how to use hydra without "--dangerous-auto-logon"? #241

Closed
threefoldo opened this issue Aug 30, 2016 · 5 comments
Comments

threefoldo commented Aug 30, 2016

When I started hydra with '--dangerous-auto-logon', OAuth2 worked properly. When I start hydra without that option, both the CLI and the HTTP request fail with the same error message:

Could not retrieve access token: Error: Bad Request

The start command is:

SYSTEM_SECRET=passwordtutorial CONSENT_URL=http://localhost:3000 DATABASE_URL=rethinkdb://localhost:28015/hydra hydra host

When connecting to hydra, I tried:
1. running "hydra clients create --skip-tls-verify" with or without the CLIENT_ID and CLIENT_SECRET env variables;
2. the HTTP request with the correct client_id:

https://localhost:4444/oauth2/auth?client_id=06ac3da6-2dad-4124-9c34-3da0e9b4597e&response_type=code&scope=openid&state=ddsafewer323323werwrwerdfwfwr333

The settings are:
1. ".hydra.yml" contains the correct 'cluster_url'; the client_id and client_secret come from the rethinkdb table 'hydra_clients';
2. the rethinkdb table 'hydra_json_web_keys' has 4 pairs of keys: hydra.tls, hydra.openid.connect, consent.endpoint, consent.challenge.

I have read the documentation several times and don't know what I did wrong.

I use the binary hydra 0.4. The full error message is:

    INFO[1031] started handling request method=GET remote=[::1]:55737 request=/oauth2/auth?client_id=660b80e1-c6be-4367-b4cf-126ef30357ce&response_type=code&scope=openid&state=ddsafewer323323werwrwerdfwfwr333
    INFO[1031] completed handling request measure#web.latency=73959118 method=GET remote=[::1]:55737 request=/oauth2/auth?client_id=660b80e1-c6be-4367-b4cf-126ef30357ce&response_type=code&scope=openid&state=ddsafewer323323werwrwerdfwfwr333 status=302 text_status=Found took=73.959118ms
    INFO[1041] started handling request method=POST remote=127.0.0.1:55753 request=/oauth2/token
    INFO[1041] An error occured error=Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)
    github.com/ory-am/hydra/vendor/github.com/ory-am/fosite.init
        /Users/aeneas/workspaces/go/src/github.com/ory-am/hydra/vendor/github.com/ory-am/fosite/errors.go:21
    github.com/ory-am/hydra/client.init
        /Users/aeneas/workspaces/go/src/github.com/ory-am/hydra/client/manager_rethinkdb.go:158
    github.com/ory-am/hydra/cmd/server.init
        /Users/aeneas/workspaces/go/src/github.com/ory-am/hydra/cmd/server/helper_keys.go:39
    github.com/ory-am/hydra/cmd.init
        /Users/aeneas/workspaces/go/src/github.com/ory-am/hydra/cmd/token_validate.go:19
    main.init
        /Users/aeneas/workspaces/go/src/github.com/ory-am/hydra/main.go:38
    runtime.main
        /usr/local/go/src/runtime/proc.go:172
    runtime.goexit
        /usr/local/go/src/runtime/asm_amd64.s:2086
    github.com/ory-am/hydra/vendor/github.com/ory-am/fosite.(*Fosite).NewAccessRequest
        /Users/aeneas/workspaces/go/src/github.com/ory-am/hydra/vendor/github.com/ory-am/fosite/access_request_handler.go:68: : crypto/bcrypt: hashedPassword is not the hash of the given password stack=
    github.com/ory-am/hydra/vendor/github.com/ory-am/fosite.(*Fosite).NewAccessRequest
        /Users/aeneas/workspaces/go/src/github.com/ory-am/hydra/vendor/github.com/ory-am/fosite/access_request_handler.go:68
    github.com/ory-am/hydra/oauth2.(*Handler).TokenHandler
        /Users/aeneas/workspaces/go/src/github.com/ory-am/hydra/oauth2/handler.go:77
    github.com/ory-am/hydra/oauth2.(*Handler).TokenHandler-fm
        /Users/aeneas/workspaces/go/src/github.com/ory-am/hydra/oauth2/handler.go:39
    github.com/ory-am/hydra/vendor/github.com/julienschmidt/httprouter.(*Router).ServeHTTP
        /Users/aeneas/workspaces/go/src/github.com/ory-am/hydra/vendor/github.com/julienschmidt/httprouter/router.go:299
    github.com/ory-am/hydra/vendor/github.com/urfave/negroni.Wrap.func1
        /Users/aeneas/workspaces/go/src/github.com/ory-am/hydra/vendor/github.com/urfave/negroni/negroni.go:41
    github.com/ory-am/hydra/vendor/github.com/urfave/negroni.HandlerFunc.ServeHTTP
        /Users/aeneas/workspaces/go/src/github.com/ory-am/hydra/vendor/github.com/urfave/negroni/negroni.go:24
    github.com/ory-am/hydra/vendor/github.com/urfave/negroni.middleware.ServeHTTP
        /Users/aeneas/workspaces/go/src/github.com/ory-am/hydra/vendor/github.com/urfave/negroni/negroni.go:33
    github.com/ory-am/hydra/vendor/github.com/urfave/negroni.(middleware).ServeHTTP-fm
        /Users/aeneas/workspaces/go/src/github.com/ory-am/hydra/vendor/github.com/urfave/negroni/negroni.go:33
    net/http.HandlerFunc.ServeHTTP
        /usr/local/go/src/net/http/server.go:1726
    github.com/ory-am/hydra/cmd/server.(*Handler).rejectInsecureRequests
        /Users/aeneas/workspaces/go/src/github.com/ory-am/hydra/cmd/server/handler.go:118
    github.com/ory-am/hydra/cmd/server.(*Handler).(github.com/ory-am/hydra/cmd/server.rejectInsecureRequests)-fm
        /Users/aeneas/workspaces/go/src/github.com/ory-am/hydra/cmd/server/handler.go:41
    github.com/ory-am/hydra/vendor/github.com/urfave/negroni.HandlerFunc.ServeHTTP
        /Users/aeneas/workspaces/go/src/github.com/ory-am/hydra/vendor/github.com/urfave/negroni/negroni.go:24
    github.com/ory-am/hydra/vendor/github.com/urfave/negroni.middleware.ServeHTTP
        /Users/aeneas/workspaces/go/src/github.com/ory-am/hydra/vendor/github.com/urfave/negroni/negroni.go:33
    github.com/ory-am/hydra/vendor/github.com/urfave/negroni.(middleware).ServeHTTP-fm
        /Users/aeneas/workspaces/go/src/github.com/ory-am/hydra/vendor/github.com/urfave/negroni/negroni.go:33
    github.com/ory-am/hydra/vendor/github.com/meatballhat/negroni-logrus.(*Middleware).ServeHTTP
        /Users/aeneas/workspaces/go/src/github.com/ory-am/hydra/vendor/github.com/meatballhat/negroni-logrus/middleware.go:135
    github.com/ory-am/hydra/vendor/github.com/urfave/negroni.middleware.ServeHTTP
        /Users/aeneas/workspaces/go/src/github.com/ory-am/hydra/vendor/github.com/urfave/negroni/negroni.go:33
    github.com/ory-am/hydra/vendor/github.com/urfave/negroni.(*Negroni).ServeHTTP
        /Users/aeneas/workspaces/go/src/github.com/ory-am/hydra/vendor/github.com/urfave/negroni/negroni.go:73
    net/http.serverHandler.ServeHTTP
        /usr/local/go/src/net/http/server.go:2202
    net/http.(*conn).serve
        /usr/local/go/src/net/http/server.go:1579
    runtime.goexit
        /usr/local/go/src/runtime/asm_amd64.s:2086
    INFO[1041] completed handling request measure#web.latency=85724185 method=POST remote=127.0.0.1:55753 request=/oauth2/token status=400 text_status=Bad Request took=85.724185ms


aeneasr commented Aug 31, 2016

Please use hydra connect to enter the client credentials and avoid editing hydra.yml manually.

> 1, ".hydra.yml" contains the correct 'cluster_url', the client_id and client_secret come from rethinkdb table 'hydra_clients';

The secret is hashed in the rethinkdb table, that's why your access is denied. You must extract the client id and secret from the hydra logs as described here.

@threefoldo (Author) commented:

Thanks. I know the logs contain the client id and secret when running with docker, but I used the hydra binary, which only prints the following message:

INFO[0000] DATABASE_URL set, connecting to RethinkDB.
INFO[0000] Connecting with RethinkDB: @localhost:28015/hydra
INFO[0000] Connected to RethinkDB!
INFO[0000] Setting up http server on :4444

So, I have to look up the rethinkdb tables for the client id and secret. The client id is correct, but the secret is hashed or encrypted, so it cannot pass the check in access_request_handler.go:

    // Fragment of fosite's access_request_handler.go: the token endpoint compares the
    // stored (hashed) client secret against the secret presented in the request.
    // Enforce client authentication
    if err := f.Hasher.Compare(client.GetHashedSecret(), []byte(clientSecret)); err != nil {
        return accessRequest, errors.Wrap(ErrInvalidClient, err.Error())
    }


aeneasr commented Aug 31, 2016

> Thanks. I know the logs contain client id and secret when running with docker, but I used binary hydra which only print the following message:

It should not matter if you use hydra from source or binary. The client credentials will always be printed. It looks to me as if you are connecting to existing hydra tables in RethinkDB. On existing hydra installations (hydra checks if it already connected to your database in the past) the client is not regenerated and thus not printed to the logs.

> The client id is correct, the secret is hashed or crypted, cannot pass the check in access_request_handler.go:

Yes, the secret is being hashed, which is why you can't look it up in RethinkDB.
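
As an added illustration (not hydra's or fosite's own code), here is the client-authentication check modelled in Python: the store keeps only a hash of the client secret, the token endpoint compares the presented secret against that hash, so pasting the stored hash as the secret fails exactly like the request in the log above. Hydra uses bcrypt; this stand-in uses PBKDF2-HMAC-SHA256 from the standard library so it runs without extra packages, and the store, client ids and function names are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Stand-in for hydra's Hasher (hydra uses bcrypt; PBKDF2-HMAC-SHA256 is used here
# so the example runs with the standard library only).
ITERATIONS = 100_000


def hash_secret(secret: str) -> str:
    """Salted hash of the client secret; this is all the hydra_clients row stores."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return f"pbkdf2${salt.hex()}${digest.hex()}"


def compare(hashed_secret: str, candidate: str) -> bool:
    """Counterpart of f.Hasher.Compare(client.GetHashedSecret(), clientSecret)."""
    try:
        _, salt_hex, digest_hex = hashed_secret.split("$")
    except ValueError:
        return False  # malformed stored value never authenticates
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def create_client(store: dict) -> tuple[str, str]:
    """First startup: generate credentials, hand back the plaintext once, store the hash."""
    client_id = secrets.token_hex(8)          # constructed id; hydra uses UUIDs
    client_secret = secrets.token_urlsafe(24)  # only ever visible at creation time
    store[client_id] = {"hashed_secret": hash_secret(client_secret)}
    return client_id, client_secret


def authenticate_client(store: dict, client_id: str, client_secret: str) -> bool:
    """Token-endpoint client authentication; False maps to ErrInvalidClient (HTTP 400)."""
    client = store.get(client_id)
    if client is None:
        return False
    return compare(client["hashed_secret"], client_secret)


if __name__ == "__main__":
    clients = {}  # constructed in-memory stand-in for the hydra_clients table
    cid, secret = create_client(clients)
    print("plaintext secret accepted:", authenticate_client(clients, cid, secret))
    # What the reporter did: read the hash out of the DB and present it as the secret.
    print("stored hash accepted:", authenticate_client(clients, cid, clients[cid]["hashed_secret"]))
```

The second call is the failure seen in the issue: the value in the table is a hash, so presenting it as the secret fails the comparison, and the only way to obtain a usable secret is to capture it when the client is created.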

@threefoldo (Author) commented:

Thank you! The problem is solved. I deleted the database, and then everything worked as expected.


aeneasr commented Aug 31, 2016

Glad to hear that!

aeneasr closed this as completed Aug 31, 2016