labbsr0x / whisper

A cloud-native Identity and OAuth Provider implemented with Golang and ORY Hydra
MIT License

Update Hydra's environment variables #53

Closed eabili0 closed 4 years ago

eabili0 commented 4 years ago

We are using deprecated envs for Hydra. We should update them to the newest configuration format. See https://www.ory.sh/docs/hydra/configuration

claudiosegala commented 4 years ago

@abilioesteves I found these warnings on hydra logs:

time="2019-11-21T19:02:46Z" level=warning msg="Configuration key OIDC_SUBJECT_TYPES_SUPPORTED is deprecated and will be removed in a future release. Use key oidc.subject_identifiers.enabled instead!"
time="2019-11-21T19:02:46Z" level=warning msg="Configuration key OIDC_SUBJECT_TYPE_PAIRWISE_SALT is deprecated and will be removed in a future release. Use key oidc.subject_identifiers.pairwise.salt instead!"
time="2019-11-21T19:02:46Z" level=warning msg="Configuration key OAUTH2_ISSUER_URL is deprecated and will be removed in a future release. Use key urls.self.issuer instead!"
time="2019-11-21T19:02:46Z" level=warning msg="Configuration key OAUTH2_SHARE_ERROR_DEBUG is deprecated and will be removed in a future release. Use key oauth2.expose_internal_errors instead!"
time="2019-11-21T19:02:49Z" level=warning msg="Configuration key SYSTEM_SECRET is deprecated and will be removed in a future release. Use key secrets.system instead!"
time="2019-11-21T19:02:53Z" level=warning msg="Configuration key CORS_ENABLED is deprecated and will be removed in a future release. Use key serve.public.cors.enabled instead!"
time="2019-11-21T19:02:57Z" level=warning msg="Configuration key CORS_ENABLED is deprecated and will be removed in a future release. Use key serve.admin.cors.enabled instead!"
time="2019-11-21T19:02:53Z" level=warning msg="Configuration key CORS_ALLOWED_METHODS is deprecated and will be removed in a future release. Use key serve.public.cors.allowed_methods instead!"
time="2019-11-21T19:02:57Z" level=warning msg="Configuration key CORS_ALLOWED_METHODS is deprecated and will be removed in a future release. Use key serve.admin.cors.allowed_methods instead!"
time="2019-11-21T19:03:21Z" level=warning msg="Configuration key OAUTH2_LOGIN_URL is deprecated and will be removed in a future release. Use key urls.login instead!"
time="2019-11-21T19:04:14Z" level=warning msg="Configuration key OAUTH2_CONSENT_URL is deprecated and will be removed in a future release. Use key urls.consent instead!"
time="2019-11-21T19:03:05Z" level=warning msg="A client requested the default error URL, environment variable OAUTH2_ERROR_URL is probably not set."
time="2019-11-21T19:02:53Z" level=warning msg="JSON Web Key Set \"hydra.https-tls\" does not exist yet, generating new key pair..."
time="2019-11-21T19:02:46Z" level=warning msg="JSON Web Key Set \"hydra.openid.id-token\" does not exist yet, generating new key pair..."
time="2019-11-21T19:02:49Z" level=warning msg="JSON Web Key Set \"hydra.jwt.access-token\" does not exist yet, generating new key pair..."
time="2019-11-21T19:02:57Z" level=warning msg="HTTPS disabled. Never do this in production."

Of those, only these are deprecated:

time="2019-11-21T19:02:46Z" level=warning msg="Configuration key OIDC_SUBJECT_TYPES_SUPPORTED is deprecated and will be removed in a future release. Use key oidc.subject_identifiers.enabled instead!"
time="2019-11-21T19:02:46Z" level=warning msg="Configuration key OIDC_SUBJECT_TYPE_PAIRWISE_SALT is deprecated and will be removed in a future release. Use key oidc.subject_identifiers.pairwise.salt instead!"
time="2019-11-21T19:02:46Z" level=warning msg="Configuration key OAUTH2_ISSUER_URL is deprecated and will be removed in a future release. Use key urls.self.issuer instead!"
time="2019-11-21T19:02:46Z" level=warning msg="Configuration key OAUTH2_SHARE_ERROR_DEBUG is deprecated and will be removed in a future release. Use key oauth2.expose_internal_errors instead!"
time="2019-11-21T19:02:49Z" level=warning msg="Configuration key SYSTEM_SECRET is deprecated and will be removed in a future release. Use key secrets.system instead!"
time="2019-11-21T19:02:53Z" level=warning msg="Configuration key CORS_ENABLED is deprecated and will be removed in a future release. Use key serve.public.cors.enabled instead!"
time="2019-11-21T19:02:57Z" level=warning msg="Configuration key CORS_ENABLED is deprecated and will be removed in a future release. Use key serve.admin.cors.enabled instead!"
time="2019-11-21T19:02:53Z" level=warning msg="Configuration key CORS_ALLOWED_METHODS is deprecated and will be removed in a future release. Use key serve.public.cors.allowed_methods instead!"
time="2019-11-21T19:02:57Z" level=warning msg="Configuration key CORS_ALLOWED_METHODS is deprecated and will be removed in a future release. Use key serve.admin.cors.allowed_methods instead!"
time="2019-11-21T19:03:21Z" level=warning msg="Configuration key OAUTH2_LOGIN_URL is deprecated and will be removed in a future release. Use key urls.login instead!"
time="2019-11-21T19:04:14Z" level=warning msg="Configuration key OAUTH2_CONSENT_URL is deprecated and will be removed in a future release. Use key urls.consent instead!"

Reducing the messages, we get:

OIDC_SUBJECT_TYPES_SUPPORTED -> oidc.subject_identifiers.enabled
OIDC_SUBJECT_TYPE_PAIRWISE_SALT -> oidc.subject_identifiers.pairwise.salt
OAUTH2_ISSUER_URL -> urls.self.issuer
OAUTH2_SHARE_ERROR_DEBUG -> oauth2.expose_internal_errors
SYSTEM_SECRET -> secrets.system
CORS_ENABLED -> serve.public.cors.enabled
CORS_ENABLED -> serve.admin.cors.enabled
CORS_ALLOWED_METHODS -> serve.public.cors.allowed_methods
CORS_ALLOWED_METHODS -> serve.admin.cors.allowed_methods
OAUTH2_LOGIN_URL -> urls.login
OAUTH2_CONSENT_URL -> urls.consent

And transforming them in the way defined in the ORY Documentation - Configuration, which says:

# Assuming the following configuration layout:
#
# serve:
#   public:
#     port: 4444
#     something_else: foobar
#
# Key `something_else` can be set as an environment variable by uppercasing its path:
#   `serve.public.port.something_else` -> `SERVE.PUBLIC.PORT.SOMETHING_ELSE`
# and replacing `.` with `_`:
#   `serve.public.port.something_else` -> `SERVE_PUBLIC_PORT_SOMETHING_ELSE`

We get:

OIDC_SUBJECT_TYPES_SUPPORTED -> OIDC_SUBJECT_IDENTIFIERS_ENABLED
OIDC_SUBJECT_TYPE_PAIRWISE_SALT -> OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT
OAUTH2_ISSUER_URL -> URLS_SELF_ISSUER
OAUTH2_SHARE_ERROR_DEBUG -> OAUTH2_EXPOSE_INTERNAL_ERRORS
SYSTEM_SECRET -> SECRETS_SYSTEM
CORS_ENABLED -> SERVE_PUBLIC_CORS_ENABLED
CORS_ENABLED -> SERVE_ADMIN_CORS_ENABLED
CORS_ALLOWED_METHODS -> SERVE_PUBLIC_CORS_ALLOWED_METHODS
CORS_ALLOWED_METHODS -> SERVE_ADMIN_CORS_ALLOWED_METHODS
OAUTH2_LOGIN_URL -> URLS_LOGIN
OAUTH2_CONSENT_URL -> URLS_CONSENT

Which are the changes proposed on the following PR together with some refactoring. All the deprecation warnings are now gone in logs.
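
Added example, not part of the comment above and not code from whisper or Hydra: a Go program that does the same reduction mechanically, extracting each deprecated key and its replacement from Hydra's warning lines and applying the uppercase and `.` to `_` rule quoted from the ORY documentation. The names `Rename`, `Renames`, `envName` and `sampleLogs` are assumptions made for this example; the sample lines are copied from the log excerpt in the thread, with the first repeated to exercise de-duplication.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// deprecationRe matches Hydra's deprecation warning and captures the old and new key.
var deprecationRe = regexp.MustCompile(`Configuration key (\S+) is deprecated and will be removed in a future release\. Use key (\S+) instead!`)

// Rename pairs a deprecated environment variable with its replacement variable.
type Rename struct{ Old, New string }

// envName applies the documented rule: uppercase the config path, replace "." with "_".
func envName(key string) string {
	return strings.ReplaceAll(strings.ToUpper(key), ".", "_")
}

// Renames returns each distinct old -> new pair found in the log text, in first-seen order.
func Renames(logs string) []Rename {
	seen := map[Rename]bool{}
	var out []Rename
	for _, line := range strings.Split(logs, "\n") {
		m := deprecationRe.FindStringSubmatch(line)
		if m == nil {
			continue // other warnings (HTTPS disabled, missing JWKS) are not renames
		}
		r := Rename{Old: m[1], New: envName(m[2])}
		if !seen[r] {
			seen[r] = true
			out = append(out, r)
		}
	}
	return out
}

// sampleLogs holds lines from the thread's log excerpt; the last repeats the first.
const sampleLogs = `time="2019-11-21T19:02:49Z" level=warning msg="Configuration key SYSTEM_SECRET is deprecated and will be removed in a future release. Use key secrets.system instead!"
time="2019-11-21T19:02:53Z" level=warning msg="Configuration key CORS_ENABLED is deprecated and will be removed in a future release. Use key serve.public.cors.enabled instead!"
time="2019-11-21T19:02:57Z" level=warning msg="HTTPS disabled. Never do this in production."
time="2019-11-21T19:02:57Z" level=warning msg="Configuration key CORS_ENABLED is deprecated and will be removed in a future release. Use key serve.admin.cors.enabled instead!"
time="2019-11-21T19:02:49Z" level=warning msg="Configuration key SYSTEM_SECRET is deprecated and will be removed in a future release. Use key secrets.system instead!"`

func main() {
	for _, r := range Renames(sampleLogs) {
		fmt.Printf("%s -> %s\n", r.Old, r.New)
	}
}
```

De-duplication is on the (old, new) pair rather than the old key alone, because a single deprecated variable such as `CORS_ENABLED` fans out to separate public and admin settings and both must be set after migrating.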