php - ORY Hydra Admin API Security


I'm working on an OAuth2 project for school using ORY Hydra.

I've followed the 5 min tutorial and my server is working "pretty" well. I'm using the Hydra PHP Client (https://github.com/ory/hydra-client-php) to make my own login and consent pages.

This client is able to send HTTP requests to the Hydra API set up on my server.

My server has the public API on port 4444 and the admin API on port 4445.

I'm able to create and get the OAuth2 client list from the PHP client, but I'm thinking about security. How can I limit access to the admin API of my server?

I tried to find out how to set up a "password" or a security rule to prevent external people from making admin API requests too, but I found nothing.

Hydra config:

serve:
  cookies:
    same_site_mode: Lax
  admin:
    # The port to listen on. Defaults to 4445
    port: 4445
    # The interface or unix socket ORY Hydra should listen and handle administrative API requests on.
    # Use the prefix "unix:" to specify a path to a unix socket.
    # Leave empty to listen on all interfaces.
    host: localhost # leave this out or empty to listen on all devices which is the default
    # host: unix:/path/to/socket
    # socket:
    #   owner: hydra
    #   group: hydra
    #   mode: 0775

    # cors configures Cross Origin Resource Sharing for admin endpoints.
    cors:
      # set enabled to true to enable CORS. Defaults to false.
      enabled: true
      # allowed_origins is a list of origins (comma separated values) a cross-domain request can be executed from.
      # If the special * value is present in the list, all origins will be allowed. An origin may contain a wildcard (*)
      # to replace 0 or more characters (i.e.: http://*.domain.com). Only one wildcard can be used per origin.
      #
      # If empty or undefined, this defaults to `*`, allowing CORS from every domain (if cors.enabled: true).
      allowed_origins:
        - https://example.com
        - https://*.example.com
      # allowed_methods is list of HTTP methods the user agent is allowed to use with cross-domain
      # requests. Defaults to GET and POST.
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE

      # A list of non simple headers the client is allowed to use with cross-domain requests. Defaults to the listed values.
      allowed_headers:
        - Authorization
        - Content-Type

      # Sets which headers (comma separated values) are safe to expose to the API of a CORS API specification. Defaults to the listed values.
      exposed_headers:
        - Content-Type

      # Sets whether the request can include user credentials like cookies, HTTP authentication
      # or client side SSL certificates.
      allow_credentials: true

      # Sets how long (in seconds) the results of a preflight request can be cached. If set to 0, every request
      # is preceded by a preflight request. Defaults to 0.
      max_age: 10

      # If set to true, adds additional log output to debug server side CORS issues. Defaults to false.
      debug: true

    # Access Log configuration for admin server.
    access_log:
      # Disable access log for health endpoints.
      disable_for_health: false

urls:
  self:
    issuer: http://127.0.0.1:4444
  consent: http://127.0.0.1:3000/consent
  login: http://127.0.0.1:3000/login
  logout: http://127.0.0.1:3000/logout

secrets:
  system:
    - youReallyNeedToChangeThis

oidc:
  subject_identifiers:
    supported_types:
      - pairwise
      - public
    pairwise:
      salt: youReallyNeedToChangeThis

PHP client code:

<?php
    require_once(__DIR__ . '/vendor/autoload.php');
    
    $apiInstance = new Ory\Hydra\Client\Api\AdminApi(
        // If you want use custom http client, pass your client which implements `GuzzleHttp\ClientInterface`.
        // This is optional, `GuzzleHttp\Client` will be used as default.
        new GuzzleHttp\Client()
    );
    $config = $apiInstance->getConfig();
    $config->setHost("http://localhost:4445");

    /*$body = new \Ory\Hydra\Client\Model\OAuth2Client(); // \Ory\Hydra\Client\Model\OAuth2Client
    $body->setClientId("fromphp");
    $body->setClientSecret("fromphp");
    $body->setRedirectUris(array("http://localhost:8010/result.php"));
    $body->setGrantTypes(array("authorization_code"));
    $body->setResponseTypes(array("code"));
    $body->setScope("openid");*/
   
    try {
        $result = $apiInstance->listOAuth2Clients();
        print_r($result);
    } catch (Exception $e) {
        echo 'Exception when calling AdminApi->listOAuth2Clients: ', $e->getMessage(), PHP_EOL;
    }

?>

Any idea?
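The config above already binds the admin listener to `localhost`, so port 4445 is not reachable from other hosts. The commented lines in the same block describe the stricter option: serve the admin API on a unix socket with an owner, group and mode, so there is no TCP port at all and filesystem permissions decide which local users may call it. The following is an added example, not code from the question or from the ORY project, showing the PHP client talking to Hydra over such a socket; the socket path is the one from the config comment (`/path/to/socket`) and the permission check reflects the `mode: 0775` shown there.

```php
<?php
// Added example, not from the question or the ORY project: use the Hydra PHP
// client against an admin API served on a unix socket (the commented
// "host: unix:/path/to/socket" config) instead of TCP port 4445.
require_once __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use Ory\Hydra\Client\Api\AdminApi;
use Ory\Hydra\Client\ApiException;

// Path taken from the commented line in the question's Hydra config.
$socketPath = '/path/to/socket';

// Fail closed if the socket is missing or writable by "other": connecting to a
// unix socket requires write permission on it, so a world-writable socket
// would let any local user call the admin API, defeating the 0775 mode.
if (!file_exists($socketPath)) {
    fwrite(STDERR, "admin socket not found: {$socketPath}\n");
    exit(1);
}
$mode = fileperms($socketPath) & 0777;
if (($mode & 0002) !== 0) {
    fwrite(STDERR, sprintf("refusing to use world-writable admin socket (mode %04o)\n", $mode));
    exit(1);
}

// Guzzle hands the "curl" option straight to the curl handler; with a unix
// socket set, curl uses it for transport and ignores the URL's host and port.
$httpClient = new Client([
    'curl'    => [CURLOPT_UNIX_SOCKET_PATH => $socketPath],
    'timeout' => 5,
]);

$adminApi = new AdminApi($httpClient);
// The generated client still needs a base URL to build request paths against;
// the host name is never resolved because the socket carries the connection.
$adminApi->getConfig()->setHost('http://localhost');

try {
    foreach ($adminApi->listOAuth2Clients() as $oauth2Client) {
        echo $oauth2Client->getClientId(), PHP_EOL;
    }
} catch (ApiException $e) {
    echo 'Exception when calling AdminApi->listOAuth2Clients: ', $e->getMessage(), PHP_EOL;
    exit(1);
}
```

On the Hydra side this corresponds to uncommenting the `host: unix:/path/to/socket` line and the `socket:` block (owner, group, mode) in the config above, and running the PHP process as a user in that group. The CORS settings in the same config only matter for browsers; they do not restrict which processes can reach the listener, which is why the listener's host or socket permissions are what limit admin access.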
