
Trying the Device Flow

Nikos Sklikas edited this page Apr 11, 2024 · 1 revision

This document is a tutorial for setting up hydra and trying out the device flow using skaffold or docker-compose.

Setup

To run the device flow we are going to use a dummy client found at https://github.com/canonical/hydra-rock/tree/IAM-597/hack/flow-test. We are going to use Kratos as an identity broker and GitHub as our identity provider.

First of all we need to register a GitHub OAuth application. To do this you need to:

  1. Go to https://github.com/settings/applications/new. The application name and homepage URL do not matter, but the Authorization callback URL must be exactly https://iam.internal:8443/self-service/methods/oidc/callback/github if using skaffold; GitHub refuses the login if the redirect URI that Kratos sends does not match it
  2. Generate a client secret
  3. Save your client_id and client_secret so that you can use them later (GitHub shows the secret only once)

Skaffold

Prerequisites

You will need to have [skaffold](https://skaffold.dev/docs/install/#standalone-binary), helm, rockcraft and microk8s installed.

Enable the microk8s registry:

microk8s enable registry

Configure kubectl:

# ensure kubectl is configured to use microk8s (this overwrites any existing $HOME/.kube/config, so back it up first if you use other clusters)
microk8s.kubectl config view --raw > $HOME/.kube/config
# Alias kubectl so that it can be used by Skaffold
snap alias microk8s.kubectl kubectl

Deployment

In order to deploy using skaffold you will need to fetch the IAM-597 branch from the hydra-rock repo:

git clone -b IAM-597 git@github.com:canonical/hydra-rock.git

Then update hack/helm/kratos.yaml with the client_id and client_secret you created in the previous step (see https://github.com/canonical/hydra-rock/blob/IAM-597/hack/helm/kratos.yaml#L64). Once that file holds the GitHub client secret, treat it as a secret: do not commit it, and revoke the secret in the GitHub application settings when you are done.

To make networking and the certs work (the ingress serves iam.internal, and the callback URL registered with GitHub points at it), add this line to your /etc/hosts:

127.0.0.1	iam.internal

Now you can run make dev from the hydra-rock repo root folder. This deploys hydra, kratos, postgres and the login UI, and then performs the device flow. To make the flow easier to run, we suggest that you trust the TLS certificates used by the ingress, so that both the flow-test client and your browser can verify https://iam.internal:8443. To do this you need to:

  1. run `kubectl get secret -o yaml iam-tls | yq '.data'`; the values are base64-encoded, so decode them (for example with base64 -d) before saving them
  2. save the decoded ca.crt and tls.crt into /usr/local/share/ca-certificates/ with a .crt extension (update-ca-certificates only picks up files with that extension)
  3. run update-ca-certificates as root

Keep in mind that this adds a development CA to your system trust store: remove the files and run update-ca-certificates again when you are done.

On your terminal you should see instructions to perform the device flow (a verification URL to open and a user code to enter there).

Once you have completed the browser flow (by logging in with GitHub) you should be able to see the generated tokens on your terminal.
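The exchange that the flow-test client and Hydra perform above, as an added example that is not part of this page or of the hydra-rock flow-test: a self-contained Python model of both sides of the OAuth 2.0 device authorization grant (RFC 8628), the authorization server and the polling client, driven by a fake clock so that the polling, the slow_down back-off, a denied login and an expired code can all be stepped through offline. The endpoint paths under https://iam.internal:8443, the client_id flow-test and the scope string are assumptions of the example, not values taken from the hydra-rock deployment.

```python
"""In-memory model of both sides of the OAuth 2.0 device authorization grant (RFC 8628),
so the exchange the tutorial runs against Hydra can be stepped through offline.
Endpoint paths under https://iam.internal:8443 and the client_id are assumptions of this example."""
import secrets
from dataclasses import dataclass

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # RFC 8628 6.1: avoid visually ambiguous characters


@dataclass
class DeviceGrant:
    client_id: str
    scope: str
    user_code: str
    expires_at: float
    last_poll: float = 0.0
    decision: str = ""  # "", "approved" or "denied"
    redeemed: bool = False


class DeviceAuthorizationServer:
    """Authorization-server side (Hydra's role): issue codes, record the user's decision, answer polls."""

    def __init__(self, clock, issuer="https://iam.internal:8443", interval=5, lifetime=600):
        self.clock, self.issuer, self.interval, self.lifetime = clock, issuer, interval, lifetime
        self._grants = {}  # device_code -> DeviceGrant

    def device_authorization(self, client_id, scope):
        """POST <issuer>/oauth2/device/auth (path assumed): start a grant for this client."""
        device_code = secrets.token_urlsafe(32)  # high entropy; never shown to the user
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        user_code = f"{raw[:4]}-{raw[4:]}"  # short enough to type into the browser
        self._grants[device_code] = DeviceGrant(client_id, scope, user_code, self.clock() + self.lifetime)
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": f"{self.issuer}/oauth2/device/verify",
                "verification_uri_complete": f"{self.issuer}/oauth2/device/verify?user_code={user_code}",
                "expires_in": self.lifetime, "interval": self.interval}

    def decide(self, user_code, approve):
        """Where the browser login (GitHub via Kratos here) ends: the user accepts or rejects the code."""
        grant = next(g for g in self._grants.values() if g.user_code == user_code.strip().upper())
        grant.decision = "approved" if approve else "denied"

    def token(self, client_id, device_code):
        """POST <issuer>/oauth2/token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        grant = self._grants.get(device_code)
        if grant is None or grant.client_id != client_id or grant.redeemed:
            return 400, {"error": "invalid_grant"}  # unknown code, wrong client, or already redeemed
        now = self.clock()
        if now > grant.expires_at:
            return 400, {"error": "expired_token"}
        if now - grant.last_poll < self.interval:
            grant.last_poll = now
            return 400, {"error": "slow_down"}  # the client polled faster than `interval`
        grant.last_poll = now
        if grant.decision == "denied":
            return 400, {"error": "access_denied"}
        if grant.decision != "approved":
            return 400, {"error": "authorization_pending"}
        grant.redeemed = True  # a device_code is single use
        return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
                     "expires_in": 3600, "scope": grant.scope}


def run_device_flow(server, client_id, scope, clock, sleep, prompt):
    """Client side (the flow-test's role): get codes, show them, poll until a token, a denial or expiry."""
    auth = server.device_authorization(client_id, scope)
    prompt(auth)  # a real client prints verification_uri_complete and user_code here
    interval, deadline = auth["interval"], clock() + auth["expires_in"]
    while clock() < deadline:
        sleep(interval)  # never poll before the interval has elapsed
        status, body = server.token(client_id, auth["device_code"])
        if status == 200:
            return body
        if body["error"] == "slow_down":
            interval += 5  # RFC 8628 3.5: back off by five seconds
        elif body["error"] != "authorization_pending":
            raise RuntimeError(f"device flow failed: {body['error']}")
    raise RuntimeError("device flow failed: expired_token")


def simulate(approve_after_polls=2, deny=False):
    """Drive one complete exchange with a fake clock; the 'user' decides during the Nth wait."""
    now = [1_000_000.0]  # fake clock so the run is instant and offline
    server = DeviceAuthorizationServer(clock=lambda: now[0])
    shown, polls = {}, [0]

    def sleep(seconds):
        now[0] += seconds
        polls[0] += 1
        if polls[0] == approve_after_polls:
            server.decide(shown["user_code"], approve=not deny)

    try:  # client_id and scope are hypothetical values for this example
        return run_device_flow(server, "flow-test", "openid offline", lambda: now[0], sleep, shown.update)
    except RuntimeError as exc:
        return str(exc)
```

simulate() returns the token response a successful run ends with (the counterpart of the tokens the tutorial's terminal shows), and the error string for the denied and expired paths. The two checks worth carrying into a real client are the ones the loop enforces: never poll before interval has elapsed, and add five seconds to it on slow_down. On the server side the device_code is single use and bound to the client_id that requested it, which is why a second redemption, or a redemption by another client, is refused with invalid_grant.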
