# general
r
Sorry for the long post - I'm in a total muddle. I'm familiar with the concepts of Oauth2, OIDC etc. and have done various implementations before, but this is my first time with Ory. Having read the basic documentation, I started out thinking I knew what I was doing, but the more I read as I attempt a trial installation, the more confused I become. Could I get a quick sanity check and some pointers, please? Situation: several client-side webapps, server-side webapps and mobile apps requiring a single sign-on solution, as well as third-party apps requiring access to users' data. We're currently using a different OIDC solution and want to move to Ory, initially self-hosted using Docker. Preferred development technologies are PHP and VueJS. From an OIDC perspective, my current understanding is that Hydra should be used with the flow described in these flow steps. Am I right to assume that for an Auth Code flow, step 8 under Flow Steps actually constitutes a redirect to the client with authorisation code so it can acquire the tokens? The next question, still on Hydra, is what the pros and cons are of using the client sdk versus just making REST calls to the API? If the sdk is advantageous, where do I find documentation of its (PHP version) methods? The documentation link doesn't seem to lead to any documentation, although there is a warning that one shouldn't use either the SDK or one's own code for handling OAuth2 flows, which surely is precisely what's being described in the flow-steps link above... Am I losing the plot? Or does this statement refer purely to the "external" aspect, i.e. the client app's interaction with the Ory/Ui combination as per any other OIDC provider? I've tried to make some SDK headway based on methods documented in examples and tutorials, but have hit a brick wall in my dev environment because I can't see how to allow self-signed certificates - see need for documentation. Moving on to Kratos, where does it fit in? 
I'm assuming that step 2 in the flow-steps link would involve the UI following either this approach or this one to authenticate the user before hitting Hydra's /login/accept endpoint. However, apparent contradictions and confusion abound. The first of those links warns "Never use API flows to implement Browser applications!" while the second states "All browser apps must call Ory self-service APIs". I'm not sure whether there are any dependencies of the second, but the first relies on Ory Identities and while the "Introduction to Ory Identities" page refers to it being self-hosted, I've failed to find any information on how to do that. I've also seen various references in forum threads etc. which imply there may be built mechanisms via which Kratos redirects to Hydra automatically, which would probably make my basic assumption about how to use the two together erroneous. I'd be immensely grateful for some guidance. I'm not sure now whether I'm on the right track but confused about the details, or completely missing a fundamental point.
m
Hello @rhythmic-noon-42841 Thanks for reaching out, happy to help.
1. Read this blogpost: https://www.ory.sh/oauth2-openid-connect-do-you-need-use-cases-examples/ - the use case you describe would need both Ory Kratos (to do user management/self-service flows) and Ory Hydra (to give 3rd parties access to your users' data)
2. "Am I right to assume that for an Auth Code flow, step 8 under Flow Steps actually constitutes a redirect to the client with authorisation code so it can acquire the tokens?" - Yes, that is correct.
3. "what the pros and cons are of using the client sdk versus just making REST calls to the API?" - SDK might be easier to use than the API directly
4. "find documentation of its (PHP version) methods" - SDKs are autogenerated from OpenAPI spec (https://github.com/ory/hydra/tree/master/spec), AFAICT we don't have examples for PHP at the moment (those would need to be created manually)
5. "a warning that one shouldn't use either the SDK or one's own code for handling OAuth2 flows" - please use open source & battle-tested libraries to consume OAuth2 and OpenID Connect: https://www.ory.sh/docs/hydra/guides/using-oauth2 - the SDK is fit for all APIs except https://www.ory.sh/docs/reference/api#tag/oAuth2/operation/oauth2TokenExchange - "does this statement refer purely to the "external" aspect, i.e. the client app's interaction" - yes
6. Ory Kratos does user management etc., the intro should give you an idea what you can do with it: https://www.ory.sh/docs/identities/
7. Read this document to understand the difference between browser/native flows https://www.ory.sh/docs/identities/native-browser
8. Here is an example on how to use Ory Kratos + Hydra together https://github.com/ory/examples/tree/master/kratos-hydra - you have to understand both projects a bit in the beginning, but once you have it wired up it should be smooth
This is also a good overview of where each project sits IMO: https://www.ory.sh/docs/ecosystem/projects
Feel free to ask followup questions if anything was not clear from my answers.
r
Thanks Vincent. That's done a lot to set my mind at rest! Since I've already got a set of mature REST client routines to hand, I've stuck to API calls at least for now and have a near-functional Hydra implementation. The Hydra/Kratos example you linked to looks really useful. I'll fire that up and play until I've (hopefully) worked it out.
m
Cool, let me know how it goes.
r
Hi @magnificent-energy-493 I'm back looking at this again and no luck so far.
Having got various demos at least partially running locally, I'm struggling to get them into something resembling a semi-production environment. Kratos and Hydra are working nicely on their own, but the integration is proving sticky.
I've got the oauth2_provider URL set in kratos' config and the selfservice-ui-node's login page set as the login path in hydra's config, and everything else following the demo configs as best I could work out. When I initiate a flow with hydra's oauth2/auth endpoint, it redirects me to http://serveraddress:SSUIport/login?login_challenge=7b17cdb22fc04c4bad9d924c71c0ed68 which responds with a 303 to http://serveraddress:KratosPublicPort/self-service/login/browser?aal=&refresh=&return_to=&organization=&via=&login_challenge=7b17cdb22fc04c4bad9d924c71c0ed68. That redirects me to http://serveraddress:SSUIport/error?id=27a2df2c-9231-4588-8f80-ca12b7a637fe with the error:
```json
{
  "id": "27a2df2c-9231-4588-8f80-ca12b7a637fe",
  "error": {
    "code": 400,
    "status": "Bad Request",
    "reason": "Unable to get OAuth 2.0 Login Challenge.",
    "debug": "undefined response type",
    "details": {
      "status_code": 400
    },
    "message": "The request was malformed or contained invalid parameters"
  },
  "created_at": "2024-10-19T23:20:18.813116Z",
  "updated_at": "2024-10-19T23:20:18.813116Z"
}
```
The underlying problem seems to be (according to kratos' logs):
```
/usr/local/go/src/net/http/server.go:2220 status:Bad Request status_code:400] http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 accept-encoding:gzip, deflate accept-language:en-GB,en;q=0.5 cache-control:no-cache connection:keep-alive cookie:[csrf_token_24a28077ad0f97738ab88138eef8a5f089df5db2e601877157d39fe8aee7f337=WBTZVKNPYqg9+sJcl8ejRB0Qkko6KXS4SRrZSVWM/xE=] pragma:no-cache priority:u=0, i upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0] host:serveraddress:KratosPublicPort method:GET path:/self-service/login/browser query:aal=&refresh=&return_to=&organization=&via=&login_challenge=413b14f4001f4fa48d04ea03a74d759f remote:clientaddress:51274 scheme:http] service_name=Ory Kratos service_version=v1.3.0
```
I suspect some of those parameters in the query string shouldn't be missing/blank, but that's just a guess. Any idea what I might have missed/got incorrect in the config of which bit?
Trying these URLs manually in a REST client, removing the login_challenge parameter sends me back to the SSUI login page as per a kratos-only login flow. I don't understand why kratos seems to think it can't get it, when it's right there in the query string.
This was hydra 1.10.6 and kratos 1.3.0.
Don't worry, I've got past this blockage with a clean implementation of https://github.com/shodgson/ory-kratos-hydra-integration-demo There'll be a bunch of more detailed questions coming up from me shortly, no doubt.
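To make concrete what the login UI has to do with the `login_challenge` that Hydra hands it (the step-8 question answered earlier in the thread, and the "Unable to get OAuth 2.0 Login Challenge" 400 above), here is an added example that is not part of this thread or of Ory's code. It assumes the Hydra 2.x admin API paths `/admin/oauth2/auth/requests/login` and `.../login/accept` reachable at an assumed `HYDRA_ADMIN_URL`; the `transport` parameter is a hypothetical injection point so the handler can be exercised without a live Hydra.

```python
import json
import re
import urllib.request
from urllib.parse import urlencode

# Assumed values: Hydra 2.x admin API served here (keep the admin port off the public network)
HYDRA_ADMIN_URL = "http://hydra:4445"
LOGIN_REQ = "/admin/oauth2/auth/requests/login"
# Accept hex challenges (as seen in this thread) or longer base64url ones; reject anything else
CHALLENGE_RE = re.compile(r"^[A-Za-z0-9_-]{16,2048}$")


def urllib_transport(method, url, body=None):
    """Real HTTP transport. The `transport` argument below is a hypothetical
    injection point so the handler can be driven by a fake during testing."""
    req = urllib.request.Request(url, data=body, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


def handle_login_challenge(query, authenticated_subject, transport=urllib_transport):
    """What the login UI does with ?login_challenge=...: validate it, fetch the
    login request from Hydra's admin API, accept it with the subject Kratos
    authenticated (or Hydra's own subject when skip=true) and return the
    redirect_to URL. Following that URL is what completes step 8: Hydra then
    redirects the browser to the client with the authorization code."""
    challenge = query.get("login_challenge", "")
    if not CHALLENGE_RE.match(challenge):
        raise ValueError("missing or malformed login_challenge")  # the 400 case
    qs = urlencode({"login_challenge": challenge})
    status, login_req = transport("GET", f"{HYDRA_ADMIN_URL}{LOGIN_REQ}?{qs}")
    if status != 200:
        raise RuntimeError(f"Hydra did not recognise the challenge (HTTP {status})")
    if login_req.get("skip"):
        # Hydra already holds a session for this subject; the UI must reuse it,
        # never substitute a different subject
        subject = login_req["subject"]
    elif authenticated_subject is None:
        return None  # run the Kratos login flow first, then call again
    else:
        subject = authenticated_subject
    body = json.dumps({"subject": subject, "remember": False}).encode()
    status, accepted = transport("PUT", f"{HYDRA_ADMIN_URL}{LOGIN_REQ}/accept?{qs}", body)
    if status != 200 or "redirect_to" not in accepted:
        raise RuntimeError(f"accept failed (HTTP {status})")
    return accepted["redirect_to"]
```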