The Wayback Machine - https://web.archive.org/web/20201001201533/https://github.com/ory/hydra/issues/2077

Docs: reference configuration provides invalid bcrypt cost and some other outdated values #2077

Open
nessita opened this issue Sep 30, 2020 · 2 comments

@nessita (Contributor) commented Sep 30, 2020

I've been following the various docs in an attempt to run Ory Hydra using the binary, and I've used the reference configuration from docs/docs/reference/configuration.md in order to speed up the setup of a basic playground.

On one hand, there seem to be a few outdated values in that reference configuration, as per the following warning messages:

{
  "audience": "application",
  "file": "/go/pkg/mod/github.com/ory/x@v0.0.144/viperx/helper.go:15",
  "func": "github.com/ory/x/viperx.d",
  "level": "warning",
  "msg": "Configuration key oidc.subject_identifiers.enabled is deprecated and will be removed in a future release. Use key oidc.subject_identifiers.supported_types instead!",
  "service_name": "",
  "service_version": "",
  "time": "2020-09-29T12:48:18Z"
}
{
  "audience": "application",
  "file": "/home/ory/driver/configuration/provider_viper.go:149",
  "func": "github.com/ory/hydra/driver/configuration.(*ViperProvider).SubjectTypesSupported",
  "level": "warning",
  "msg": "The pairwise subject identifier algorithm is not supported by the JWT OAuth 2.0 Access Token Strategy and is thus being disabled. Please remove \"pairwise\" from oidc.subject_identifiers.enable\" (e.g. oidc.subject_identifiers.enable=public) or set strategies.access_token to \"opaque\".",
  "service_name": "",
  "service_version": "",
  "time": "2020-09-29T12:48:18Z"
}

On the other hand, I got the following 500 error when invoking the create an OAuth2 client endpoint (when sending a correct POST payload):

{
  "audience": "application",
  "error": {
    "message": "crypto/bcrypt: cost 36973593 is outside allowed range (4,31)",
    "trace": "\ngithub.com/ory/hydra/client.(*SQLManager).CreateClient\n\t/home/ory/client/manager_sql.go:146\ngithub.com/ory/hydra/client.(*Handler).Create\n\t/home/ory/client/handler.go:108\ngithub.com/julienschmidt/httprouter.(*Router).ServeHTTP\n\t/go/pkg/mod/github.com/julienschmidt/httprouter@v1.3.0/router.go:387\ngithub.com/urfave/negroni.Wrap.func1\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:46\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2041\ngithub.com/ory/hydra/x.RejectInsecureRequests.func1\n\t/home/ory/x/tls_termination.go:55\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/x/metricsx.(*Service).ServeHTTP\n\t/go/pkg/mod/github.com/ory/x@v0.0.144/metricsx/middleware.go:261\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/hydra/metrics/prometheus.(*MetricsManager).ServeHTTP\n\t/home/ory/metrics/prometheus/middleware.go:26\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/x/reqlog.(*Middleware).ServeHTTP\n\t/go/pkg/mod/github.com/ory/x@v0.0.144/reqlog/middleware.go:134\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/x/tracing.(*Tracer).ServeHTTP\n\t/go/pkg/mod/github.com/ory/x@v0.0.144/tracing/middleware.go:40\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/urfave/negroni.(*Negroni).ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:96\nnet/http.serverHandler.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2836\nnet/http.(*conn).serve\n\t/usr/local/go/src/net/http/server.go:1924\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1373"
  },
  "file": "/go/pkg/mod/github.com/ory/herodot@v0.9.1/error_reporter.go:24",
  "func": "github.com/ory/herodot.DefaultErrorReporter.func1",
  "http_request": {
    "headers": {
      "accept": "application/json",
      "accept-encoding": "gzip",
      "user-agent": "Go-http-client/1.1"
    },
    "host": "localhost:53678",
    "method": "POST",
    "path": "/clients",
    "query": null,
    "remote": "127.0.0.1:51332",
    "scheme": "http"
  },
  "http_response": {
    "status_code": 500
  },
  "level": "error",
  "msg": "An error occurred while handling a request",
  "service_name": "",
  "service_version": "",
  "time": "2020-09-29T19:59:03Z"
}

While in retrospect the error is somewhat obvious, at the time of debugging I spent a non-trivial amount of time and tons of googling to realize that the offending value came from the config.yaml I was using.

Reproducing the bug

Steps to reproduce the behavior:

  1. Download the hydra binary
  2. Run with a config.yaml built from the reference documentation
  3. Invoke the clients create endpoint with a correct payload

Expected behavior

IMHO it would be a bit more useful and less error-prone to have a valid value for the bcrypt cost setting, for example using the recommended/default value of 10 as per the config comments.

Environment

  • Version: v1.7.4
  • Environment: Ubuntu running the hydra binary
@zepatrik (Member) commented Sep 30, 2020

Right, we auto-generate the page you are referring to. It is not really an example you can use, but it documents all the possible values. We should actually add more specific validation (looks like range (4,31) would do the trick) to the bcrypt values. Then the rendered values will also be valid. But for the deprecation warning, it is because the config reference documents all keys and therefore also the deprecated ones. You will be better off using the quickstart config 😉
We should put a note on the config reference to clarify this.

@zepatrik (Member) commented Sep 30, 2020

@vinckr I think it is a good task for you.

  1. Research the bcrypt values
  2. Add missing validation to https://github.com/ory/hydra/blob/master/.schema/config.schema.json
  3. Add a note to clarify the purpose of the config reference
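To make the range concrete, here is an added Go example (not Hydra's own code) that applies the same (4,31) bound at config-load time, as the validation proposed in step 2 above, and names the offending key instead of surfacing the problem as a 500 on client creation, as in the original report. The key path oauth2.hashers.bcrypt.cost and the config struct are this example's assumptions; the two sample documents are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// bcrypt cost range: cost is log2 of the key-expansion rounds, so 31 is 2^31.
// Constructed samples: the out-of-range value from the issue and the default of 10.
const (
	bcryptMinCost, bcryptMaxCost = 4, 31
	badConfig  = `{"oauth2":{"hashers":{"bcrypt":{"cost":36973593}}}}`
	goodConfig = `{"oauth2":{"hashers":{"bcrypt":{"cost":10}}}}`
)
// hydraConfig mirrors the assumed key path oauth2.hashers.bcrypt.cost;
// the struct is this example's own, not Hydra's configuration type.
type hydraConfig struct {
	OAuth2 struct {
		Hashers struct {
			Bcrypt struct {
				Cost int `json:"cost"`
			} `json:"bcrypt"`
		} `json:"hashers"`
	} `json:"oauth2"`
}
// validateBcryptCost enforces the bound crypto/bcrypt reports in the issue,
// but at config-load time and naming the offending key.
func validateBcryptCost(cost int) error {
	if cost < bcryptMinCost || cost > bcryptMaxCost {
		return fmt.Errorf("oauth2.hashers.bcrypt.cost: %d is outside allowed range (%d,%d)",
			cost, bcryptMinCost, bcryptMaxCost)
	}
	return nil
}
// loadAndValidate parses a JSON config and rejects an invalid cost before
// any client-creation request could hit the 500 seen in the issue.
func loadAndValidate(doc []byte) (int, error) {
	var cfg hydraConfig
	if err := json.Unmarshal(doc, &cfg); err != nil {
		return 0, err
	}
	cost := cfg.OAuth2.Hashers.Bcrypt.Cost
	return cost, validateBcryptCost(cost)
}

func main() {
	for _, doc := range []string{badConfig, goodConfig} {
		fmt.Println(loadAndValidate([]byte(doc)))
	}
}
```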
@aeneasr aeneasr added this to the v1.8.1 milestone Oct 1, 2020