ory / docs Goto Github PK

Currently in the swagger docs for Hydra, the pattern for grant_types is client_credentials|authorize_code|implicit|refresh_token, however authorize_code should be authorization_code.

Hello,

The link to the "5 Minute Tutorial" from the "Install, Configure and Run ORY Hydra" section is broken.

Before starting with this section, please check out the --> tutorial <--...

Regards,
David

See feedback from: ory/hydra#1100 (comment)

From guides/hydra/README.md

https://github.com/ory/docs/blob/master/guides/hydra/README.md

Hydra is not something that manages user accounts. Hydra does not offer user registration, password reset, user login, sending confirmation emails. This is what the Identity Provider is responsible for. The communication between Hydra and the Identity Provider is called Consent Flow.

The link on "Consent Flow." is broken: https://ory.gitbooks.io/hydra/content/oauth2/consent.html

One thing that could be good to mention in the production documentation, is to configure error pages beforehand.
I haven't had the time yet to check how to configure this. But noticed it was mentioned on the current "default" error page(edited)

See comment ory/hydra#1616 (comment)

Talk about proxies, TLS termination, etc

See ory/hydra#1367

• Add warden use case so it's easy to understand how this helps improve the product
• Add note that if there are concerns about this an issue should be created

Hi there, (again with right account :)
the oathkeeper docs for OS12 reflect the current state of 0.16, but the swagger api docs still state the /judge instead of the new /decision endpoint. This took me a bit to realize, since it is only mentioned in the upgrade docs, so maybe this should be updated :)
If you point out docs or recipe on how to regenerate, I'd be happy to do this myself.
Cheers and thanks for the great tool!
Ref:
https://www.ory.sh/docs/oathkeeper/sdk/api

See https://community.ory.sh/t/q-about-possible-bug-in-remembering-consent/637

When implementing a custom login/consent app I went based of the pseudo node code, which indicates that the remember property will be ignored of skip was true, but it's not ignored. If its value is true, the request will bomb out with an error

In the Implementing a Login & Consent Provider section of the developer guide, the Hydra API URLs mentioned are wrong.

For example, the following snippet is there —

// This is node-js pseudo code and will not work if you copy it 1:1

router.get('/login', function (req, res, next) {
    challenge = req.url.query.login_challenge;

    fetch('https://hydra/oauth2/auth/requests/login/challenge' + challenge).
        then(function (response) {
            // ...
        })
})

Here the URL should have been https://hydra/oauth2/auth/requests/login/ + challenge.

I cannot navigate to any topics under https://www.ory.sh/docs/guides/latest/oathkeeper/ . The links are broken.

The image tags from e.g. oryd/hydra:v1.0.0-beta.2 should be updated to oryd/hydra:$CIRCLE_TAG when a new release is published. This should be done for the other images as well.

Hi there,
the oathkeeper docs for OS12 reflect the current state of 0.16, but the swagger api docs still state the /judge instead of the new /decision endpoint. This took me a bit to realize, since it is only mentioned in the upgrade docs, so maybe this should be updated :)
If you point out docs or recipe on how to regenerate, I'd be happy to do this myself.
Cheers and thanks for the great tool!
Ref:
https://www.ory.sh/docs/oathkeeper/sdk/api

It appears to be an issue with minification?

I'm rather confused on versioning scheme and release cycle for ory ecosystem of products.

Just yesterday I was working with keto and had been deploying with 1.0.0 tagged releases but today it seems like all the docs are completely different and now they're based off a 0.2.2 release.

See tags here: https://hub.docker.com/r/oryd/keto/tags

See docs here: https://www.ory.sh/docs/keto/sdk/api

Did the wrong docs get built for a sandbox/unstable release?

Or what would be recommended to work off of?

Are there docs related to this?

in https://github.com/ory/docs/blob/master/docs/oathkeeper/configure-deploy.md#dockerfile there is a statement, "It would also be possible to mount the directory instead, but adding these definitions to the Dockerfile itself and making the build process a part of your CI pipeline is considered good practice!"

Who says it is a good practice to embed configuration and keypairs in an image? A lot of people would consider it a bad practice. Many people who work in container space treat them as simple binaries and execution environments while configuration remains a concern of the orchestration engine. That way a binary can be promoted across many configurations from dev, integration, uat, and prod without changes. In addition, putting sensitive assets like the jwk key pair in revision control or outside of a secured operating environment seems like a patently bad and insecure approach. Contrary to your unsupported recommendation, creating the files in a secured volume that your orchestration engine can mount to the container at runtime seems like it would be the better approach given the potential security sensitivity of the access control configuration and signing key pair.

Again, who says embedding this configuration in your container image is a good idea? Do they have counter-arguments to the concerns I've raised?

What do you think about setting up delete merged branches bot to automatically delete feature branches once they are merged? This prevents building up old branches. This repo for example has a few old branches:

In the jwt section from Guides > api access rule of oathkeeper doc, value of require_audience and trusted_issuers field in example authenticator config not follow statement claimed above it:

The following rule allows requests to GET http://my-app/some-route if valid a JSON Web Token was provided and if that token has scope scope-a and scope-b, audience aud-1 and was issued by iss-1. All configuration items are optional and ignored if left out.

{
    "id": "some-id",
    "upstream": {
        "url": "http://my-backend-service"
    },
    "match": {
        "url": "http://my-app/some-route",
        "methods": [
            "GET"
        ]
    },
    "authenticators": [{
        "handler": "jwt",
        "config": {
            "required_scope": ["scope-a", "scope-b"],
            "require_audience": ["scope-a", "scope-b"],
            "trusted_issuers": ["scope-a", "scope-b"],
        }
    }],
    /* ... */
}

This has been asked over and over again, see: https://community.ory.sh/t/how-to-get-refresh-token-or-increase-timeout-of-access-token/748

problem

The Prettier options to format the documentation (proseWrap: always, single-quote, etc) are hardcoded into the format NPM script.

proposed solution

Extract the Prettier options into a Prettier configuration file.

advantages

• auto-formatters embedded in IDEs (for example Prettier for VSCode) and auto-format bots can find and use the Prettier options
• the same Prettier options are used throughout the code base
• calling Prettier manually still uses the right config options

I think that the /oauth/revoke endpoint documentation could be improved. I have found that:

• if the client is not public, then one MUST use the client ID and secret. It seems the oauth2 authentication mentioned there is an option at all.
• if the client is public, then it is an opposite - since there is no password, then basic authentication is not an option. But then it seems that the client MUST send "cliend_id" form field or it will fail

By the way, I have tested all this with JWT token, not the opaque one. Maybe the behavior is even more complex.

Hi all,
I am using the ORY hydra for authentication and authorization. I followed the exact steps as in ory hydra login-consent from node. I got a redirect URL from backend which is giving me access token I want to store it in my browser storage so that I can use to authenticate the API which is called from browser end. I use docker hydra I run the server

docker run -it --rm --name dream-app-login -p 4444:4444 -p 4445:4445 \
    -e OAUTH2_SHARE_ERROR_DEBUG=1 \
    -e LOG_LEVEL=debug \
    -e OAUTH2_CONSENT_URL=http://localhost:4200/consent \
    -e OAUTH2_LOGIN_URL=http://localhost:4200/login \
    -e OAUTH2_ISSUER_URL=http://localhost:4444 \
    -e DATABASE_URL=memory \
    -e CORS_ALLOWED_ORIGINS=* \
    oryd/hydra:v1.0.0-beta.9 serve all --dangerous-force-http

Where the login and consent URL is my front end URL.
Next, I created client

docker run --link dream-app-login:hydra oryd/hydra:v1.0.0-beta.9 clients create \
    --endpoint http://hydra:4445 \
    --id test-client \
    --secret test-secret \
    --response-types code,id_token \
    --grant-types refresh_token,authorization_code \
    --scope openid,offline \
    --callbacks http://127.0.0.1:4446/callback

In the above i want to change the callback url to my front end url which is localhost:4200 but when i tried the application was not running.

And now running the authorization grant flow with this

docker run -p 4446:4446 --link dream-app-login:hydra oryd/hydra:v1.0.0-beta.9 token user \
    --token-url http://hydra:4444/oauth2/token \
    --auth-url http://localhost:4444/oauth2/auth \
    --scope openid,offline \
    --client-id test-client \
    --client-secret test-secret 

After this, I open the browser and did the login and consent flow and got the tokens but I want to store them in my browser storage like session storage or local storage. So is there any way to do that.

see https://news.ycombinator.com/item?id=17508758

Usually the consent app doesn't send that the offline scope was granted.

This has come up time and time again, should be explained in the docs

• Explain how to validate (./well-known/jwks.json)
• Explain that you can introspect tokens and revoked tokens will be revoked there too
• Explain that it's still beta
• Explain that extra data is set in the token too
• Explain the claims

See https://www.ory.sh/docs/oathkeeper/sdk/api#judge-if-a-request-should-be-allowed-or-not - which should be /decisions

The provided API specs are in version 2.0, but most of modern tools are already moving to OpenAPI 3.x.
That are some available tool that helps a lot in such task:
https://mermade.org.uk/openapi-converter

Because this question comes up time and time and time again, short summary from chat:

Add a secure chapter for CSP etc

See https://community.ory.sh/t/high-availability-and-scaling/664/11

It's really hidden in some piece of code example. Instead, this should have it's own section and explain a bit more how all of that works (userinfo, id token, access token). That would also be a good place to say why JWT as access tokens is not cool

See ory/hydra#817 (comment)

On the install page documentation says to pull hydra-consent-app-express:v0.10.10 but tag "v0.10.10" does not exist