"Could not fetch signing key for OpenID Connect" #816

Closed
nicerobot opened this issue Mar 19, 2018 · 8 comments

@nicerobot

I can't reopen #439 but this is the same problem.

I shut down the container and trying to rerun fails. The problem does indeed appear to be the SYSTEM_SECRET but it's because it's not being respected from the command-line.

$ echo $SYSTEM_SECRET 
27277

The documented command does not seem to pass that SYSTEM_SECRET.

$ docker run -d \
  --name ory-hydra-example--hydra \
  --network hydraguide \
  -p 9000:4444 \
  -e SYSTEM_SECRET=${SYSTEM_SECRET} \
  -e DATABASE_URL=${DATABASE_URL} \
  -e ISSUER=https://localhost:9000/ \
  -e CONSENT_URL=http://localhost:9020/consent \
  -e FORCE_ROOT_CLIENT_CREDENTIALS=admin:demo-password \
  oryd/hydra:v0.11.6

Notice that the logs show "Generating a random system secret..." and this happened during the first run so it's actually impossible to restart the server.

$ docker logs ory-hydra-example--hydra
time="2018-03-19T04:25:55Z" level=info msg="Connecting with postgres://*:*@localhost:5432/hydra?sslmode=disable"
time="2018-03-19T04:25:55Z" level=info msg="Connected to SQL!"
time="2018-03-19T04:25:55Z" level=warning msg="Expected system secret to be at least 32 characters long, got 4 characters."
time="2018-03-19T04:25:55Z" level=info msg="Generating a random system secret..."
time="2018-03-19T04:25:55Z" level=info msg="Generated system secret: 5CedSNF4Rdh9pUs6ZeI1kzJAZcug-mYj"
time="2018-03-19T04:25:55Z" level=warning msg="WARNING: DO NOT generate system secrets in production. The secret will be leaked to the logs."
Could not fetch signing key for OpenID Connect - did you forget to run "hydra migrate sql" or forget to set the SYSTEM_SECRET? Got error: unexpected end of JSON input

If I delete the tables and run migrate again, it works again, though the secret is still randomly generated.

@aeneasr
Member

aeneasr commented Mar 19, 2018 via email

@nicerobot
Author

How about hashing whatever is provided by the user instead of generating a random one so that at least if the user provides one, it'll always be the same?

@aeneasr
Member

aeneasr commented Mar 19, 2018

Hashing a password does not make it secure. Why should we encourage behaviour that compromises security?

@nicerobot
Author

nicerobot commented Mar 19, 2018

How is simply requiring a 32 character string secure? I could just do:

export SYSTEM_SECRET=01234567890123456789012345678901

A hashed 32-character password is as good as any 32-character password and far better than a pattern-based 32-character password like I provided above. Someone attempting to crack the hashed 32-character password won't know to try hashes of shorter passwords.

Also, FYI, when someone is testing out a tutorial, many times they jump straight to the code and only skim the details.
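Added example, not from this issue or from ORY Hydra itself: a POSIX shell pre-flight check to run before the docker run command from the first post. It covers both failure modes discussed above: a secret shorter than 32 characters (which makes Hydra generate, and log, a random one that a restart cannot reproduce) and a patterned 32-character secret like the one quoted. The distinct-character threshold is an assumed heuristic, and the secret file path is hypothetical.

```shell
#!/bin/sh
# Pre-flight check for SYSTEM_SECRET before starting the Hydra container.
# Added example; not part of the issue thread or of ORY Hydra.

MIN_SECRET_LEN=32   # minimum Hydra logs a warning about (see log line above)
MIN_DISTINCT=12     # assumed heuristic: fewer distinct characters = patterned

# Returns 0 if the secret is acceptable, 1 otherwise (reason goes to stderr).
check_system_secret() {
    secret=$1
    len=$(printf '%s' "$secret" | wc -c | tr -d ' ')
    if [ "$len" -lt "$MIN_SECRET_LEN" ]; then
        echo "SYSTEM_SECRET is $len chars; need at least $MIN_SECRET_LEN" >&2
        return 1
    fi
    # One character per line, unique, counted: a crude pattern detector that
    # rejects strings such as 01234567890123456789012345678901 (10 distinct).
    distinct=$(printf '%s' "$secret" | fold -w1 | sort -u | wc -l | tr -d ' ')
    if [ "$distinct" -lt "$MIN_DISTINCT" ]; then
        echo "SYSTEM_SECRET has only $distinct distinct chars; looks patterned" >&2
        return 1
    fi
    return 0
}

# Generates a 48-character hex secret from /dev/urandom the first time, stores
# it in a 0600 file, and prints it on every call, so each restart of the
# container reuses the same value instead of letting Hydra generate a new one.
ensure_system_secret() {
    file=$1
    if [ ! -s "$file" ]; then
        ( umask 077; head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$file" )
    fi
    cat "$file"
}

# Usage (hypothetical path):
#   SYSTEM_SECRET=$(ensure_system_secret "$HOME/.hydra-system-secret")
#   check_system_secret "$SYSTEM_SECRET" || exit 1
#   docker run ... -e SYSTEM_SECRET="$SYSTEM_SECRET" ... oryd/hydra:v0.11.6
```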

@aeneasr
Member

aeneasr commented Mar 19, 2018

Please read https://en.wikipedia.org/wiki/Password_strength#Guidelines_for_strong_passwords

Someone attempting to crack the hashed 32-character password won't know to try hashes of shorter passwords.

Of course, the technology is open source.

@aeneasr
Member

aeneasr commented Mar 19, 2018

In any case, I think your question has been answered. To avoid the error, please use a password of 32 characters.

We will not change the way passwords are used in hydra because besides painful breaking changes we're applying best practice cryptography and there is little reason to allow shorter passwords.

@aeneasr aeneasr closed this as completed Mar 19, 2018
@nicerobot
Author

I'm well aware of security concerns with and comparisons of hashes. My point is that in a tutorial, it's not critical and user experience should matter.

@aeneasr
Member

aeneasr commented Mar 19, 2018

In that context, it makes way more sense! We could probably die if the secret is too short. This should avoid confusion when starting with the software and is now tracked as #817. Thank you for your suggestion!
