search

ory / hydra

The most scalable and customizable OpenID Certified™ OpenID Connect and OAuth Provider on the market. Become an OpenID Connect and OAuth2 Provider over night. Broad support for related RFCs. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=hydra
Apache License 2.0
15.58k stars 1.49k forks source link

Do not redirect to https in `--dev` mode in V2 #3413

Open rauanmayemir opened 1 year ago

rauanmayemir commented 1 year ago

Preflight checklist

Describe the bug

After upgrading to V2, there is no longer a --dangerous-force-http option. --dev mode allows inbound http request, but internally redirects to https.

First of all, http is not 'dangerous' as the defunct option suggested. Forcing everyone to deal with TLS inside the workload when people could have varying setups is overreaching.

Hydra should not redirect to https at least because it is usually operated internally without exposing it to public. So TLS is terminated at the gateway level and the traffic inside the cluster is not encrypted.

Even if I use mTLS for internal traffic, it could still be handled by other tools, e.g istio will encrypt on the transport level but then still terminate mTLS on the sidecar, so that way the workload never has to bother and deal with certificates, keys, etc.

Bonus point: internal endpoints can only use self-signed certificates, but oathkeeper will not be able to call such endpoints because it doesn't support self-signed and will fail to process requests.

Reproducing the bug

  1. Run hydra V2 container with --dev option
  2. Try calling an endpoint as HTTP.
  3. Receive 307 redirect to HTTPS.

Relevant log output

No response

Relevant configuration

No response

Version

2.0.3

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes

Additional Context

No response

rauanmayemir commented 1 year ago

IIUC, there was a decent resolution where a server accepted HTTP traffic, BUT only if it had an inbound X-Forwarded-Proto: https header. This signaled the workload is behind proxy and https is in-place.

rauanmayemir commented 1 year ago

Turns out hydra redirected to HTTPS not because it didn't like HTTP, but because it wanted /admin/oauth2/introspect instead of /oauth2/introspect (not seeing the endpoint part in the logs even in debug mode is what made it all confusing). #3339 is essentially the same issue.

I would still like to state that the DX of this change made it worse. My endpoint is already a hydra-admin that runs on a separate port than public, introducing the change now was not necessary unless the ports were unified into a single endpoint.