ory / kratos


Email not in userinfo via Hydra Oauth2/OpenID integration #3060

Closed elliottneilclark closed 1 year ago

elliottneilclark commented 1 year ago

Describe the bug

On Kubernetes I've set up Kratos and Hydra.

Kratos is there for login. It is configured with an external UI, and oauth2_provider.url is the internal URL of Hydra's public service. Hydra is there for OAuth with disparate installed services. It's installed with urls.login being the Kratos self-service login URL. Consent is our own consent URL. Kratos login and registration work well. I can register and verify email addresses.

I then added Grafana to the Kubernetes cluster. Grafana needs an email address from OAuth. Grafana has its own Hydra OAuth client with scopes and grantTypes (scope: openid profile email offline_access, grantTypes: authorization_code refresh_token implicit). That didn't work. Grafana errors out 500 when trying to get the email. The OAuth login flow works correctly (grafana -> kratos self -> login UI -> login UI -> kratos -> grafana all works), as I can see:

logger=oauth.generic_oauth t=2023-01-30T23:21:40.228672567Z level=debug msg="Received id_token" 
raw_json="{\"amr\":[\"code_recovery\",\"password\"],\"at_hash\":\"obQC0kGn5MMUmWmeTPZl8g\",\"aud\":[\"e48376be-ae4a-49b5-92b5-d5bcce51a62c\"],\"auth_time\":1675115278,\"exp\":1675124500,\"iat\":1675120900,\"iss\":\"http://hydra.core.172.18.128.1.ip.batteriesincl.com\",\"jti\":\"3f868958-af54-4d1f-a098-599ab1a1abf8\",\"rat\":1675120899,\"sid\":\"24d776d8-153c-456b-b511-8d9d775c41c7\",\"sub\":\"e973241a-96ba-4f3a-a380-4ebb89ff551b\"}" 
data="Name: , Displayname: , Login: , Username: , Email: , Upn: , Attributes: map[]"

Some parts of the OpenID integration must be working because amr contains information from Hydra about what login methods are enabled. However, the token is opaque, so Grafana needs to use the OpenID. It then goes to /userinfo. Nothing in /userinfo contains the email. So Grafana tries /userinfo/emails, which 404s, presumably expectedly.

I would have expected that the Hydra OAuth2 integration meant that either the email is in sub or another response field. In other words, I would have expected that Hydra's OpenID endpoint had all the email information.

Reproducing the bug

Relevant log output

logger=oauth.generic_oauth t=2023-01-30T23:21:40.230520371Z level=debug msg="HTTP GET" url=http://ory-hydra-public:4444/userinfo status="200 OK" response_body="{\"amr\":[\"code_recovery\",\"password\"],\"aud\":[\"e48376be-ae4a-49b5-92b5-d5bcce51a62c\"],\"auth_time\":1675115278,\"iat\":1675120900,\"iss\":\"<<URL>>\",\"rat\":1675120899,\"sub\":\"e973241a-96ba-4f3a-a380-4ebb89ff551b\"}\n"
logger=oauth.generic_oauth t=2023-01-30T23:21:40.230568772Z level=debug msg="Received user info response from API" raw_json="{\"amr\":[\"code_recovery\",\"password\"],\"aud\":[\"e48376be-ae4a-49b5-92b5-d5bcce51a62c\"],\"auth_time\":1675115278,\"iat\":1675120900,\"iss\":\"<<URL>>\",\"rat\":1675120899,\"sub\":\"e973241a-96ba-4f3a-a380-4ebb89ff551b\"}\n" data="Name: , Displayname: , Login: , Username: , Email: , Upn: , Attributes: map[]"

Relevant configuration

No response

Version

docker.io/oryd/hydra:v2.0.3 docker.io/oryd/kratos:v0.11.1

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes

Additional Context

No response

aeneasr commented 1 year ago

This is part of your consent app; the Ory Hydra integration does not solve this, it can only tell Ory Hydra that the user authenticated. What data you provide as part of consent is not the concern of Ory Kratos.
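As an added illustration of the consent-app side described above (example code, not Ory's and not the reporter's): a minimal consent handler that looks up the Kratos identity behind the Hydra subject and releases its email, gated by the scopes the client requested, into Hydra's consent session so the claim shows up in the ID token and in /userinfo. It assumes hypothetical in-cluster admin hostnames, the default identity schema's `email`/`name` traits, and that the Hydra subject is the Kratos identity ID (the UUID `sub` in the logs above is consistent with that).

```python
import json
import urllib.request

# Assumed in-cluster admin endpoints (hypothetical names; adjust to your deployment).
HYDRA_ADMIN = "http://ory-hydra-admin:4445"
KRATOS_ADMIN = "http://ory-kratos-admin:4434"
# Identity traits each OIDC scope may release. Unlisted scopes release nothing, so a
# client granted only "openid" still gets just `sub` from /userinfo, as in the issue.
SCOPE_CLAIMS = {"email": ("email",), "profile": ("name",)}


def build_consent_acceptance(consent_request, identity):
    """Body for PUT /admin/oauth2/auth/requests/consent/accept. Claims placed under
    session.id_token end up in the ID token and in /userinfo; claims under
    session.access_token are only visible through token introspection."""
    requested = consent_request.get("requested_scope", [])
    traits = identity.get("traits") or {}
    id_token = {}
    for scope in requested:
        for trait in SCOPE_CLAIMS.get(scope, ()):
            if trait in traits:
                id_token[trait] = traits[trait]
    if "email" in id_token:
        # Mirror Kratos' verification state into the standard email_verified claim.
        id_token["email_verified"] = any(
            a.get("value") == id_token["email"] and bool(a.get("verified"))
            for a in identity.get("verifiable_addresses") or [])
    return {
        "grant_scope": requested,
        "grant_access_token_audience": consent_request.get("requested_access_token_audience", []),
        "session": {"id_token": id_token},
    }


def _call(method, url, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def handle_consent(consent_challenge):
    """Fetch the consent request, load the Kratos identity (the Hydra subject is the
    Kratos identity ID), accept the request and return the URL Hydra redirects to."""
    base = f"{HYDRA_ADMIN}/admin/oauth2/auth/requests/consent"
    consent = _call("GET", f"{base}?consent_challenge={consent_challenge}")
    identity = _call("GET", f"{KRATOS_ADMIN}/admin/identities/{consent['subject']}")
    body = build_consent_acceptance(consent, identity)
    return _call("PUT", f"{base}/accept?consent_challenge={consent_challenge}", body)["redirect_to"]
```

Releasing only what the requested scopes cover keeps the consent app from leaking traits to clients that never asked for them; a client registered without the `email` scope, as opposed to the Grafana client in the issue, still gets nothing but `sub`.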

elliottneilclark commented 1 year ago

@aeneasr Thanks for the response. I did indeed find that I could send things along in the consent. However, I have a couple of issues with that:

Ultimately we integrated our SaaS with Ory Hydra and Kratos but had to switch to Keycloak since there were a number of open-source projects that expected data in OpenID endpoints.