Commit initial

This commit is contained in:
wpetit 2020-06-17 13:17:15 +02:00
commit c94ba39062
8 changed files with 1637 additions and 0 deletions

2
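--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+/tmp
+/bin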

1176
conf/hydra.yml Normal file

@ -0,0 +1,1176 @@
## ORY Hydra Configuration
#
## log ##
#
# Configures the logger
#
log:
## level ##
#
# Sets the log level.
#
# Default value: info
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export LOG_LEVEL=<value>
# - Windows Command Line (CMD):
# > set LOG_LEVEL=<value>
#
level: info
## format ##
#
# Sets the log format.
#
# Default value: text
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export LOG_FORMAT=<value>
# - Windows Command Line (CMD):
# > set LOG_FORMAT=<value>
#
format: text
## serve ##
#
# Controls the configuration for the http(s) daemon(s).
#
serve:
## public ##
#
# Controls the public daemon serving public API endpoints like /oauth2/auth, /oauth2/token, /.well-known/jwks.json
#
public:
## port ##
#
# Default value: 4444
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_PUBLIC_PORT=<value>
# - Windows Command Line (CMD):
# > set SERVE_PUBLIC_PORT=<value>
#
port: 4444
## host ##
#
# The interface or unix socket ORY Hydra should listen and handle public API requests on. Use the prefix "unix:" to specify a path to a unix socket. Leave empty to listen on all interfaces.
#
# Examples:
# - localhost
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_PUBLIC_HOST=<value>
# - Windows Command Line (CMD):
# > set SERVE_PUBLIC_HOST=<value>
#
host: ""
## cors ##
#
# Configures Cross Origin Resource Sharing for public endpoints.
#
cors:
## enabled ##
#
# Sets whether CORS is enabled.
#
# Default value: false
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_PUBLIC_CORS_ENABLED=<value>
# - Windows Command Line (CMD):
# > set SERVE_PUBLIC_CORS_ENABLED=<value>
#
enabled: false
## allowed_origins ##
#
# A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (i.e.: http://*.domain.com). Only one wildcard can be used per origin.
#
# Default value: *
#
# Examples:
# - - https://example.com
# - https://*.example.com
# - https://*.foo.example.com
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_PUBLIC_CORS_ALLOWED_ORIGINS=<value>
# - Windows Command Line (CMD):
# > set SERVE_PUBLIC_CORS_ALLOWED_ORIGINS=<value>
#
allowed_origins:
- "*"
## allowed_methods ##
#
# A list of HTTP methods the user agent is allowed to use with cross-domain requests.
#
# Default value: POST,GET,PUT,PATCH,DELETE
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_PUBLIC_CORS_ALLOWED_METHODS=<value>
# - Windows Command Line (CMD):
# > set SERVE_PUBLIC_CORS_ALLOWED_METHODS=<value>
#
allowed_methods:
- TRACE
- GET
- HEAD
- GET
- HEAD
## allowed_headers ##
#
# A list of non simple headers the client is allowed to use with cross-domain requests.
#
# Default value: Authorization,Content-Type
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_PUBLIC_CORS_ALLOWED_HEADERS=<value>
# - Windows Command Line (CMD):
# > set SERVE_PUBLIC_CORS_ALLOWED_HEADERS=<value>
#
allowed_headers:
- ea
- exercitation consectetur
- exercitation
## exposed_headers ##
#
# Sets which headers are safe to expose to the API of a CORS API specification.
#
# Default value: Content-Type
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_PUBLIC_CORS_EXPOSED_HEADERS=<value>
# - Windows Command Line (CMD):
# > set SERVE_PUBLIC_CORS_EXPOSED_HEADERS=<value>
#
exposed_headers:
- Excepteur adipisicing
## allow_credentials ##
#
# Sets whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates.
#
# Default value: true
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_PUBLIC_CORS_ALLOW_CREDENTIALS=<value>
# - Windows Command Line (CMD):
# > set SERVE_PUBLIC_CORS_ALLOW_CREDENTIALS=<value>
#
allow_credentials: false
## options_passthrough ##
#
# TODO
#
# Default value: false
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_PUBLIC_CORS_OPTIONS_PASSTHROUGH=<value>
# - Windows Command Line (CMD):
# > set SERVE_PUBLIC_CORS_OPTIONS_PASSTHROUGH=<value>
#
options_passthrough: false
## max_age ##
#
# Sets how long (in seconds) the results of a preflight request can be cached. If set to 0, every request is preceded by a preflight request.
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_PUBLIC_CORS_MAX_AGE=<value>
# - Windows Command Line (CMD):
# > set SERVE_PUBLIC_CORS_MAX_AGE=<value>
#
max_age: 77402945
## debug ##
#
# Adds additional log output to debug server side CORS issues.
#
# Default value: false
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_PUBLIC_CORS_DEBUG=<value>
# - Windows Command Line (CMD):
# > set SERVE_PUBLIC_CORS_DEBUG=<value>
#
debug: false
## access_log ##
#
# Access Log configuration for public server.
#
access_log:
## disable_for_health ##
#
# Disable access log for health endpoints.
#
# Default value: false
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_PUBLIC_ACCESS_LOG_DISABLE_FOR_HEALTH=<value>
# - Windows Command Line (CMD):
# > set SERVE_PUBLIC_ACCESS_LOG_DISABLE_FOR_HEALTH=<value>
#
disable_for_health: true
## admin ##
#
admin:
## port ##
#
# Default value: 4445
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_PORT=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_PORT=<value>
#
port: 4445
## host ##
#
# The interface or unix socket ORY Hydra should listen and handle administrative API requests on. Use the prefix "unix:" to specify a path to a unix socket. Leave empty to listen on all interfaces.
#
# Examples:
# - localhost
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_HOST=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_HOST=<value>
#
host: localhost
## cors ##
#
# Configures Cross Origin Resource Sharing for public endpoints.
#
cors:
## enabled ##
#
# Sets whether CORS is enabled.
#
# Default value: false
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_ENABLED=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_ENABLED=<value>
#
enabled: false
## allowed_origins ##
#
# A list of origins a cross-domain request can be executed from. If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*) to replace 0 or more characters (i.e.: http://*.domain.com). Only one wildcard can be used per origin.
#
# Default value: *
#
# Examples:
# - - https://example.com
# - https://*.example.com
# - https://*.foo.example.com
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_ALLOWED_ORIGINS=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_ALLOWED_ORIGINS=<value>
#
allowed_origins:
- "*"
## allowed_methods ##
#
# A list of HTTP methods the user agent is allowed to use with cross-domain requests.
#
# Default value: POST,GET,PUT,PATCH,DELETE
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_ALLOWED_METHODS=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_ALLOWED_METHODS=<value>
#
allowed_methods:
- POST
- PUT
- DELETE
- TRACE
- PUT
## allowed_headers ##
#
# A list of non simple headers the client is allowed to use with cross-domain requests.
#
# Default value: Authorization,Content-Type
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_ALLOWED_HEADERS=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_ALLOWED_HEADERS=<value>
#
allowed_headers:
# - in ex mollit
# - mollit velit ad
## exposed_headers ##
#
# Sets which headers are safe to expose to the API of a CORS API specification.
#
# Default value: Content-Type
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_EXPOSED_HEADERS=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_EXPOSED_HEADERS=<value>
#
exposed_headers:
# - consectetur sed commodo cupidatat
# - consequat anim id
# - aute dolor ipsum irure
## allow_credentials ##
#
# Sets whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates.
#
# Default value: true
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_ALLOW_CREDENTIALS=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_ALLOW_CREDENTIALS=<value>
#
allow_credentials: false
## options_passthrough ##
#
# TODO
#
# Default value: false
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_OPTIONS_PASSTHROUGH=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_OPTIONS_PASSTHROUGH=<value>
#
options_passthrough: true
## max_age ##
#
# Sets how long (in seconds) the results of a preflight request can be cached. If set to 0, every request is preceded by a preflight request.
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_MAX_AGE=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_MAX_AGE=<value>
#
max_age: 6684720
## debug ##
#
# Adds additional log output to debug server side CORS issues.
#
# Default value: false
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_CORS_DEBUG=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_CORS_DEBUG=<value>
#
debug: false
## access_log ##
#
# Access Log configuration for admin server.
#
access_log:
## disable_for_health ##
#
# Disable access log for health endpoints.
#
# Default value: false
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_ADMIN_ACCESS_LOG_DISABLE_FOR_HEALTH=<value>
# - Windows Command Line (CMD):
# > set SERVE_ADMIN_ACCESS_LOG_DISABLE_FOR_HEALTH=<value>
#
disable_for_health: false
## tls ##
#
# Configures HTTPS (HTTP over TLS). If configured, the server automatically supports HTTP/2.
#
tls:
## key ##
#
# Configures the private key (pem encoded).
#
key:
## path ##
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_TLS_KEY_PATH=<value>
# - Windows Command Line (CMD):
# > set SERVE_TLS_KEY_PATH=<value>
#
# path: /path/to/file.pem
## cert ##
#
# Configures the private key (pem encoded).
#
cert:
## base64 ##
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_TLS_CERT_BASE64=<value>
# - Windows Command Line (CMD):
# > set SERVE_TLS_CERT_BASE64=<value>
#
# base64: b3J5IGh5ZHJhIGlzIGF3ZXNvbWUK
## allow_termination_from ##
#
# Whitelist one or multiple CIDR address ranges and allow them to terminate TLS connections. Be aware that the X-Forwarded-Proto header must be set and must never be modifiable by anyone but your proxy / gateway / load balancer. Supports ipv4 and ipv6. Hydra serves http instead of https when this option is set.
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_TLS_ALLOW_TERMINATION_FROM=<value>
# - Windows Command Line (CMD):
# > set SERVE_TLS_ALLOW_TERMINATION_FROM=<value>
#
allow_termination_from:
- 127.0.0.1/32
- 127.0.0.1/32
- 127.0.0.1/32
## cookies ##
#
cookies:
## same_site_mode ##
#
# Specify the SameSite mode that cookies should be sent with.
#
# Default value: None
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_COOKIES_SAME_SITE_MODE=<value>
# - Windows Command Line (CMD):
# > set SERVE_COOKIES_SAME_SITE_MODE=<value>
#
same_site_mode: None
## same_site_legacy_workaround ##
#
# Some older browser versions dont work with SameSite=None. This option enables the workaround defined in https://web.dev/samesite-cookie-recipes/ which essentially stores a second cookie without SameSite as a fallback.
#
# Default value: false
#
# Examples:
# - true
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SERVE_COOKIES_SAME_SITE_LEGACY_WORKAROUND=<value>
# - Windows Command Line (CMD):
# > set SERVE_COOKIES_SAME_SITE_LEGACY_WORKAROUND=<value>
#
same_site_legacy_workaround: true
## dsn ##
#
# Sets the data source name. This configures the backend where ORY Hydra persists data. If dsn is "memory", data will be written to memory and is lost when you restart this instance. ORY Hydra supports popular SQL databases. For more detailed configuration information go to: https://www.ory.sh/docs/hydra/dependencies-environment#sql
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export DSN=<value>
# - Windows Command Line (CMD):
# > set DSN=<value>
#
dsn: memory
## webfinger ##
#
# Configures ./well-known/ settings.
#
webfinger:
## jwks ##
#
# Configures the /.well-known/jwks.json endpoint.
#
jwks:
## broadcast_keys ##
#
# A list of JSON Web Keys that should be exposed at that endpoint. This is usually the public key for verifying OpenID Connect ID Tokens. However, you might want to add additional keys here as well.
#
# Default value: hydra.openid.id-token
#
# Examples:
# - hydra.jwt.access-token
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export WEBFINGER_JWKS_BROADCAST_KEYS=<value>
# - Windows Command Line (CMD):
# > set WEBFINGER_JWKS_BROADCAST_KEYS=<value>
#
broadcast_keys:
- hydra.jwt.access-token
## oidc_discovery ##
#
# Configures OpenID Connect Discovery (/.well-known/openid-configuration).
#
oidc_discovery:
## client_registration_url ##
#
# Examples:
# - https://my-service.com/clients
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export WEBFINGER_OIDC_DISCOVERY_CLIENT_REGISTRATION_URL=<value>
# - Windows Command Line (CMD):
# > set WEBFINGER_OIDC_DISCOVERY_CLIENT_REGISTRATION_URL=<value>
#
client_registration_url: https://my-service.com/clients
## supported_claims ##
#
# A list of supported claims to be broadcasted. Claim "sub" is always included.
#
# Examples:
# - - email
# - username
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export WEBFINGER_OIDC_DISCOVERY_SUPPORTED_CLAIMS=<value>
# - Windows Command Line (CMD):
# > set WEBFINGER_OIDC_DISCOVERY_SUPPORTED_CLAIMS=<value>
#
supported_claims:
- email
- username
## supported_scope ##
#
# The scope OAuth 2.0 Clients may request. Scope `offline`, `offline_access`, and `openid` are always included.
#
# Examples:
# - - email
# - whatever
# - read.photos
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export WEBFINGER_OIDC_DISCOVERY_SUPPORTED_SCOPE=<value>
# - Windows Command Line (CMD):
# > set WEBFINGER_OIDC_DISCOVERY_SUPPORTED_SCOPE=<value>
#
supported_scope:
- email
- whatever
- read.photos
## userinfo_url ##
#
# A URL of the userinfo endpoint to be advertised at the OpenID Connect Discovery endpoint /.well-known/openid-configuration. Defaults to ORY Hydra's userinfo endpoint at /userinfo. Set this value if you want to handle this endpoint yourself.
#
# Examples:
# - https://example.org/my-custom-userinfo-endpoint
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export WEBFINGER_OIDC_DISCOVERY_USERINFO_URL=<value>
# - Windows Command Line (CMD):
# > set WEBFINGER_OIDC_DISCOVERY_USERINFO_URL=<value>
#
userinfo_url: https://example.org/my-custom-userinfo-endpoint
## oidc ##
#
# Configures OpenID Connect features.
#
oidc:
## subject_identifiers ##
#
# Configures the Subject Identifier algorithm. For more information please head over to the documentation: https://www.ory.sh/docs/hydra/advanced#subject-identifier-algorithms
#
# Examples:
# - enabled:
# - public
# - pairwise
# pairwise:
# salt: some-random-salt
#
subject_identifiers:
## enabled ##
#
# A list of algorithms to enable.
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export OIDC_SUBJECT_IDENTIFIERS_ENABLED=<value>
# - Windows Command Line (CMD):
# > set OIDC_SUBJECT_IDENTIFIERS_ENABLED=<value>
#
enabled:
- public
- pairwise
## pairwise ##
#
# Configures the pairwise algorithm.
#
pairwise:
## salt ##
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT=<value>
# - Windows Command Line (CMD):
# > set OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT=<value>
#
salt: some-random-salt
## dynamic_client_registration ##
#
# Configures OpenID Connect Dynamic Client Registration (exposed as admin endpoints /clients/...).
#
dynamic_client_registration:
## default_scope ##
#
# The OpenID Connect Dynamic Client Registration specification has no concept of whitelisting OAuth 2.0 Scope. If you want to expose Dynamic Client Registration, you should set the default scope enabled for newly registered clients. Keep in mind that users can overwrite this default by setting the "scope" key in the registration payload, effectively disabling the concept of whitelisted scopes.
#
# Examples:
# - - openid
# - offline
# - offline_access
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export OIDC_DYNAMIC_CLIENT_REGISTRATION_DEFAULT_SCOPE=<value>
# - Windows Command Line (CMD):
# > set OIDC_DYNAMIC_CLIENT_REGISTRATION_DEFAULT_SCOPE=<value>
#
default_scope:
- openid
- offline
- offline_access
## urls ##
#
urls:
## self ##
#
self:
## issuer ##
#
# This value will be used as the "issuer" in access and ID tokens. It must be specified and using HTTPS protocol, unless --dangerous-force-http is set. This should typically be equal to the public value.
#
# Examples:
# - https://localhost:4444/
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export URLS_SELF_ISSUER=<value>
# - Windows Command Line (CMD):
# > set URLS_SELF_ISSUER=<value>
#
issuer: https://localhost:4444/
## public ##
#
# This is the base location of the public endpoints of your ORY Hydra installation. This should typically be equal to the issuer value. If left unspecified, it falls back to the issuer value.
#
# Examples:
# - https://localhost:4444/
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export URLS_SELF_PUBLIC=<value>
# - Windows Command Line (CMD):
# > set URLS_SELF_PUBLIC=<value>
#
public: https://localhost:4444/
## login ##
#
# Sets the login endpoint of the User Login & Consent flow. Defaults to an internal fallback URL.
#
# Examples:
# - https://my-login.app/login
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export URLS_LOGIN=<value>
# - Windows Command Line (CMD):
# > set URLS_LOGIN=<value>
#
login: https://my-login.app/login
## consent ##
#
# Sets the consent endpoint of the User Login & Consent flow. Defaults to an internal fallback URL.
#
# Examples:
# - https://my-consent.app/consent
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export URLS_CONSENT=<value>
# - Windows Command Line (CMD):
# > set URLS_CONSENT=<value>
#
consent: https://my-consent.app/consent
## logout ##
#
# Sets the logout endpoint. Defaults to an internal fallback URL.
#
# Examples:
# - https://my-logout.app/logout
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export URLS_LOGOUT=<value>
# - Windows Command Line (CMD):
# > set URLS_LOGOUT=<value>
#
logout: https://my-logout.app/logout
## error ##
#
# Sets the error endpoint. The error ui will be shown when an OAuth2 error occurs that which can not be sent back to the client. Defaults to an internal fallback URL.
#
# Examples:
# - https://my-error.app/error
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export URLS_ERROR=<value>
# - Windows Command Line (CMD):
# > set URLS_ERROR=<value>
#
error: https://my-error.app/error
## post_logout_redirect ##
#
# When a user agent requests to logout, it will be redirected to this url afterwards per default.
#
# Examples:
# - https://my-example.app/logout-successful
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export URLS_POST_LOGOUT_REDIRECT=<value>
# - Windows Command Line (CMD):
# > set URLS_POST_LOGOUT_REDIRECT=<value>
#
post_logout_redirect: https://my-example.app/logout-successful
## strategies ##
#
strategies:
## scope ##
#
# Defines how scopes are matched. For more details have a look at https://github.com/ory/fosite#scopes
#
# Default value: wildcard
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export STRATEGIES_SCOPE=<value>
# - Windows Command Line (CMD):
# > set STRATEGIES_SCOPE=<value>
#
scope: exact
## access_token ##
#
# Defines access token type. jwt is a bad idea, see https://www.ory.sh/docs/hydra/advanced#json-web-tokens
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export STRATEGIES_ACCESS_TOKEN=<value>
# - Windows Command Line (CMD):
# > set STRATEGIES_ACCESS_TOKEN=<value>
#
access_token: opaque
## ttl ##
#
# Configures time to live.
#
ttl:
## login_consent_request ##
#
# Configures how long a user login and consent flow may take.
#
# Default value: 1h
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export TTL_LOGIN_CONSENT_REQUEST=<value>
# - Windows Command Line (CMD):
# > set TTL_LOGIN_CONSENT_REQUEST=<value>
#
login_consent_request: 1h
## access_token ##
#
# Configures how long access tokens are valid.
#
# Default value: 1h
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export TTL_ACCESS_TOKEN=<value>
# - Windows Command Line (CMD):
# > set TTL_ACCESS_TOKEN=<value>
#
access_token: 1h
## refresh_token ##
#
# Configures how long refresh tokens are valid. Set to -1 for refresh tokens to never expire.
#
# Default value: 720h
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export TTL_REFRESH_TOKEN=<value>
# - Windows Command Line (CMD):
# > set TTL_REFRESH_TOKEN=<value>
#
refresh_token: 1h
## id_token ##
#
# Configures how long id tokens are valid.
#
# Default value: 1h
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export TTL_ID_TOKEN=<value>
# - Windows Command Line (CMD):
# > set TTL_ID_TOKEN=<value>
#
id_token: 1h
## auth_code ##
#
# Configures how long auth codes are valid.
#
# Default value: 10m
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export TTL_AUTH_CODE=<value>
# - Windows Command Line (CMD):
# > set TTL_AUTH_CODE=<value>
#
auth_code: 1h
## oauth2 ##
#
oauth2:
## expose_internal_errors ##
#
# Set this to true if you want to share error debugging information with your OAuth 2.0 clients. Keep in mind that debug information is very valuable when dealing with errors, but might also expose database error codes and similar errors.
#
# Default value: false
#
# Examples:
# - true
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export OAUTH2_EXPOSE_INTERNAL_ERRORS=<value>
# - Windows Command Line (CMD):
# > set OAUTH2_EXPOSE_INTERNAL_ERRORS=<value>
#
expose_internal_errors: true
## hashers ##
#
# Configures hashing algorithms. Supports only BCrypt at the moment.
#
hashers:
## bcrypt ##
#
# Configures the BCrypt hashing algorithm used for hashing Client Secrets.
#
bcrypt:
## cost ##
#
# Sets the BCrypt cost. The higher the value, the more CPU time is being used to generate hashes.
#
# Default value: 10
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export OAUTH2_HASHERS_BCRYPT_COST=<value>
# - Windows Command Line (CMD):
# > set OAUTH2_HASHERS_BCRYPT_COST=<value>
#
cost: 40935632
## pkce ##
#
pkce:
## enforced ##
#
# Sets whether PKCE should be enforced for all clients.
#
# Examples:
# - true
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export OAUTH2_PKCE_ENFORCED=<value>
# - Windows Command Line (CMD):
# > set OAUTH2_PKCE_ENFORCED=<value>
#
enforced: true
## secrets ##
#
# The secrets section configures secrets used for encryption and signing of several systems. All secrets can be rotated, for more information on this topic go to: https://www.ory.sh/docs/hydra/advanced#rotation-of-hmac-token-signing-and-database-and-cookie-encryption-keys
#
secrets:
## system ##
#
# The system secret must be at least 16 characters long. If none is provided, one will be generated. They key is used to encrypt sensitive data using AES-GCM (256 bit) and validate HMAC signatures. The first item in the list is used for signing and encryption. The whole list is used for verifying signatures and decryption.
#
# Examples:
# - - this-is-the-primary-secret
# - this-is-an-old-secret
# - this-is-another-old-secret
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SECRETS_SYSTEM=<value>
# - Windows Command Line (CMD):
# > set SECRETS_SYSTEM=<value>
#
system:
- this-is-the-primary-secret
- this-is-an-old-secret
- this-is-another-old-secret
## cookie ##
#
# A secret that is used to encrypt cookie sessions. Defaults to secrets.system. It is recommended to use a separate secret in production. The first item in the list is used for signing and encryption. The whole list is used for verifying signatures and decryption.
#
# Examples:
# - - this-is-the-primary-secret
# - this-is-an-old-secret
# - this-is-another-old-secret
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export SECRETS_COOKIE=<value>
# - Windows Command Line (CMD):
# > set SECRETS_COOKIE=<value>
#
cookie:
- this-is-the-primary-secret
- this-is-an-old-secret
- this-is-another-old-secret
## profiling ##
#
# Enables profiling if set. For more details on profiling, head over to: https://blog.golang.org/profiling-go-programs
#
# Examples:
# - cpu
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export PROFILING=<value>
# - Windows Command Line (CMD):
# > set PROFILING=<value>
#
profiling: cpu
## tracing ##
#
# ORY Hydra supports distributed tracing.
#
tracing:
## provider ##
#
# Set this to the tracing backend you wish to use. Currently supports jaeger. If omitted or empty, tracing will be disabled.
#
# Examples:
# - jaeger
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export TRACING_PROVIDER=<value>
# - Windows Command Line (CMD):
# > set TRACING_PROVIDER=<value>
#
provider: jaeger
## service_name ##
#
# Specifies the service name to use on the tracer.
#
# Examples:
# - ORY Hydra
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export TRACING_SERVICE_NAME=<value>
# - Windows Command Line (CMD):
# > set TRACING_SERVICE_NAME=<value>
#
service_name: ORY Hydra
## providers ##
#
providers:
## jaeger ##
#
# Configures the jaeger tracing backend.
#
jaeger:
## local_agent_address ##
#
# The address of the jaeger-agent where spans should be sent to.
#
# Examples:
# - 127.0.0.1:6831
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export TRACING_PROVIDERS_JAEGER_LOCAL_AGENT_ADDRESS=<value>
# - Windows Command Line (CMD):
# > set TRACING_PROVIDERS_JAEGER_LOCAL_AGENT_ADDRESS=<value>
#
local_agent_address: 127.0.0.1:6831
## propagation ##
#
# The tracing header format
#
# Examples:
# - jaeger
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export TRACING_PROVIDERS_JAEGER_PROPAGATION=<value>
# - Windows Command Line (CMD):
# > set TRACING_PROVIDERS_JAEGER_PROPAGATION=<value>
#
propagation: jaeger
## sampling ##
#
# Examples:
# - type: const
# value: 1
# server_url: http://localhost:5778/sampling
#
sampling:
## type ##
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export TRACING_PROVIDERS_JAEGER_SAMPLING_TYPE=<value>
# - Windows Command Line (CMD):
# > set TRACING_PROVIDERS_JAEGER_SAMPLING_TYPE=<value>
#
type: const
## value ##
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export TRACING_PROVIDERS_JAEGER_SAMPLING_VALUE=<value>
# - Windows Command Line (CMD):
# > set TRACING_PROVIDERS_JAEGER_SAMPLING_VALUE=<value>
#
value: 1
## server_url ##
#
# Set this value using environment variables on
# - Linux/macOS:
# $ export TRACING_PROVIDERS_JAEGER_SAMPLING_SERVER_URL=<value>
# - Windows Command Line (CMD):
# > set TRACING_PROVIDERS_JAEGER_SAMPLING_SERVER_URL=<value>
#
server_url: http://localhost:5778/sampling
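Review bot: The `secrets.system` and `secrets.cookie` lists (the `this-is-the-primary-secret` entries near the end of the file) are the published example values, and debian/rules copies this file to /etc/hydra/hydra.yml, so every installation of the package would sign tokens and encrypt data with the same well-known keys; leave both lists empty so Hydra generates a secret at start, or document that the packager must replace them, and treat `salt: some-random-salt` under `pairwise` the same way. Several other values read as unedited sample output rather than a deliberate configuration: `expose_internal_errors: true` returns backend error details to OAuth clients, `profiling: cpu` enables the Go profiler, `cost: 40935632` is well above bcrypt's maximum cost of 31, `allowed_methods` contains `TRACE` and duplicate entries, the public `allowed_headers` are lorem-ipsum words, and the admin `allowed_headers:` and `exposed_headers:` keys have every item commented out and therefore parse as null. `auth_code: 1h` and `refresh_token: 1h` also depart from the documented defaults (10m and 720h) in opposite directions, which looks accidental. As rendered here every key sits at column 0; presumably the page stripped the indentation, but if the committed file really is flat it is not the nested document the comments describe.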

1
debian/compat vendored Normal file
View File

@ -0,0 +1 @@
9

14
debian/control vendored Normal file

@ -0,0 +1,14 @@
Source: hydra
Section: unknown
Priority: optional
Maintainer: William Petit <wpetit@cadoles.com>
Build-Depends: debhelper (>= 8.0.0), wget, ca-certificates, tar
Standards-Version: 3.9.4
Homepage: http://forge.cadoles.com/wpetit/debian-hydra
Vcs-Git: http://forge.cadoles.com/wpetit/debian-hydra.git
Vcs-Browser: http://forge.cadoles.com/wpetit/debian-hydra
Package: hydra
Architecture: amd64
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: Serveur OpenID Connect
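Review bot: `Section: unknown` and `Standards-Version: 3.9.4` are the template defaults and will draw lintian warnings; set a real section (`net` or `web`) and a current standards version. The `Vcs-Git`, `Vcs-Browser` and `Homepage` fields use plain `http://`, which leaves anyone cloning or browsing from them open to tampering in transit; use `https://` if the forge serves it. `Description` has only the short line, and Debian expects an extended description block after it. The hunk header announces 14 lines but 13 are rendered, so the blank stanza separator before `Package:` has presumably been dropped by the page rather than by the commit.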

11
debian/hydra.service vendored Normal file

@ -0,0 +1,11 @@
[Unit]
Description=Serveur OpenID Connect Hydra
After=network-online.target
[Service]
Type=simple
ExecStart=/usr/bin/hydra --config /etc/hydra/hydra.yml serve all
Restart=on-failure
[Install]
WantedBy=multi-user.target
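Review bot: The unit has no `User=` line, so `/usr/bin/hydra` runs as root, with `/etc/hydra/hydra.yml` (which carries the signing and cookie secrets) and the rest of the filesystem reachable from a process that also serves the public listener; a dedicated service account plus the basic systemd sandboxing directives limits what a compromise of that listener can touch. `After=network-online.target` on its own does not pull the target in and needs a matching `Wants=network-online.target` to order the start correctly. The `hydra` account below is a placeholder that a postinst would have to create (or `DynamicUser=true` could replace it); this commit ships no maintainer scripts.
```ini
[Unit]
Description=Serveur OpenID Connect Hydra
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
# placeholder account: not created by this commit
User=hydra
Group=hydra
ExecStart=/usr/bin/hydra --config /etc/hydra/hydra.yml serve all
Restart=on-failure
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true

# … unchanged: [Install] section …
```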

26
debian/rules vendored Normal file

@ -0,0 +1,26 @@
#!/usr/bin/make -f
# -*- makefile -*-
# Uncomment this to turn on verbose mode.
export DH_VERBOSE=1
HYDRA_VERSION := v1.5.1
%:
dh $@ --with systemd
override_dh_auto_build: $(GOPATH)
./script/install.sh -b bin -d $(HYDRA_VERSION)
override_dh_auto_install:
mkdir -p debian/hydra/usr/bin
mkdir -p debian/hydra/etc/hydra
cp bin/hydra debian/hydra/usr/bin/hydra
cp conf/hydra.yml debian/hydra/etc/hydra
install -d debian/hydra
override_dh_strip:
override_dh_auto_test:
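Review bot: `override_dh_auto_build` fetches the release tarball from GitHub through script/install.sh at package build time, and the only integrity check is the checksum file downloaded from the same origin, so the build is neither reproducible offline nor protected against a substituted release; pin the expected SHA-256 of the `v1.5.1` tarball in the repository (or vendor the tarball) and verify against that value. `cp conf/hydra.yml debian/hydra/etc/hydra` installs a file containing Hydra's system and cookie secrets with the default 0644 mode; `install -m 0640 conf/hydra.yml debian/hydra/etc/hydra/hydra.yml` keeps it unreadable to other local users. The `$(GOPATH)` prerequisite on the build target is presumably a leftover, since nothing in the recipe uses Go, and the empty `override_dh_auto_test:` silently skips tests without a comment saying why. As rendered here the recipe lines have no leading tab and the hunk header counts 26 lines against 17 shown, so the page has likely dropped whitespace; make does require the tab.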

1
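--- a/debian/source/format
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)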

406
script/install.sh Executable file

@ -0,0 +1,406 @@
#!/bin/sh
set -e
# Code generated by godownloader on 2020-04-25T10:38:57Z. DO NOT EDIT.
#
usage() {
this=$1
cat <<EOF
$this: download go binaries for ory/hydra
Usage: $this [-b] bindir [-d] [tag]
-b sets bindir or installation directory, Defaults to ./bin
-d turns on debug logging
[tag] is a tag from
https://github.com/ory/hydra/releases
If tag is missing, then the latest will be used.
Generated by godownloader
https://github.com/goreleaser/godownloader
EOF
exit 2
}
parse_args() {
#BINDIR is ./bin unless set be ENV
# over-ridden by flag below
BINDIR=${BINDIR:-./bin}
while getopts "b:dh?x" arg; do
case "$arg" in
b) BINDIR="$OPTARG" ;;
d) log_set_priority 10 ;;
h | \?) usage "$0" ;;
x) set -x ;;
esac
done
shift $((OPTIND - 1))
TAG=$1
}
# this function wraps all the destructive operations
# if a curl|bash cuts off the end of the script due to
# network, either nothing will happen or will syntax error
# out preventing half-done work
execute() {
tmpdir=$(mktemp -d)
log_debug "downloading files into ${tmpdir}"
http_download "${tmpdir}/${TARBALL}" "${TARBALL_URL}"
http_download "${tmpdir}/${CHECKSUM}" "${CHECKSUM_URL}"
hash_sha256_verify "${tmpdir}/${TARBALL}" "${tmpdir}/${CHECKSUM}"
srcdir="${tmpdir}"
(cd "${tmpdir}" && untar "${TARBALL}")
test ! -d "${BINDIR}" && install -d "${BINDIR}"
for binexe in $BINARIES; do
if [ "$OS" = "windows" ]; then
binexe="${binexe}.exe"
fi
install "${srcdir}/${binexe}" "${BINDIR}/"
log_info "installed ${BINDIR}/${binexe}"
done
rm -rf "${tmpdir}"
}
get_binaries() {
case "$PLATFORM" in
darwin/386) BINARIES="hydra" ;;
darwin/amd64) BINARIES="hydra" ;;
darwin/arm64) BINARIES="hydra" ;;
darwin/armv5) BINARIES="hydra" ;;
darwin/armv6) BINARIES="hydra" ;;
darwin/armv7) BINARIES="hydra" ;;
freebsd/386) BINARIES="hydra" ;;
freebsd/amd64) BINARIES="hydra" ;;
freebsd/arm64) BINARIES="hydra" ;;
freebsd/armv5) BINARIES="hydra" ;;
freebsd/armv6) BINARIES="hydra" ;;
freebsd/armv7) BINARIES="hydra" ;;
linux/386) BINARIES="hydra" ;;
linux/amd64) BINARIES="hydra" ;;
linux/arm64) BINARIES="hydra" ;;
linux/armv5) BINARIES="hydra" ;;
linux/armv6) BINARIES="hydra" ;;
linux/armv7) BINARIES="hydra" ;;
windows/386) BINARIES="hydra" ;;
windows/amd64) BINARIES="hydra" ;;
windows/arm64) BINARIES="hydra" ;;
windows/armv5) BINARIES="hydra" ;;
windows/armv6) BINARIES="hydra" ;;
windows/armv7) BINARIES="hydra" ;;
*)
log_crit "platform $PLATFORM is not supported. Make sure this script is up-to-date and file request at https://github.com/${PREFIX}/issues/new"
exit 1
;;
esac
}
tag_to_version() {
if [ -z "${TAG}" ]; then
log_info "checking GitHub for latest tag"
else
log_info "checking GitHub for tag '${TAG}'"
fi
REALTAG=$(github_release "$OWNER/$REPO" "${TAG}") && true
if test -z "$REALTAG"; then
log_crit "unable to find '${TAG}' - use 'latest' or see https://github.com/${PREFIX}/releases for details"
exit 1
fi
# if version starts with 'v', remove it
TAG="$REALTAG"
VERSION=${TAG#v}
}
adjust_format() {
# change format (tar.gz or zip) based on OS
case ${OS} in
windows) FORMAT=zip ;;
esac
true
}
adjust_os() {
# adjust archive name based on OS
case ${OS} in
386) OS=32-bit ;;
amd64) OS=64-bit ;;
darwin) OS=macOS ;;
esac
true
}
adjust_arch() {
# adjust archive name based on ARCH
case ${ARCH} in
386) ARCH=32-bit ;;
amd64) ARCH=64-bit ;;
darwin) ARCH=macOS ;;
esac
true
}
cat /dev/null <<EOF
------------------------------------------------------------------------
https://github.com/client9/shlib - portable posix shell functions
Public domain - http://unlicense.org
https://github.com/client9/shlib/blob/master/LICENSE.md
but credit (and pull requests) appreciated.
------------------------------------------------------------------------
EOF
is_command() {
command -v "$1" >/dev/null
}
echoerr() {
echo "$@" 1>&2
}
log_prefix() {
echo "$0"
}
_logp=6
log_set_priority() {
_logp="$1"
}
log_priority() {
if test -z "$1"; then
echo "$_logp"
return
fi
[ "$1" -le "$_logp" ]
}
log_tag() {
case $1 in
0) echo "emerg" ;;
1) echo "alert" ;;
2) echo "crit" ;;
3) echo "err" ;;
4) echo "warning" ;;
5) echo "notice" ;;
6) echo "info" ;;
7) echo "debug" ;;
*) echo "$1" ;;
esac
}
log_debug() {
log_priority 7 || return 0
echoerr "$(log_prefix)" "$(log_tag 7)" "$@"
}
log_info() {
log_priority 6 || return 0
echoerr "$(log_prefix)" "$(log_tag 6)" "$@"
}
log_err() {
log_priority 3 || return 0
echoerr "$(log_prefix)" "$(log_tag 3)" "$@"
}
log_crit() {
log_priority 2 || return 0
echoerr "$(log_prefix)" "$(log_tag 2)" "$@"
}
uname_os() {
os=$(uname -s | tr '[:upper:]' '[:lower:]')
case "$os" in
cygwin_nt*) os="windows" ;;
mingw*) os="windows" ;;
msys_nt*) os="windows" ;;
esac
echo "$os"
}
uname_arch() {
arch=$(uname -m)
case $arch in
x86_64) arch="amd64" ;;
x86) arch="386" ;;
i686) arch="386" ;;
i386) arch="386" ;;
aarch64) arch="arm64" ;;
armv5*) arch="armv5" ;;
armv6*) arch="armv6" ;;
armv7*) arch="armv7" ;;
esac
echo ${arch}
}
uname_os_check() {
os=$(uname_os)
case "$os" in
darwin) return 0 ;;
dragonfly) return 0 ;;
freebsd) return 0 ;;
linux) return 0 ;;
android) return 0 ;;
nacl) return 0 ;;
netbsd) return 0 ;;
openbsd) return 0 ;;
plan9) return 0 ;;
solaris) return 0 ;;
windows) return 0 ;;
esac
log_crit "uname_os_check '$(uname -s)' got converted to '$os' which is not a GOOS value. Please file bug at https://github.com/client9/shlib"
return 1
}
uname_arch_check() {
arch=$(uname_arch)
case "$arch" in
386) return 0 ;;
amd64) return 0 ;;
arm64) return 0 ;;
armv5) return 0 ;;
armv6) return 0 ;;
armv7) return 0 ;;
ppc64) return 0 ;;
ppc64le) return 0 ;;
mips) return 0 ;;
mipsle) return 0 ;;
mips64) return 0 ;;
mips64le) return 0 ;;
s390x) return 0 ;;
amd64p32) return 0 ;;
esac
log_crit "uname_arch_check '$(uname -m)' got converted to '$arch' which is not a GOARCH value. Please file bug report at https://github.com/client9/shlib"
return 1
}
untar() {
tarball=$1
case "${tarball}" in
*.tar.gz | *.tgz) tar --no-same-owner -xzf "${tarball}" ;;
*.tar) tar --no-same-owner -xf "${tarball}" ;;
*.zip) unzip "${tarball}" ;;
*)
log_err "untar unknown archive format for ${tarball}"
return 1
;;
esac
}
http_download_curl() {
local_file=$1
source_url=$2
header=$3
if [ -z "$header" ]; then
code=$(curl -w '%{http_code}' -sL -o "$local_file" "$source_url")
else
code=$(curl -w '%{http_code}' -sL -H "$header" -o "$local_file" "$source_url")
fi
if [ "$code" != "200" ]; then
log_debug "http_download_curl received HTTP status $code"
return 1
fi
return 0
}
http_download_wget() {
local_file=$1
source_url=$2
header=$3
if [ -z "$header" ]; then
wget -q -O "$local_file" "$source_url"
else
wget -q --header "$header" -O "$local_file" "$source_url"
fi
}
http_download() {
log_debug "http_download $2"
if is_command curl; then
http_download_curl "$@"
return
elif is_command wget; then
http_download_wget "$@"
return
fi
log_crit "http_download unable to find wget or curl"
return 1
}
http_copy() {
tmp=$(mktemp)
http_download "${tmp}" "$1" "$2" || return 1
body=$(cat "$tmp")
rm -f "${tmp}"
echo "$body"
}
github_release() {
owner_repo=$1
version=$2
test -z "$version" && version="latest"
giturl="https://github.com/${owner_repo}/releases/${version}"
json=$(http_copy "$giturl" "Accept:application/json")
test -z "$json" && return 1
version=$(echo "$json" | tr -s '\n' ' ' | sed 's/.*"tag_name":"//' | sed 's/".*//')
test -z "$version" && return 1
echo "$version"
}
hash_sha256() {
TARGET=${1:-/dev/stdin}
if is_command gsha256sum; then
hash=$(gsha256sum "$TARGET") || return 1
echo "$hash" | cut -d ' ' -f 1
elif is_command sha256sum; then
hash=$(sha256sum "$TARGET") || return 1
echo "$hash" | cut -d ' ' -f 1
elif is_command shasum; then
hash=$(shasum -a 256 "$TARGET" 2>/dev/null) || return 1
echo "$hash" | cut -d ' ' -f 1
elif is_command openssl; then
hash=$(openssl -dst openssl dgst -sha256 "$TARGET") || return 1
echo "$hash" | cut -d ' ' -f a
else
log_crit "hash_sha256 unable to find command to compute sha-256 hash"
return 1
fi
}
hash_sha256_verify() {
TARGET=$1
checksums=$2
if [ -z "$checksums" ]; then
log_err "hash_sha256_verify checksum file not specified in arg2"
return 1
fi
BASENAME=${TARGET##*/}
want=$(grep "${BASENAME}" "${checksums}" 2>/dev/null | tr '\t' ' ' | cut -d ' ' -f 1)
if [ -z "$want" ]; then
log_err "hash_sha256_verify unable to find checksum for '${TARGET}' in '${checksums}'"
return 1
fi
got=$(hash_sha256 "$TARGET")
if [ "$want" != "$got" ]; then
log_err "hash_sha256_verify checksum for '$TARGET' did not verify ${want} vs $got"
return 1
fi
}
cat /dev/null <<EOF
------------------------------------------------------------------------
End of functions from https://github.com/client9/shlib
------------------------------------------------------------------------
EOF
PROJECT_NAME="hydra"
OWNER=ory
REPO="hydra"
BINARY=hydra
FORMAT=tar.gz
OS=$(uname_os)
ARCH=$(uname_arch)
PREFIX="$OWNER/$REPO"
# use in logging routines
log_prefix() {
echo "$PREFIX"
}
PLATFORM="${OS}/${ARCH}"
GITHUB_DOWNLOAD=https://github.com/${OWNER}/${REPO}/releases/download
uname_os_check "$OS"
uname_arch_check "$ARCH"
parse_args "$@"
get_binaries
tag_to_version
adjust_format
adjust_os
adjust_arch
log_info "found version: ${VERSION} for ${TAG}/${OS}/${ARCH}"
NAME=${PROJECT_NAME}_${VERSION}_${OS}_${ARCH}
TARBALL=${NAME}.${FORMAT}
TARBALL_URL=${GITHUB_DOWNLOAD}/${TAG}/${TARBALL}
CHECKSUM=${PROJECT_NAME}_${VERSION}_checksums.txt
CHECKSUM_URL=${GITHUB_DOWNLOAD}/${TAG}/${CHECKSUM}
execute