fix: consent page

josxha · Dec 6, 2023 · e3e80c8 · e3e80c8
1 parent 1710d00
commit e3e80c8
Show file tree

Hide file tree

Showing 8 changed files with 48 additions and 20 deletions.
diff --git a/KratosSelfService/Controllers/ErrorController.cs b/KratosSelfService/Controllers/ErrorController.cs
@@ -4,13 +4,14 @@
 
 namespace KratosSelfService.Controllers;
 
-public class ErrorController(ApiService api) : Controller
+public class ErrorController(ILogger<ErrorController> logger, ApiService api) : Controller
 {
     [HttpGet("error")]
     [AllowAnonymous]
     public async Task<IActionResult> Error([FromQuery(Name = "id")] Guid? flowId)
     {
         var error = await api.Frontend.GetFlowErrorAsync(flowId.ToString());
+        logger.LogError(error.ToString());
         return View("Error", error);
     }
 }
diff --git a/KratosSelfService/Controllers/OAuth2Controller.cs b/KratosSelfService/Controllers/OAuth2Controller.cs
@@ -11,7 +11,7 @@ public class OAuth2Controller(ILogger<OAuth2Controller> logger, ApiService api,
     [HttpGet("consent")]
     public async Task<IActionResult> ConsentGet([FromQuery(Name = "consent_challenge")] string challenge)
     {
-        if (!HydraEnabled()) return NotFound();
+        if (env.HydraAdminUrl == null) return NotFound();
         var oAuth2Api = api.HydraOAuth2!;
 
         // This section processes consent requests and either shows the consent UI or accepts
@@ -47,7 +47,7 @@ public async Task<IActionResult> ConsentGet([FromQuery(Name = "consent_challenge
     [HttpPost("consent")]
     public async Task<IActionResult> ConsentPost([FromBody] ConsentBody body)
     {
-        if (!HydraEnabled()) return NotFound();
+        if (env.HydraAdminUrl == null) return NotFound();
         var oAuth2Api = api.HydraOAuth2!;
 
         // extractSession only gets the session data from the request
@@ -157,11 +157,6 @@ private HydraAcceptOAuth2ConsentRequestSession OidcConformityMaybeFakeSession(Li
         return new HydraAcceptOAuth2ConsentRequestSession(session.AccessToken, idToken);
     }
 
-    private bool HydraEnabled()
-    {
-        return env is { HydraCsrfCookieSecret: not null, HydraCsrfCookieName: not null, HydraAdminUrl: not null };
-    }
-
     private bool CanSkipConsent(HydraOAuth2ConsentRequest challenge)
     {
         if (challenge.Skip || challenge._Client.SkipConsent) return true;

diff --git a/KratosSelfService/Properties/launchSettings.json b/KratosSelfService/Properties/launchSettings.json
@@ -15,7 +15,9 @@
       "launchBrowser": true,
       "applicationUrl": "http://localhost:5110",
       "environmentVariables": {
-        "ASPNETCORE_ENVIRONMENT": "Development"
+        "ASPNETCORE_ENVIRONMENT": "Development",
+        "TRUSTED_CLIENT_IDS": "4ea5bc94-e443-4da1-bfd4-f1d739fce50e",
+        "HYDRA_ADMIN_URL": "http://127.0.0.1:4445"
       }
     },
     "https": {

diff --git a/KratosSelfService/Services/ApiService.cs b/KratosSelfService/Services/ApiService.cs
@@ -12,11 +12,11 @@ public class ApiService(EnvService env)
         BasePath = env.KratosPublicUrl
     });
 
-    public readonly OAuth2Api? HydraOAuth2 = env.HydraOidcUrl == null
+    public readonly OAuth2Api? HydraOAuth2 = env.HydraAdminUrl == null
         ? null
         : new OAuth2Api(new Ory.Hydra.Client.Client.Configuration
         {
-            BasePath = env.HydraOidcUrl
+            BasePath = env.HydraAdminUrl
         });
 
     public string GetUrlForBrowserFlow(string flow, Dictionary<string, string?>? query = null)

diff --git a/KratosSelfService/Services/EnvService.cs b/KratosSelfService/Services/EnvService.cs
@@ -10,15 +10,17 @@ public class EnvService
     public readonly string? HydraAdminUrl =
         Environment.GetEnvironmentVariable("HYDRA_ADMIN_URL");
 
-    public readonly string? HydraCsrfCookieName =
-        Environment.GetEnvironmentVariable("CSRF_COOKIE_NAME");
-
-    public readonly string? HydraCsrfCookieSecret =
-        Environment.GetEnvironmentVariable("CSRF_COOKIE_SECRET");
-
+    /// <summary>
+    ///     REMEMBER_CONSENT_SESSION_FOR_SECONDS (optional): Sets the remember_for value of the accept consent
+    ///     request in seconds. The default is 3600 seconds.
+    /// </summary>
     public readonly int HydraRememberConsentSessionForSeconds =
         int.Parse(Environment.GetEnvironmentVariable("REMEMBER_CONSENT_SESSION_FOR_SECONDS") ?? "3600");
 
+    /// <summary>
+    ///     TRUSTED_CLIENT_IDS (optional): A list of trusted client ids.
+    ///     They can be set to skip the consent screen.
+    /// </summary>
     public readonly string? HydraTrustedClientIds =
         Environment.GetEnvironmentVariable("TRUSTED_CLIENT_IDS");
 

diff --git a/ory/hydra-client.md b/ory/hydra-client.md
@@ -0,0 +1,25 @@
+Let's create the OAuth 2.0 Client:
+```bash
+docker exec ory-hydra-1 hydra create client --endpoint http://127.0.0.1:4445/ --format json --grant-type client_credentials
+```
+
+Let's perform the client credentials grant:
+```bash
+docker exec ory-hydra-1 hydra perform client-credentials --endpoint http://127.0.0.1:4444/ --client-id "6cc3d412-55f5-45c1-980d-836f6bae0a7c" --client-secret "SNET7CauIJ5Zi~Th~0eeNA8dda"
+```
+
+Let's perform token introspection on that token. Make sure to copy the token you just got and not the dummy value.
+```bash
+docker exec ory-hydra-1 hydra introspect token --format json-pretty --endpoint http://127.0.0.1:4445/ ory_at_Wrb6h5D4NwQ3LbZ0NifZ1RdIFtD_V21RKXtmDnFAHcw.TZ0rK23CRu3CED13l_wZUF8Kz4GKZ6dtj8M55mfsDy0
+```
+
+Next, we will perform the OAuth 2.0 Authorization Code Grant. For that, we must first 
+create a client that's capable of performing that grant:
+```bash
+docker exec ory-hydra-1 hydra create client --endpoint http://127.0.0.1:4445 --grant-type authorization_code,refresh_token --response-type code,id_token --format json --scope openid --scope offline --redirect-uri http://127.0.0.1:5555/callback
+```
+
+The following command starts a server that serves an example web application. The application will perform the OAuth 2.0 Authorization Code Flow using Ory Hydra. The web server runs on http://127.0.0.1:5555.
+```bash
+docker exec ory-hydra-1 hydra perform authorization-code --client-id 4ea5bc94-e443-4da1-bfd4-f1d739fce50e --client-secret uewqOuMdojDOMh70EZ6oR4PqIQ --endpoint http://127.0.0.1:4444/ --port 5555 --scope openid --scope offline
+```
diff --git a/ory/hydra/hydra.yml b/ory/hydra/hydra.yml
@@ -5,9 +5,9 @@ serve:
 urls:
   self:
     issuer: http://127.0.0.1:4444
-  consent: http://127.0.0.1:4455/consent
-  login: http://127.0.0.1:4455/login
-  logout: http://127.0.0.1:4455/logout
+  consent: http://127.0.0.1:5110/consent
+  login: http://127.0.0.1:4433/self-service/login/browser
+  logout: http://127.0.0.1:4433/self-service/logout/browser
 
 secrets:
   system:

diff --git a/ory/kratos/kratos.yml b/ory/kratos/kratos.yml
@@ -94,6 +94,9 @@ identity:
     - id: alternative
       url: file:///etc/config/kratos/identity-alternative.schema.json
 
+oauth2_provider:
+  url: http://ory-hydra-1:4445
+
 courier:
   smtp:
     connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true