Trying the Device Flow
This document is a tutorial for setting up hydra and trying out the device flow using skaffold or docker-compose.
To run the device flow we are going to use a dummy client found at https://github.com/canonical/hydra-rock/tree/IAM-597/hack/flow-test. We are going to use Kratos as an Identity Broker and GitHub as our Identity Provider.
First of all we need to register a GitHub application. To do this you need to:
- Go to https://github.com/settings/applications/new. The application name and homepage URL do not matter, but the Authorization callback URL must be `https://iam.internal:8443/self-service/methods/oidc/callback/github` if using skaffold
- Generate a client secret
- Save your client_id and client_secret so that you can use them later
You will need to have [skaffold](https://skaffold.dev/docs/install/#standalone-binary), helm, rockcraft and microk8s installed.
Enable the microk8s registry:
```shell
microk8s enable registry
```
Configure kubectl:
```shell
# ensure kubectl is configured to use microk8s
microk8s.kubectl config view --raw > $HOME/.kube/config
# Alias kubectl so that it can be used by Skaffold
snap alias microk8s.kubectl kubectl
```
In order to deploy using skaffold you will need to fetch the IAM-597 branch from the hydra-rock repo:
```shell
git clone -b IAM-597 git@github.com:canonical/hydra-rock.git
```
Then you need to update `hack/helm/kratos.yaml` to use the client_id and client_secret you created in the previous step (see https://github.com/canonical/hydra-rock/blob/IAM-597/hack/helm/kratos.yaml#L64).
To make networking and the certs work you will need to add this line to your /etc/hosts:
```
127.0.0.1 iam.internal
```
Now you can run `make dev` from the hydra-rock repo root folder. This will deploy hydra, kratos, postgres and the login UI, and then perform the device flow. In order to make the flow easier to run, we suggest that you trust the TLS certificates used by the ingress. To do this you need to:
- run `kubectl get secret -o yaml iam-tls | yq '.data'` (the values under `.data` are base64-encoded, so decode them before saving)
- copy the ca.crt and tls.crt into /usr/local/share/ca-certificates/
- run `update-ca-certificates`
On your terminal you should see instructions to perform the device flow.
Once you have completed the browser flow (by logging in with GitHub) you should be able to see the generated tokens on your terminal.
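The exchange the dummy client performs, written out as an added Python example that is not the hydra-rock client itself. It assumes Hydra's public endpoints are reachable at `https://iam.internal:8443` under the paths `/oauth2/device/auth` and `/oauth2/token`; `post` and `sleep` are injectable so the polling logic can be exercised without a running Hydra.

```python
"""Device authorization grant (RFC 8628) client against Ory Hydra (added example)."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

HYDRA_PUBLIC_URL = "https://iam.internal:8443"  # assumed: the ingress host from /etc/hosts
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def post_form(url, fields):
    """POST a form to an OAuth2 endpoint; return (status, parsed JSON) even on a 4xx reply."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # error bodies (authorization_pending, ...) are JSON too
        return err.code, json.load(err)


def start_device_flow(client_id, scope, post=post_form):
    """Step 1: get device_code + user_code; show verification_uri_complete to the user."""
    status, body = post(f"{HYDRA_PUBLIC_URL}/oauth2/device/auth",  # assumed Hydra path
                        {"client_id": client_id, "scope": scope})
    if status != 200:
        raise RuntimeError(f"device authorization failed: {body}")
    return body


def poll_for_token(client_id, auth, post=post_form, sleep=time.sleep):
    """Step 2: poll the token endpoint, honouring interval, slow_down and expires_in."""
    interval, elapsed = auth.get("interval", 5), 0
    while elapsed < auth["expires_in"]:
        status, body = post(f"{HYDRA_PUBLIC_URL}/oauth2/token",
                            {"grant_type": DEVICE_GRANT, "device_code": auth["device_code"],
                             "client_id": client_id})
        if status == 200:
            return body  # access_token, id_token, refresh_token ...
        error = body.get("error")
        if error == "slow_down":  # RFC 8628 section 3.5: add 5 s and keep polling
            interval += 5
        elif error != "authorization_pending":  # access_denied, expired_token, invalid_grant
            raise RuntimeError(f"token request failed: {error}")
        sleep(interval)
        elapsed += interval
    raise TimeoutError("user_code expired before the browser login completed")
```

With a live deployment, `start_device_flow("<your client_id>", "openid offline")` prints the URL to open in the browser and `poll_for_token` returns the tokens once the GitHub login has completed.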