `/.well-known/jwks.json`. So, if you want to use a specific key to sign your JWT tokens, you should make sure that key is the first one in your JWKS.

Source:
- [Oathkeeper Pipeline Mutators - id_token configuration](https://www.ory.sh/docs/oathkeeper/pipeline/mutator#id_token-configuration)
@chilly-king-10285 For example, my keys are something like this:

```json
{
    "keys": [
        {
            "use": "sig",
            "kty": "RSA",
            "kid": "sig:156fb5a9-2c3d-4448-ae73-7121269da390",
            "alg": "RS256",
            "n": "zMNXubxh763CmuFn-ZVLisiqlLQq7hsalcI0aTB7jtdPGsBF1nj2diAqBQbyO7G7zuT7uxPNfWHG5kGgo4uCpseFxrcU8vkr6j3JfgjtcofZN7N5GQs1xwGoOwFn-Fh4OuywM2v-SbZTFk3uDi_wlqDNDs_dLl0X514RXHy8q9IhGatLUxfNhf-Cjr5K6orqYqy2XC6tFkRPqmt0rMKPlxQffjssMcUgHgG5pII1DuQURdabQu2SGLjgwTGq1e2wUd9QlALGDxxX_swwLNseqG9Ab8bxhkR-nvqGePT3C_xdK2BoJS8BnkBvGEmcqfKf5bAliLt__fhFBfN0AoLDEr-aamMHCusrPl3u4Ht7CKfG91TLl4zdsl3DmpY1ct6KXh4E6tqYgTdTQmZxcnMZ7u7Pb8z9nvN6i2NffTbsIoWFS_agod00gbavoY2OFNag_m8fm1zmJuN0fOmhy7Rz30vBU1fKa-FSaryvTixEvvQke6w3BC69mzfVQceQLU-Ap_oneQqFLTKb8eTke08bI0BFdWBFTIIGEenvf78T0jxmpBya7uRZ2R8dZYcYOXpIYISJIwV0IcXQGlJbA113bq2J-_4j9BFLtsPj7l5hUOpDZ_G3zD4hafIfN94IxgGDBJT5wz3xPPJ-Eqv38NFHE5bL1cBZiRRli2QDjyiZuLM",
            "e": "AQAB",
            "d": "coypa--2PjZP0wNcfmSF4TsHKq9sAM5K3hLJ7TrBNJTA3S9JIoWDI2w09aEALGLutPym0u5uG8FyWufF7Rgj3BdsgFF1t8OrTJyKNybZZyQWYbHWgisiR5VmvrO3rVgY0qYMoIe-tw_3hVfNYERzbGDCtpGUo9ZShA282qexiNHB0LFiLzb2tArPx_kuwe062D7Uudcm33kRtD3vBKLHX3ZTc_O4cpNbt02xxBVPh2gS60r2iseK3qe2nH2jm5Af_n1Wf6bZlCSAGbuzC7T9fq7WNnHuNfXlfByc09f-yMbCfHyvZnXYiuZy__xWV0CzMPSM2uRB4xtbyct7T9hFNhyp8St0SmluPV_jm3g0KInaqaXsqDI-9AoRQmifGxHvLItRfqU-ZWnpEa1e4EXSJBAmTLVlJ4zHYz18I0QIuwp1rvxu5z-kb_uhTMLIUjL0B991rw8YvVWygKaOA_gN7erXWzhIFqllsncBQyVbaCaBOSFxnPsiTXluFQR36j342Zik66Tolk9640lRNPCXHe-ir-6tPbX-F4uDh11jWc9Xr4pv9eWbBgstRUc4a_ZiVucxTNUNrEPsMZgYweA8WCjoQWRq_4WSc53cvnRo8pDQypNVXDsDzJ7sIUyQQWmALIzP7hOXv1_PENHdAFWJLyCqTIR2QIF-qfsUmh29nME",
            "p": "51XEs52fNRkv91YsThVKRZjWlcDFNpl8kcu_1Y3P94gRp6lXl8gKFvJNge-vhtLD5a9x4EZVKqp4IYzrBmoGF_fyzfSxH-EvM9B8m7ravK8PkLAfwZ1EF1gNG5Nrfrdv2jb4OEsf_daaRlqzCrEI4dAR-sXEDZNnOkW13ZDwxwGDqr6pwlemEzq660hMXAkoZ2Wom-3XJo4CM_3bxh17mRcLfyUZ-g3nAcadqfWvbMxxb3zqW34WJHg6hd3dB6ZOvRSREniyNFuSUQmjiRWGJLAjtCoVS_oiKv9wcnNKXPz6FlqZz3x3n_Ge5iV8KLUKdC1YElm1Vfb0gZOeicdroQ",
            "q": "4phMhc6HTROtdGFPG1KCNw_OaxUVyCLjOKt_UwaWNTfryv4WKf-HpuaI978waTMGPFpomw5v-Obds71aWV61i9SLvxNo143TDxJWX4_Plo93g2hSd5WifgUOjVEMV6ho3-PmOWoI-o7wvMzJumgNkCqBn-IVwut7XFLUl1o4fbjT0bwGetzApqvt5s1_xgaPTd5w-OXX26fIelOghElROL2EB550IjMBtIWxbPEi_flNkN_P9zDynV3zzwOa80Vm33ehB8chxHUhTB5APVjCP26AOfN3hzAkzCAXdoWKxLyhRKgQuULVAh72RP0ql1dJghL41P3GRPaDxKcbf2Uj0w",
            "dp": "kHHMbX64_zWn7p8-8M54XraNHlqMiYgS8RIwyQ5QUbYDmBWz3NEKA8Ptw3k-t0d5DDydNTWVThu9AO31fj7LaUHnuNPVmRtJFuhSNgbZN8FzTZu7aHBjKNRQ8uv8zdWKIM379WJrKltKXy2Y588cxare3x-HSBbG-Oq4IQ20Wf5HEWEVrIR_7TfZqLmu_DS3psAiJKLAmZFILOCQzsZv-2oZQp2O98Sgfkpe_dWrYJrTJZLw3on_F2x-1kFvFqywM33ZC5iTZP_cf38uPpVS-iuFT6SLQbKAjSqMMtpsD13iZfzSV2zXYOZEml3DhcNtMJdzi5m6EWAu0Y20C0GaoQ",
            "dq": "aiG7ddDOPqPA0onha4Kxyuh0XmN52Eu-8YQiFtk28aZHosRvzSwKdXn1HVVHb36epRYTeMzCVWqM3OsLrmBV2DCtY8nLiWq8OIr2Obw6FuMLr1jlh21mtm_X6QjVJxmSRYuRAcNQgUsCJuwkcFLcR3IhVKmoV6vEE_IX8OwpGXnAfLP8tP9AnNBalYgbGL1p0acmcu30tMVZeTJCNLPCfzkE5iypaHtLiSo1eDlZkmt6kSjDV5xthpfC4mtl4BvZm0GFAweaIVJbTjO9Ev7HvL4dAQewLHm4QoOlebYC0TMoteeiLaPH8T5fSuDpWglgPLR2KAzVGOf9v9YlYv4UUQ",
            "qi": "WhNqVyk3HpywRZVfsXuoXgBkpHYSrzM75JW_AvzTM55QF-AzY5o_F14IYhXV0itfNxKhy_hdweAUoGfsgTiQ3q_GS_kYygBBk1Jzac7Tg4g6nQxK4sXfcXDCXJ8n0-r3p7yem6ystP1zYKNZGGK3_BZ_k82eBrtdRwt24UIxd6hTNm7MTm3L79cO2sbnn5Mh6bniioVU3-MWeQm1yJ9rMwcT5RZF8_58F3AFUbuel_JLg6_95r25clWKYuEbTs2de0kMM6PxzzLnuI1Am7Zdg0VS2HFTr7vn8LoXRcMg3qClUvmUvWPKLPDEpRGlTb08El7NMppFn36CHGKh5r5SMw"
        },
        {
            "use": "enc",
            "kty": "RSA",
            "kid": "enc:156fb5a9-2c3d-4448-ae73-7121269da390",
            "alg": "RS256",
            "n": "xYmDbvdoHzCsDeuvefycg2PnOscbDroaq0rTRyjj0u9AHI1lSrl1cMDEy9ojrYB9PwffiCjX3jWhOryemJYHNMOnkqt0GL6gPaXBZsYwlwbs1YNct9y2NfcpFKR219iWZQxG4DJByMk5OyVkZ3N3sxtllOuG7VfxnYs-ueRluF_f2hMlG5U0Jpe7PbuZ8BVjSsfpvWuJY80ifNkGbYUVxQU8hc6j62E_hDA8ARCg0FpCkR_PFFzG6wT0xOBW_zbIRypfYoC6rt0g3Z_aizHk2anQqPmMApj1b1pulT4yu6IHHgSdc0VscTLiMm4_4z0fnzSPjYlRd6e-rO8Mx6sS3UziosxlUpTqwORoK89iS2HAOGWaA-ShQ1DwuubAqlumDKvuIhej9myapl2_46xLnqPavc7zBvXZlHv_cSOM5V9xrv2JG7VqB7ZgBiwdfZ2PoK0J9T6I_Qw77PAXTvZQKOBc2pn4ivjQdfvz60gBtg8-zaCI9dDH01s6-aQfaGcl5FdSAA1aKMvGHlP-J7qFAol8egLhq3W4ZW8vLA4GqtPaizX-XBY6NCXKugHiKZWm9-PSa7mEHf9ZnAloNlJj-5SZc1Enn_dOav34vMb8aGowDrMJ2PGpe-x2899EnSUEn-PG5tcV8O9KHHXCdWq1MEwJa8Ykcni3egZNtR9oxaU",
            "e": "AQAB",
            "d": "rlivs5oTwSuhP-wcBavKrEDZzkv7eqURcsvo7C6P3hWiXVEC7NABcpIBX_bZdIIqiR420aNS2-IzunbN99i65Xwmg9Jl9o0ROzf4GfCk5DeNgumdRP49qCXMkVaTOfEE1IzgZXKWE1Re-fAHzTLhnCh7INQ8U3FCZI2IwGNw0Cl2lrA9GTo4PDPBZDwXIwqNh2woxjGKopZkcRLPlIxY6Xq0r1jx3ocHm3FDFKGLfjmb9SDBEbTNMJNAQh_LSRgd7onchEEgA8RSBKnZJu_Tj7VM4EbYp1Y_kZeccIbkGi1o4LqsCRhmHQcPE_mw06yYI1kttntTdyuLpHCctAIu86uUGF5TJAhd84yR_fLhoalOpJo9K452TiEKzL_xkuBHEnDtZ797HB_WDIs_OHpsx-YI03dxpjz2PV3ps2yMXmeXkbpV5dILtDnDytgnApE_ZCQ8dI9kHVQnAiX7HqnNwIEZN_Frksw_ZqG7DY7lTSOFNKMd0XUgHjYzrXyaxekJAGde6ef2K0k1z6FyjGjWZOKWNGObBg_GfCO9u9DSCLnKcKd8do6rlgxlr3zDBnGQFbLTCHM6k-iAI_1Ntq8N8KCHBjr0DYwvlbeRnPQKPFBshLAYiL6Mvgz_tO_aluqfGh2flPRCDukGuut4zmVjcxMaJu-5FqRiK_GAVAaShkE",
            "p": "0GjKhkF-81t3hGYj1hmAiaDhErNEzQ0_7FnZpC9VeeVkPSOKqEs938-e5snj4qAOP677ZTerz94QGPatQO1Z9VJrHlTf6TGlFItW-gIbRH5KJVpjcCRv76z91a9aQj9r58jZMVnrwI1aL9JXF8QWUm7Onw8MIChCxYqZr7qfLS30l6Nw1vYpnDwjR9Oyx2NU0kyNiR7DCEVHgHWyYMsi_oPaSAgbNPG7mG0RSLvCOXOw5H9Tamh17yKthLU9q2Z9CHFAAQzrIJykxhQo_N4DF7PAfsklIkpppDCpv4HkELkgoJm2BHR_QCd0u_Ha12R8VDUBkQBcGPVfBEUmYDJU9Q",
            "q": "8qUn2hmjEJkXD38NcdAzbzMDmhzw4ji_LCpepvTB4ob9ycpWFsLLjxSXudOZTl8Ur_RlLI7tV5xqJ5UgiIUTAdMQrw7F7SZtwIYBM30LZeXyLWE0Ct9WMOJpXp6Motajwg7q-v7PjM1o_Jllg7PbvRFR4H9t41Xvph9STMZ16F3R_z9y_EVh9Vt60YYH-OLMZSaSenaWQU356P-FARRYyKLMl0hbE1jH9-ZaoOT-jQKDVHSdUxCGaxNS_qXu2supWfvMOBNW9meN8-p84h1L7_7CUygs6qHJi78eLHSylfKmoF8SMDNFxpEnWLbweFGXLQ2XXUKvghXZOYXHMZS_8Q",
            "dp": "Bk2FAnZsnnN_s9Na9hijWIYzCFu_kuv5qO42tM5xqVQUqfyvLtPHtUMULSqh57Kre6WRGMiMO6cdmYOsTbBf7hll_-7VLro_odVs9famWHXxTBvlsfiIIhl7O8En26ULYGEkoGd1x8b-mT-lPqTBgBC10v2jgj11d3_vke707WrcYNGikf2z2HPBJWTznTAV2p5SEXmKsG9X8Dye_mpmTogyS8di-0DsSXnS8f4rq40iJmbrYOZz2p2T3dWVXd-lnGHAa8e2PLBAE3V8n9kfAtJ-2da_dsAFXd_S4mXNPew7XmAHry7OwmPvFdgEpEr3r5xCxd3a6y5Qh1KIDJS5GQ",
            "dq": "g742QA3RYo6sXaaPJy9y7bpWB1QVWc6TxagPkjisGJFQtEJesab8HOiCZMvFni6zrcFVOXc02G-9l1Y5vsX6BvCRS2sK_fLyfiiD-G-5Q48xCYCQYCLYylvz-AK_ux4s9Y1h-ftltz5D9XpYCsUZ1rLTsL-fa2JaZuj0p2jN1ecywJKznNMTF8OekKpkI7cIYRcrSsCeXkC3ItGxZl-kwPLbgHwxrvRyRl_U7yzGJMurgKx8SwBa60InuslfQX54qbm0LPIbMlgRU9EKEz7y3xCEc-AJWy-SnYScHmkSGaYQ4FweJPuBtAlVwq45LCqomTaa63DsmAXC1p-TApGQEQ",
            "qi": "lbi5C7L8c4BcdlP3NT4CbQgkpPA79AmTAF5-8sdl8ITSMsMGKuGvh3E9xf7_7AcFWp6Fs7vZkl485TiKzMZ6D4EP5sybnY6-0dXSMaCR7uC_N5_N-EDuV8-N2wZkzV59rhDbWuyoQbK6LwjPQmY-eLfoyzyECmpaIcumy6JSmIOul8x1D3Ni57ZDpKdRkha7YyaS_cprGmXCoao-QxhbkqvOn0ySTLHodBIwZx51BaTjrpPLy6dnPmE0qvNmwHO4-QOjOEKvho9uMAAjZt6oqtRyClEQkPrDuDnFgW1cFyvm2xM_8dE8Mv8w7MhxrZb-TlcAu6PArG3wKVT5ra20gw"
        },
```

But it doesn't use any of those keys.
A message from kapa.ai
Sorry @flat-waitress-75076, I seem to be having a bit of trouble. Don't worry though, I've pinged my support folks and they will try to fix me up! 🧑‍💻 Perhaps try again in 5mins?
@chilly-king-10285 It doesn't use any key given in my `jwks_uri` set.
A message from kapa.ai
If Ory Hydra or Ory Oathkeeper is not using the keys provided in your `jwks_uri`, there could be a few reasons:

1. The `jwks_uri` is not accessible: Ensure that the URL is correct and the server hosting the JWKS is accessible from the Ory Hydra or Oathkeeper instance.
2. The JWKS at the `jwks_uri` is not in the correct format: The JWKS should be a valid JSON object containing an array of keys. Each key should have the necessary properties like `kty`, `alg`, `use`, `kid`, `n`, and `e` for RSA keys.
3. The client is not configured to use `private_key_jwt` or `client_secret_jwt` authentication: If you want to use a JWKS for client authentication, the client should be configured with `token_endpoint_auth_method` set to `private_key_jwt` or `client_secret_jwt`.
4. The keys in the JWKS are not suitable for the operation: For example, if the keys are RSA keys but they don't have the private key part, they cannot be used for signing.

If you've checked all these points and it's still not working, you might want to look at the logs of your Ory Hydra or Oathkeeper instance to see if there are any error messages related to JWKS or client authentication.

Sources:
- [Hydra API Reference - setOidcDynamicClient](https://www.ory.sh/docs/hydra/reference/api)
- [Ory Oathkeeper - Mutator ID Token](https://www.ory.sh/docs/oathkeeper/pipeline/mutator#id_token-configuration)
- [Ory Hydra - JSON Web Key Set](https://www.ory.sh/docs/hydra/concepts/jwk)
@chilly-king-10285 What is the private key part for a JWK?
A message from kapa.ai
A JSON Web Key (JWK) is a JSON data structure that represents a cryptographic key. For asymmetric keys like RSA or ECDSA, the JWK can include both the public key part and the private key part. For an RSA key, the private key part typically includes the following parameters:

- `d`: The private exponent
- `p`: The first prime factor
- `q`: The second prime factor
- `dp`: The first factor's CRT exponent
- `dq`: The second factor's CRT exponent
- `qi`: The (first) CRT coefficient

Here is an example of a JWK with both private and public keys included:

```json
{
  "keys": [
    {
      "p": "8cs6LVWfWM3_TOQZdNWG09sqq8qGbuSejp3rcvDedVh_NAO9D5byE7cpdM2_4_enh1wXoUzzpL0MSHFLAAErJywKLUgyGmjdmJdA7IFuOV4lPNydcSuyyHm4pXVSc_ZtB0MfVPdAh1TO5zyjkk5IbIC8IYOICI1dxu8namdP5MM",
      "kty": "RSA",
      "q": "uK9v3Hp3X_FESMl3Tbv1ZF-7-oAwdpSq_hMnzb0CCVJ1nVK7cs4RtYhZoVLDlPg98oe35HGjemdrk_WVduUH3H2wbbK0bE9v_yG-WPor4GPhxmmw8e7KV0qkOK3y2x8gC0P2IlY7PpuxfOIHl-z9PFaddfXxQaNOym_naiK1jnc",
      "d": "cGVslzyvoWR487B2gXnrg3MPFFFpyD4a7epTKFa7baGd_5oBxHDgZrZcYW6wrlHNuN_ZDXucNneZeg7m5ZLUG6Uz9cYh7aBmOXiAU3Ag7ImFEVMSIKUHSGq83eKsLS8hiowEx9LeinGHr8gEHYJ9JqYV8yZOuc0_V3MQuZnCi6Xg_WmYRN8eMBV8jPKIILQX10ifrgkVSF3xXi11jN1fUiC17xCRyUArWM7c22CfONhxIXp4inGzJjoNMU7BhLJnpdgBpm9RCmNESRP2U0Yhd659upFv9NFFWmSILTwFkdYW5puaVfkHBIZV7_g5OJV7DsE2Cti5jv3SLk4CyCj68Q",
      "e": "AQAB",
      "use": "sig",
      "kid": "ory-example",
      "qi": "4Ji4_LTZURiRJBp72ULUbEIukrXwigrGKqIMKA7M2fYB6PlZ5RjxNsdGrTttaMzKyHdDPQWY01fBNzWvaZCNndUu-PsjDj
```
@chilly-king-10285 Since I'm using Hydra, yeah, it gives all of this. Why should I give a URL if they are in Hydra and not just the key name?
A message from kapa.ai
Sorry @flat-waitress-75076, I seem to be having a bit of trouble. Don't worry though, I've pinged my support folks and they will try to fix me up! 🧑‍💻 Perhaps try again in 5mins?
@chilly-king-10285 Since I'm using Hydra, yeah, it gives all of this information. Why should I give a URL if they are in Hydra and not just the key name?
A message from kapa.ai
The `jwks_uri` parameter in the client configuration is used to specify the location of the JSON Web Key Set (JWKS) for the client. This JWKS contains the keys that the client uses for signing requests and that the server uses for validating signatures from the client and for encrypting responses to the client. When you specify a `jwks_uri`, Ory Hydra will fetch the JWKS from that URL and use the keys it finds there for the client. This allows you to manage the keys for the client outside of Hydra, which can be useful in some scenarios. However, if you're storing the keys in Hydra itself, you don't necessarily need to provide a `jwks_uri`. Instead, you can use the `jwks` parameter to directly provide the keys in the client configuration. The `jwks` parameter should contain a JWKS object with the keys for the client. Here's an example of how to create a client with a specific JWKS:

```bash
hydra create client \
  --endpoint http://127.0.0.1:4445 \
  --grant-type client_credentials \
  --token-endpoint-auth-method client_secret_post \
  --jwks '{"keys": [{"kty": "RSA", "use": "sig", "kid": "my-key", ...}]}'
```

Replace the `...` with the rest of your key parameters. Please note that if you provide both `jwks_uri` and `jwks`, the `jwks_uri` will take precedence.

Sources:
- [Hydra API Reference - setOidcDynamicClient](https://www.ory.sh/docs/hydra/reference/api)
- [Ory Hydra - JSON Web Key Set](https://www.ory.sh/docs/hydra/concepts/jwk)
@chilly-king-10285 It doesn't matter what I do, it is always the same key used to sign my tokens, and it is the key from `/.well-known/jwks.json` in Hydra.
A message from kapa.ai
The behavior you're observing is expected. Ory Hydra uses the most recent key in the `/.well-known/jwks.json` endpoint to sign the tokens. This is because Ory Hydra rotates the JSON Web Token Signing Keys and always takes the latest key from the key store to sign JSON Web Tokens. All public keys will be shown at `http://ory-hydra-public-api/.well-known/jwks.json`. If you want to use a specific key to sign your tokens, you would need to manage the key rotation process to ensure that the key you want to use is the most recent one. However, this might not be practical or desirable in most cases. If you need to use different keys for different clients, you might want to consider using a different approach or a different OAuth2 server that supports this feature.

Sources:
- [Hydra - Secrets and key rotation](https://www.ory.sh/docs/hydra/self-hosted/secrets-key-rotation)
- [Hydra - Cryptographic key management and JSON Web Key Sets (JWKS)](https://www.ory.sh/docs/hydra/jwks)
@chilly-king-10285 So you are saying that Hydra doesn't support this feature: "If you need to use different keys for different clients, you might want to consider using a different approach or a different OAuth2 server that supports this feature."
@chilly-king-10285 Give me an example of a `private_key_jwt` use.
A message from kapa.ai
The `private_key_jwt` method is used for client authentication in OAuth 2.0. This method involves the client creating a JSON Web Token (JWT) and signing it with its private key. The signed JWT is then sent to the authorization server (in this case, Ory Hydra) as proof of the client's identity. Here's an example of how to use `private_key_jwt` for client authentication:

1. First, you need to create an OAuth 2.0 client with `private_key_jwt` as the `token_endpoint_auth_method`. You also need to provide the public key of the RSA/ECDSA signing key using the `jwks_uri` or `jwks` fields of the client. Here's an example command using the Ory CLI:

```bash
ory create oauth2-client --project "$PROJECT_ID" \
    --name "Client Credentials Demo" \
    --grant-type client_credentials \
    --token-endpoint-auth-method private_key_jwt \
    --jwks-uri https://example.org/path/to/clients/public_key_set.jwks
```

2. When you want to authenticate the client at the token endpoint, you need to generate and sign a JWT with the following claims using the RSA/ECDSA private key:
   - `iss`: The `client_id` of the OAuth Client.
   - `sub`: The `client_id` of the OAuth Client.
   - `aud`: The URL of the Authorization Server's Token Endpoint.
   - `jti`: A unique identifier for the token.
   - `exp`: The expiration time of the token.
3. Include the signed JWT in the `client_assertion` parameter in the request to the `/oauth2/token` endpoint.

Sources:
- [Ory Hydra - JWTs for client authentication](https://www.ory.sh/docs/hydra/guides/jwt#jwts-for-client-authentication)
- [Ory Hydra - Registering the client's public key](https://www.ory.sh/docs/hydra/guides/jwt#registering-the-clients-public-key)
@chilly-king-10285 "When you want to authenticate the client at the token endpoint, you need to generate and sign a JWT with the following claims using the RSA/ECDSA private key." The Hydra token endpoint or a custom one?
A message from kapa.ai
When using the `private_key_jwt` method for client authentication, the JWT should be sent to the Ory Hydra's token endpoint. This is the endpoint where the OAuth 2.0 client sends a request to get an access token. The `aud` (audience) claim in the JWT should be the URL of the Ory Hydra's token endpoint. The Ory Hydra server will verify that it's an intended audience for the token. Here's an example of how to make a request to the Ory Hydra's token endpoint (`/oauth2/token`):

```javascript
// Form-encoded body of the token request. With private_key_jwt the client
// authenticates by sending its signed JWT in client_assertion instead of a
// client secret; replace the placeholder with the JWT signed by the client's
// private key.
const qs = new URLSearchParams({
  grant_type: "client_credentials",
  client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
  client_assertion: "{INSERT-SIGNED-CLIENT-ASSERTION-JWT-HERE}"
});

const requestOptions = {
  method: "POST",
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
  body: qs.toString(),
  redirect: "follow"
};

fetch("https://your-ory-hydra-instance/oauth2/token", requestOptions)
  .then(response => response.text())
  .then(result => console.log(result))
  .catch(error => console.log('error', error));
```

In this example, replace `https://your-ory-hydra-instance/oauth2/token` with the actual URL of your Ory Hydra's token endpoint.

Sources:
- [Ory Hydra - JWTs for client authentication](https://www.ory.sh/docs/hydra/guides/jwt#jwts-for-client-authentication)
- [Ory Hydra - Registering the client's public key](https://www.ory.sh/docs/hydra/guides/jwt#registering-the-clients-public-key)
- [Ory Hydra - OAuth2 client credentials flow](https://www.ory.sh/docs/oauth2-oidc/client-credentials#jwt-bearer-profile-for-oauth2-client-authentication)
@chilly-king-10285 What JWT are you talking about? When I call the `oauth2/token` endpoint, it is to get a JWT, not to give one.
A message from kapa.ai
In the context of `private_key_jwt` client authentication, the JWT being referred to is not the access token that you receive from the `/oauth2/token` endpoint. Instead, it's a JWT that the client creates and signs using its private key, and then sends to the Ory Hydra's token endpoint to authenticate itself. Here's a brief overview of the process:

1. The client creates a JWT with specific claims (like `iss`, `sub`, `aud`, `jti`, `exp`). The `iss` and `sub` claims should contain the `client_id` of the OAuth Client. The `aud` claim should be the URL of the Authorization Server's Token Endpoint.
2. The client signs this JWT with its private key.
3. The client sends a request to the Ory Hydra's token endpoint (`/oauth2/token`). In this request, the client includes the signed JWT in the `client_assertion` parameter, and the `client_assertion_type` parameter is set to `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`.
4. Ory Hydra verifies the JWT's signature and claims, and if everything is valid, it authenticates the client and responds with an access token.

This method of client authentication is an alternative to methods like `client_secret_basic` or `client_secret_post`, where the client authenticates by sending its `client_id` and `client_secret` to the token endpoint.

Sources:
- [Ory Hydra - JWTs for client authentication](https://www.ory.sh/docs/hydra/guides/jwt#jwts-for-client-authentication)
- [Ory Hydra - Registering the client's public key](https://www.ory.sh/docs/hydra/guides/jwt#registering-the-clients-public-key)
- [Ory Hydra - OAuth2 client credentials flow](https://www.ory.sh/docs/oauth2-oidc/client-credentials#jwt-bearer-profile-for-oauth2-client-authentication)
@chilly-king-10285 I'm fine with `client_secret_basic`, so the `jwks_uri` is for the client authentication with Hydra?
A message from kapa.ai
Yes, the `jwks_uri` is used in the context of client authentication methods that involve JSON Web Keys (JWKs), such as `private_key_jwt`. In the `private_key_jwt` method, the client creates and signs a JWT using its private key, and then sends this JWT to the Ory Hydra's token endpoint to authenticate itself. The `jwks_uri` is a URL that points to the client's public JWK set. Ory Hydra uses the keys in this JWK set to verify the signature of the JWT sent by the client. If you're using the `client_secret_basic` method for client authentication, you don't need to provide a `jwks_uri`. In the `client_secret_basic` method, the client sends its `client_id` and `client_secret` to the token endpoint using HTTP Basic Authentication, and Ory Hydra verifies these credentials to authenticate the client.

Sources:
- [Ory Hydra - JWTs for client authentication](https://www.ory.sh/docs/hydra/guides/jwt#jwts-for-client-authentication)
- [Ory Hydra - Registering the client's public key](https://www.ory.sh/docs/hydra/guides/jwt#registering-the-clients-public-key)
- [Ory Hydra - OAuth2 client credentials flow](https://www.ory.sh/docs/oauth2-oidc/client-credentials#jwt-bearer-profile-for-oauth2-client-authentication)