https://www.ory.sh/ logo
#talk-oathkeeper
Title
# talk-oathkeeper
r

rhythmic-holiday-67222

03/14/2022, 3:39 PM
Hi 👋 I’m trying to use Hydra as an authenticator in Oathkeeper. I can create clients, get tokens and introspect them (using hydra cli tool - client credentials flow), however when I set
oauth2_client_credentials
to use hydra’s endpoints I keep getting connection refused.. I’m using http://127.0.0.1 and my docker compose already has driver set to ‘bridge’ and hydra cli tool can communicate with corresponding docker container, but oathkeeper cannot. Any ideas?
d

damp-sunset-69236

03/14/2022, 3:51 PM
Hello. Do you use docker in your setup?
Yep. I see. Could you share your docker-compose file configuration? Please remove sensitive data before posting
🙏 1
r

rhythmic-holiday-67222

03/14/2022, 5:54 PM
Copy code
version: '3.7'
services:
  consent:
    environment:
      - HYDRA_ADMIN_URL=<http://hydra:4445>
    image: oryd/hydra-login-consent-node:v1.11.7
    networks:
      - intranet
    ports:
      - '3000:3000'
    restart: unless-stopped
  hydra:
    command: serve -c /etc/config/hydra/hydra.yaml all --dangerous-force-http
    depends_on:
      - hydra-migrate
    environment:
      - TRACING_PROVIDER=jaeger
      - TRACING_PROVIDERS_JAEGER_PROPAGATION=jaeger
      - TRACING_PROVIDERS_JAEGER_SAMPLING_SERVER_URL=<http://jaeger:5778/sampling>
      - TRACING_PROVIDERS_JAEGER_LOCAL_AGENT_ADDRESS=jaeger:6831
      - TRACING_PROVIDERS_JAEGER_SAMPLING_TYPE=const
      - TRACING_PROVIDERS_JAEGER_SAMPLING_VALUE=1
      - TRACING_SERVICE_NAME="Ory Hydra"
    image: oryd/hydra:v1.11.7
    networks:
      - intranet
    ports:
      - '4444:4444' # Public port
      - '4445:4445' # Admin port
      - '5555:5555' # Port for hydra token user
    restart: unless-stopped
    volumes:
      - type: bind
        source: ./configs/hydra
        target: /etc/config/hydra
  hydra-migrate:
    command: migrate -c /etc/config/hydra/hydra.yaml sql -e --yes
    image: oryd/hydra:v1.11.7
    environment:
      - DSN=<postgres://hydra:secret@postgresd:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4>
    networks:
      - intranet
    restart: on-failure
    volumes:
      - type: bind
        source: ./configs/hydra
        target: /etc/config/hydra
  jaeger:
    image: jaegertracing/all-in-one
    networks:
      - intranet
    ports:
      - 6831:6831/udp
      - 5778:5778/tcp
      - 16686:16686
  oathkeeper:
    command: serve --config=/etc/config/oathkeeper/oathkeeper.yaml
    depends_on:
      - jaeger
    environment:
      - TRACING_PROVIDER=jaeger
      - TRACING_PROVIDERS_JAEGER_PROPAGATION=jaeger
      - TRACING_PROVIDERS_JAEGER_SAMPLING_SERVER_URL=<http://jaeger:5778/sampling>
      - TRACING_PROVIDERS_JAEGER_LOCAL_AGENT_ADDRESS=jaeger:6831
      - TRACING_PROVIDERS_JAEGER_SAMPLING_TYPE=const
      - TRACING_PROVIDERS_JAEGER_SAMPLING_VALUE=1
      - TRACING_SERVICE_NAME="Ory Oathkeeper"
    image: oryd/oathkeeper:v0.38.23-beta.1
    networks:
      - intranet
    ports:
      - '4455:4455'
      - '4456:4456'
    restart: on-failure
    volumes:
      - type: bind
        source: ./configs/oathkeeper
        target: /etc/config/oathkeeper
  postgresd:
    environment:
      - POSTGRES_USER=hydra
      - POSTGRES_PASSWORD=secret
      - POSTGRES_DB=hydra
    image: postgres:9.6
    networks:
      - intranet
    ports:
      - '5432:5432'

networks:
  intranet:
    driver: bridge
Copy code
[
    {
        "id": "my-client",
        "upstream": {
            "url": "<https://www.ory.sh/>"
        },
        "match": {
            "url": "http://<127.0.0.1|localhost>:4455/oauth2-ccf",
            "methods": [
                "GET"
            ]
        },
        "authenticators": [
            {
                "handler": "oauth2_client_credentials"
            }
        ],
        "authorizer": {
            "handler": "allow"
        },
        "mutators": [
            {
                "handler": "noop"
            }
        ]
    },
    {
        "id": "auth-code-client",
        "upstream": {
            "url": "<https://www.ory.sh/>"
        },
        "match": {
            "url": "http://<127.0.0.1|localhost>:4455/oauth2-acgf",
            "methods": [
                "GET"
            ]
        },
        "authenticators": [
            {
                "handler": "oauth2_introspection",
                "config": {
                    "required_scope": [
                        "tickets"
                    ],
                    "target_audience": [
                        "<https://www.ory.sh/>"
                    ]
                }
            }
        ],
        "authorizer": {
            "handler": "allow"
        },
        "mutators": [
            {
                "handler": "noop"
            }
        ]
    }
]
Copy code
access_rules:
  repositories:
    - file:///etc/config/oathkeeper/rules.json

authenticators:
  anonymous:
    enabled: true
    config:
      subject: guest
  oauth2_client_credentials:
    enabled: true
    config:
      token_url: <http://127.0.0.1:4444/oauth2/token>
  oauth2_introspection:
    enabled: true
    config:
      introspection_url: <http://127.0.0.1:4445/oauth2/introspect>
      scope_strategy: exact
      trusted_issuers:
        - <http://127.0.0.1:4445>
      pre_authorization:
        enabled: true
        client_id: auth-code-client
        client_secret: secret
        scope:
          - introspect
        token_url: <http://127.0.0.1:4444/oauth2/token>
      retry:
        max_delay: 300ms
        give_up_after: 2s
      cache:
        enabled: true
        ttl: 60s

authorizers:
  allow:
    enabled: true
  deny:
    enabled: true

errors:
  fallback:
    - json
  handlers:
    json:
      enabled: true
      config:
        verbose: true
    redirect:
      enabled: true
      config:
        to: <https://www.ory.sh/docs>

mutators:
  header:
    enabled: true
    config:
      headers:
        X-User: '{{ print .Subject }}'
  noop:
    enabled: true

serve:
  proxy:
    port: 4455 # run the proxy at port 4455
  api:
    port: 4456 # run the api at port 4456

tracing:
  service_name: Ory Oathkeeper
  providers:
    jaeger:
      propagation: jaeger
      max_tag_value_length: 0
      sampling:
        type: const
        value: 1
        server_url: <http://jaeger:5778/sampling>
      local_agent_address: jaeger:6831
  provider: jaeger
Copy code
# DSN
dsn: '<postgres://hydra:secret@postgresd:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4>'

oauth2:
  # OAUTH2_EXPOSE_INTERNAL_ERRORS
  expose_internal_errors: true

oidc:
  subject_identifiers:
    pairwise:
      # OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT
      salt: .....

    # OIDC_SUBJECT_IDENTIFIERS_SUPPORTED_TYPES
    supported_types:
      - pairwise
      - public

secrets:
  # SECRETS_SYSTEM
  system:
    - ....

serve:
  cookies:
    # SERVE_COOKIES_SAME_SITE_MODE
    same_site_mode: Lax

  admin:
    cors:
      # SERVE_ADMIN_CORS_ALLOW_CREDENTIALS
      allow_credentials: true

      # SERVE_ADMIN_CORS_ALLOWED_HEADERS
      allowed_headers:
        - '*'

      # SERVE_ADMIN_CORS_ALLOWED_METHODS
      allowed_methods:
        - POST
        - GET
        - PUT
        - DELETE
        - OPTIONS

      # SERVE_ADMIN_CORS_ALLOWED_ORIGINS
      allowed_origins:
        - '*'

      # SERVE_ADMIN_CORS_ENABLED
      enabled: true
  public:
    cors:
      # SERVE_PUBLIC_CORS_ALLOW_CREDENTIALS
      allow_credentials: true

      # SERVE_PUBLIC_CORS_ALLOWED_HEADERS
      allowed_headers:
        - '*'

      # SERVE_PUBLIC_CORS_ALLOWED_METHODS
      allowed_methods:
        - POST
        - GET
        - PUT
        - DELETE
        - OPTIONS

      # SERVE_PUBLIC_CORS_ALLOWED_ORIGINS
      allowed_origins:
        - '*'

      # SERVE_PUBLIC_CORS_ENABLED
      enabled: true

tracing:
  service_name: Ory Hydra
  providers:
    jaeger:
      propagation: jaeger
      max_tag_value_length: 0
      sampling:
        type: const
        value: 1
        server_url: <http://127.0.0.1:5778/sampling>
      local_agent_address: 127.0.0.1:6831
  provider: jaeger

urls:
  self:
    # URLS_SELF_ISSUER
    issuer: <http://127.0.0.1:4444>

  # URLS_CONSENT
  consent: <http://127.0.0.1:3000/consent>

  # URLS_LOGIN
  login: <http://127.0.0.1:3000/login>

  # URLS_LOGOUT
  logout: <http://127.0.0.1:3000/logout>
These are: docker compose, hydra config yaml file, oathkeeper config yaml file and oathkeeper access rules
@User thanks for reaching out. Looking forward for your feedback 👌
d

damp-sunset-69236

03/14/2022, 7:32 PM
Try to use hydra hostname for oathkeeper setup
6 Views