
Support for ory hydra oauth2 #288

Closed
salmanisd opened this issue Jul 7, 2020 · 5 comments

Comments

@salmanisd

Hello,

I am using the ory hydra as oauth provider (https://www.ory.sh/hydra/docs/). While its oauth flow works fine with my nodejs apps, I want to integrate it with nginx.

I am guessing vouch-proxy is not going to work out of the box with it? Can anyone tell me what I can do to maybe add support for hydra?

@bnfinet
Member

bnfinet commented Jul 7, 2020

@salmanisd Assuming that they are OIDC compliant (and it would appear that they are), the only thing necessary to add to VP would be a provider/ory/ory.go pkg with a GetUserInfo function that manages the call and response to the configured (ORY's) oauth.user_info_url.

A quick review of their docs makes it seem fairly straight forward. There would need to be a little work around retrieving and storing the data for custom claims.
https://www.ory.sh/hydra/docs/oauth2/#userinfo

@salmanisd The existing VP providers should provide enough examples to get you 95% of the way there. Would you care to work on a PR to support ORY?

@salmanisd
Author

I would be definitely interested. Let me first try with the default openid provider and see how far I can go with that.

@bnfinet
Member

bnfinet commented Jul 8, 2020

@salmanisd Thanks much!

Let's keep this one open until ORY hydra support is implemented as part of your work or otherwise.

@bnfinet bnfinet reopened this Jul 8, 2020
@mig5
Contributor

mig5 commented Dec 6, 2021

Hi,

I just wanted to note for the record that I tried Vouch today with an Ory Hydra installation, and it Just Worked with the native oidc provider configuration in Vouch!

This was my config:

```yaml
# Ory Hydra
oauth:  # assumption: these keys live under Vouch's top-level oauth: block (cf. oauth.user_info_url above)
  provider: oidc
  client_id: changeme
  client_secret: changeme
  auth_url: https://hydra.yourdomain.com/oauth2/auth
  token_url: https://hydra.yourdomain.com/oauth2/token
  user_info_url: https://hydra.yourdomain.com/userinfo
  end_session_endpoint: https://hydra.yourdomain.com/oauth2/sessions/logout
  scopes:
    - openid
    - email
    - profile
  # Be sure to create your Ory Hydra oAuth2.0 client with the below URL as the --callbacks parameter.
  # Note that you will get errors if your client has multiple callback URLs registered and uses the 'pairwise' subject identifier.
  callback_url: https://vouch.yourdomain.com/auth
```

It even Just Worked with custom claims. I could ingest them as HTTP headers just like usual in Vouch (and the webapp that uses it).

The only 'gotcha' was that last note. I was using an oAuth2.0 client that had another callback URL registered to it along with the Vouch one above, and I'm using the 'pairwise' subject identifier algorithm (which is not the default in Hydra) as per these notes: https://www.ory.sh/hydra/docs/advanced/#subject-identifier-algorithms

Upon login, consent and redirection back to the Vouch callback, I got an HTTP 400 error in Vouch with an error message from Hydra: "OAuth 2.0 Client has multiple redirect_uris but no sector_identifier_uri was set which is not allowed when performing using subject type pairwise. Please reconfigure the OAuth 2.0 client properly".

This may not be a problem with Vouch as such, and no problem in my case; I just made a new oAuth2.0 client in Hydra with just the one callback (the Vouch URL) and it works perfectly. So I think the above config is fine for most Hydra setups; not sure Vouch needs to do anything else at the Go level? Would you like a PR simply for your config.yml examples to contain the above?
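A sketch of the GetUserInfo call bnfinet describes above, pointed at the user_info_url from mig5's config, as an added Go example that is not vouch-proxy's own provider code: it fetches userinfo with the access token as a Bearer credential, insists on a sub claim, and returns custom claims such as groups alongside the standard ones. The fakeHydra server, the test-token value and the claim set are constructed for the example; Vouch's real provider interface and claim-to-header mapping are not shown.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// GetUserInfo fetches the provider's user_info_url with the access token as a
// Bearer credential and returns every claim it sent, standard and custom alike
// (a custom claim such as "groups" is what Vouch would forward as a header).
func GetUserInfo(client *http.Client, userInfoURL, accessToken string) (map[string]json.RawMessage, error) {
	req, err := http.NewRequest(http.MethodGet, userInfoURL, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+accessToken)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // Hydra answers 401 for a bad or expired token
		return nil, fmt.Errorf("userinfo returned HTTP %d", resp.StatusCode)
	}
	var claims map[string]json.RawMessage
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&claims); err != nil {
		return nil, err
	}
	// OIDC requires a non-empty "sub"; a response without one does not identify a user.
	var sub string
	if json.Unmarshal(claims["sub"], &sub) != nil || sub == "" {
		return nil, fmt.Errorf("userinfo response carries no usable sub claim")
	}
	return claims, nil
}

// fakeHydra is a constructed stand-in for https://hydra.yourdomain.com/userinfo (not Ory Hydra itself).
func fakeHydra() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer test-token" {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"sub":"user-1","email":"a@example.com","groups":["admin"]}`)
	}))
}
```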

@bnfinet
Member

bnfinet commented Dec 7, 2021

@mig5 thanks for that note. I've gone ahead and added Ory Hydra to the list of supported providers in the README.
