Challenge claims redirect http instead of https

[ahillman3]

I'm trying to create an OAuth2 process flow using hydra as my OAuth2 server. I have it setup within Kubernetes running in Amazon, wth http.

I have added an SSL certificate to the load balancer, and added a DNS entry to Route53 to provide a public FQDN matching the certificate.

I don't see any issues with invalid certificate errors, but when I ask for a challenge response the redirect value in the claim has http instead of https.

This makes completing the process flow difficult, as redirects don't work.

Any ideas, or more info needed?

[aeneasr]

Definitely more info needed. What docker image are you running, what environment variables are set (don't include secrets)?

[ahillman3]

My docker image is built from the most recent code as of yesterday.
Environment variables:
SYSTEM_SECRET: ******
DATABASE_URL: mysql://:@tcp(xxx.xxx.xxx.xxx:3306)/hydra?parseTime=true
FORCE_ROOT_CLIENT_CREDENTIALS: :
AUTHORIZE_CODE_LIFESPAN: 10m
AUTH_CODE_LIFESPAN: 10m
ID_TOKEN_LIFESPAN:8760h
ACCESS_TOKEN_LIFESPAN: 8760h
CHALLENGE_TOKEN_LIFESPAN: 10m
CONSENT_URL: https://ad6c1aff82f3411e7899506d9bf1932f-844480084.us-west-2.elb.amazonaws.com:8081/consent
PROFILING: cpu

The consent url is not currently working, but I'm not having a problem with that.

[aeneasr]

Which docker image are you using exactly? There are multiple flavors!

[aeneasr]

Oh I misread, seems like you're building it yourself. Which docker image are you using?

[ahillman3]

Ahh.

Docker-http

[aeneasr]

Ok, that one has https disabled, use the normal one for https - does that answer your question?

[ahillman3]

Will that still work if I have it running without https in kubernetes? I like having the certificate outside kubernetes.

[aeneasr]

Have you seen the TLS termination option? If not, check out hydra help host and look under the "HTTPS CONTROLS" section. That should be what you're looking for

[ahillman3]

I'll look. Thanks.

[aeneasr]

otherwise you could probably also issue a certificate from the platform you're using for hydra, use that in hydra and serve regular https. that usually works too for e.g. AWS ELB - should also work on GCP

[ahillman3]

I'll look into that as well.

[aeneasr]

also head over to our community channel on gitter (link in readme), the community is really helpful and has dealt with this as well :)

closing this issue, if you feel there's a bug or something please reopen or create a new issue

[ahillman3]

Thanks.