Integrating Hydra and Kratos

[k9ert]

Related issue

Having Kratos as the user-DB for Hydra is quite useful. This PR is based on code from @jpbogle announcing his work here:
https://community.ory.sh/t/ory-hydra-with-ory-kratos-as-idp/1845

Also related is this issue:
ory/kratos#273

@aeneasr

Proposed changes

• The self-service-ui gets the functionality from the hydra-login-consent-node
• On top it gets a new endpoint which initiates and manages a hydra-specific login-flow

More details and discussions in the forum:
https://community.ory.sh/t/ory-hydra-with-ory-kratos-as-idp/1845

UPDATE:
Here is a sequence-diagram of how this is supposed to work. Note that an integrated registration-flow is not possible in the PR.
Although it increased the complexity of the diagram, i've included redirect-arrows back to the browser and used to them to show when and which cookies are set.

Checklist

• I have read the contributing guidelines
• I have read the security policy
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security vulnerability, I
  confirm that I got green light (please contact
  [email protected]) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation within the code base (if appropriate)

Further comments

Removing the necessity for a cookie might be a quite good idea.
UPDATE: cookies no longer necessary.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
2 out of 3 committers have signed the CLA.

✅ k9ert
✅ aeneasr
❌ Jeremy Bogle

---

Jeremy Bogle seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[aeneasr]

Logging can be quite useful to find errors, but using console.log is an anti-pattern. Instead, we could probably use winston to help with logging, which also supports structured logging. Log messages should generally not be prefixed but simply plain strings :)

[aeneasr]

@jpbogle for this to be merged into master we would need you to sign the CLA (see first comment on this PR). Would you be ok with that?

[aeneasr]

I have not looked into the logic of the login flow itself too much yet. It looks to me as if there could be some serious session hijaking vulnerabilities. I'll give it another pass once the review comments are addressed.

Regarding workflows, I highly recommend using the following pattern - this will help you keep your fork clean. Committing on your fork's master is bad practice because you want the master of your fork and the origin to stay in sync.

Here's how I generally work with forks:

# First you clone the original repository
git clone [email protected]:ory/kratos-selfservice-ui-node.git

# Next you add a git remote that is your fork:
git remote add fork [email protected]:k9ert/kratos-selfservice-ui-node.git

# Next you fetch the latest changes from origin for master:
git fetch origin
git checkout master
git pull --rebase

# Next you create a new feature branch off of master:
git checkout my-feature-branch

# Now you do your work and commit your changes:
git add -A # <füge alle files hinzu
git commit -a -m "fix: this is the subject line" -m "This is the body line. Closes #123"

# And the last step is pushing this to your fork
git push -u fork my-feature-branch

[aeneasr]

If we apply the return we don't need to catch here because the catch is executed further down.

[programmador]

I also encounter redirect loop on Jeremy's fork from time to time until I delete EVERYTHING from browser. Everything - because I have no idea which domain keeps an outdated cookie. I think that it's Hydra's one.

[programmador]

I also encounter redirect loop on Jeremy's fork from time to time until I delete EVERYTHING from browser. Everything - because I have no idea which domain keeps an outdated cookie. I think that it's Hydra's one.

Oh, I've got it! Redirect loop goes away when I restart Hydra sample auth which I use for testing.
The one from this tutorial https://www.ory.sh/hydra/docs/5min-tutorial

So probably it's the app itself storing session.
Actually I don't know whether this info is valid or not.

[programmador]

@k9ert I'm trying this branch in my domain-based environment and always getting strange redirect related errors similar to what I've already fixed in /session/whoami Kratos request.

At first I've got errors with Kratos. After entering password it shows an error with request/response description and a subject of an error is actually return of 302 redirect.
I thought that it's Traefik's response again but after experimenting a bit I've got a similar error with Hydra:

{
  "response": {
    "statusCode": 307,
    "headers": {
      "content-length": "0",
      "date": "Fri, 31 Jul 2020 18:23:41 GMT",
      "location": "/oauth2/auth/requests/login/accept?login_challenge=cb845b72a1494e81877c233f6de138ab",
      "connection": "close"
    },
    "request": {
      "uri": {
        "protocol": "https:",
        "slashes": true,
        "auth": null,
        "host": "admin.hydra.local",
        "port": null,
        "hostname": "admin.hydra.local",
        "hash": null,
        "search": "?login_challenge=cb845b72a1494e81877c233f6de138ab",
        "query": "login_challenge=cb845b72a1494e81877c233f6de138ab",
        "pathname": "//oauth2/auth/requests/login/accept",
        "path": "//oauth2/auth/requests/login/accept?login_challenge=cb845b72a1494e81877c233f6de138ab",
        "href": "https://admin.hydra.local//oauth2/auth/requests/login/accept?login_challenge=cb845b72a1494e81877c233f6de138ab"
      },
      "method": "PUT",
      "headers": {
        "Accept": "application/json",
        "content-type": "application/json",
        "content-length": 760
      }
    }
  },
  "statusCode": 307,
  "name": "HttpError"
}

As You can see it's 307 and not 302. It is definitely not Traefik.
Do You have any ideas in which direction should I dig?

[aeneasr]

I think your problem is a duplicate // in the url

https://admin.hydra.local//oauth2/auth/requests/login/accept?login_challenge=cb845b72a1494e81877c233f6de138ab"

which causes a redirect. Most likely coming from a misconfigured env var or something.

[programmador]

I think your problem is a duplicate // in the url

https://admin.hydra.local//oauth2/auth/requests/login/accept?login_challenge=cb845b72a1494e81877c233f6de138ab"

which causes a redirect. Most likely coming from a misconfigured env var or something.

Definitely yes. I was inconsiderate.