I'm working on an OAuth2 project for school using ORY Hydra.
I've followed the 5 min tutorial and my server is working "pretty" well. I'm using the Hydra PHP Client (https://github.com/ory/hydra-client-php) to make my own login and consent pages.
This client is able to send HTTP requests to the Hydra API set up on my server.
My server has the public API on port 4444 and the Admin one on port 4445.
I'm able to create and get the OAuth2 Client list from the PHP client, but I'm thinking about security. How can I limit access to the Admin API of my server?
I tried to find how to set up a "password" or a security rule to prevent external people from making Admin API requests too, but I found nothing.
Hydra config:

serve:
  cookies:
    same_site_mode: Lax
  admin:
    # The port to listen on. Defaults to 4445
    port: 4445
    # The interface or unix socket ORY Hydra should listen and handle administrative API requests on.
    # Use the prefix "unix:" to specify a path to a unix socket.
    # Leave empty to listen on all interfaces.
    host: localhost # leave this out or empty to listen on all devices which is the default
    # host: unix:/path/to/socket
    # socket:
    #   owner: hydra
    #   group: hydra
    #   mode: 0775
    # cors configures Cross Origin Resource Sharing for admin endpoints.
    cors:
      # set enabled to true to enable CORS. Defaults to false.
      enabled: true
      # allowed_origins is a list of origins (comma separated values) a cross-domain request can be executed from.
      # If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*)
      # to replace 0 or more characters (i.e.: http://*.domain.com). Only one wildcard can be used per origin.
      #
      # If empty or undefined, this defaults to `*`, allowing CORS from every domain (if cors.enabled: true).
      allowed_origins:
        - https://example.com
        - https://*.example.com
      # allowed_methods is list of HTTP methods the user agent is allowed to use with cross-domain
      # requests. Defaults to GET and POST.
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      # A list of non simple headers the client is allowed to use with cross-domain requests. Defaults to the listed values.
      allowed_headers:
        - Authorization
        - Content-Type
      # Sets which headers (comma separated values) are safe to expose to the API of a CORS API specification. Defaults to the listed values.
      exposed_headers:
        - Content-Type
      # Sets whether the request can include user credentials like cookies, HTTP authentication
      # or client side SSL certificates.
      allow_credentials: true
      # Sets how long (in seconds) the results of a preflight request can be cached. If set to 0, every request
      # is preceded by a preflight request. Defaults to 0.
      max_age: 10
      # If set to true, adds additional log output to debug server side CORS issues. Defaults to false.
      debug: true
    # Access Log configuration for admin server.
    access_log:
      # Disable access log for health endpoints.
      disable_for_health: false
urls:
  self:
    issuer: http://127.0.0.1:4444
  consent: http://127.0.0.1:3000/consent
  login: http://127.0.0.1:3000/login
  logout: http://127.0.0.1:3000/logout
secrets:
  system:
    - youReallyNeedToChangeThis
oidc:
  subject_identifiers:
    supported_types:
      - pairwise
      - public
    pairwise:
      salt: youReallyNeedToChangeThis
PHP client code:

<?php
require_once(__DIR__ . '/vendor/autoload.php');

// Admin API client; all calls go to the admin port (4445), which has no
// authentication of its own.
$apiInstance = new Ory\Hydra\Client\Api\AdminApi(
    // If you want to use a custom http client, pass your client which implements `GuzzleHttp\ClientInterface`.
    // This is optional, `GuzzleHttp\Client` will be used as default.
    new GuzzleHttp\Client()
);
$config = $apiInstance->getConfig();
$config->setHost("http://localhost:4445");

/*$body = new \Ory\Hydra\Client\Model\OAuth2Client(); // \Ory\Hydra\Client\Model\OAuth2Client
$body->setClientId("fromphp");
$body->setClientSecret("fromphp");
$body->setRedirectUris(array("http://localhost:8010/result.php"));
$body->setGrantTypes(array("authorization_code"));
$body->setResponseTypes(array("code"));
$body->setScope("openid");*/

try {
    $result = $apiInstance->listOAuth2Clients();
    print_r($result);
} catch (Exception $e) {
    // Error message now names the call actually made (listOAuth2Clients).
    echo 'Exception when calling AdminApi->listOAuth2Clients: ', $e->getMessage(), PHP_EOL;
}
?>
Any idea?
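The admin listener in the config above is already bound to localhost, so the usual pattern is to keep it that way and, when the PHP app runs on another host, put a TLS-terminating reverse proxy that enforces authentication in front of port 4445. The following is an added example (not from the original post or the Hydra project) of how the PHP client side looks in that setup; the proxy URL, the environment variable names and the Basic-auth credentials are assumptions, and the proxy configuration itself is not shown.

```php
<?php
// Added example: harden the Hydra PHP client's connection to the Admin API.
// Assumes port 4445 stays bound to localhost (as in the config above) and a
// reverse proxy (hypothetical host hydra-admin.internal.example) terminates TLS
// and checks HTTP Basic auth before forwarding to 4445. Hydra's admin API has
// no authentication of its own, so the proxy is the gate.
require_once(__DIR__ . '/vendor/autoload.php');

use GuzzleHttp\Client;
use Ory\Hydra\Client\Api\AdminApi;

// Refuse any admin URL that would send requests in plaintext to a host other
// than the loopback interface, i.e. catch accidental exposure by misconfiguration.
function assertSafeAdminUrl(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException("Malformed admin URL: $url");
    }
    $loopback = in_array($parts['host'], ['localhost', '127.0.0.1', '::1'], true);
    if ($parts['scheme'] !== 'https' && !$loopback) {
        throw new InvalidArgumentException("Refusing plaintext admin URL to non-loopback host: $url");
    }
    return rtrim($url, '/');
}

// Hypothetical environment variables: the proxy URL and credentials come from
// the environment, never from source control.
$adminUrl  = assertSafeAdminUrl(getenv('HYDRA_ADMIN_URL') ?: 'https://hydra-admin.internal.example');
$adminUser = getenv('HYDRA_ADMIN_USER') ?: '';
$adminPass = getenv('HYDRA_ADMIN_PASS') ?: '';

$http = new Client([
    'auth'    => [$adminUser, $adminPass], // Basic auth checked by the reverse proxy
    'verify'  => true,                      // validate the proxy's TLS certificate
    'timeout' => 5,
]);

$apiInstance = new AdminApi($http);
$apiInstance->getConfig()->setHost($adminUrl);

try {
    print_r($apiInstance->listOAuth2Clients());
} catch (Exception $e) {
    echo 'Exception when calling AdminApi->listOAuth2Clients: ', $e->getMessage(), PHP_EOL;
}
```

If the PHP app runs on the same host as Hydra, keeping `http://localhost:4445` (or a unix socket via the commented `host: unix:/path/to/socket` option) and no proxy is the simpler choice; the guard above still accepts that URL.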