oathkeeper beta8 builds on older hydra SDK #101

Closed
fredbi opened this issue Aug 10, 2018 · 6 comments
Contributor

fredbi commented Aug 10, 2018

oathkeeper tag beta8 is not compatible with hydra beta 8.

In particular, this build uses pre-beta8 hydra SDK client, and is not able to distinguish AdminURL from PublicURL.

When running from docker images beta8 (hydra & oathkeeper), I am unable to have oathkeeper use a setup with admin and public running on separate ports.

Member

aeneasr commented Aug 10, 2018

Nice catch. There is a workaround though - as you don't need an access token to perform token introspection any more, it should be possible to omit those values and set the hydra_url to the admin port. Let me know if it works. This will be fixed anyways though!

aeneasr self-assigned this Aug 10, 2018
aeneasr added the "bug" (Something is not working.) label Aug 10, 2018
Member

aeneasr commented Aug 10, 2018

ps: And feel free to PR!

Contributor Author

fredbi commented Aug 10, 2018

PRs will abound, friend, but not before 15 days or so. Right now, I am getting it to work all together.

Yes, I found out too that I should set the (deprecated) var HYDRA_URL to the admin port.
Here is the full config (assuming public on port 4444 and admin on 4445):

    - CREDENTIALS_ISSUER_ID_TOKEN_ALGORITHM=ORY-HYDRA
    - CREDENTIALS_ISSUER_ID_TOKEN_HYDRA_CLIENT_ID=******************************
    - CREDENTIALS_ISSUER_ID_TOKEN_HYDRA_CLIENT_SECRET=***************************** 
    - CREDENTIALS_ISSUER_ID_TOKEN_HYDRA_CLIENT_SCOPES=openid email profile
    - CREDENTIALS_ISSUER_ID_TOKEN_HYDRA_URL=https://hydra.mycorp-test.com:4445/
    - CREDENTIALS_ISSUER_ID_TOKEN_HYDRA_JWK_SET_ID=oathkeeper:id-token
    - HYDRA_URL=https://hydra.mycorp-test.com:4445

It does not work at all. When retrieving the keys, the proxy fails:

    oathkeeper-proxy| time="2018-08-10T19:42:14Z" level=error msg="Unable to refresh keys for signing ID Token, 'id_token' credentials issuer will not work." error="Get https://hydra.mycorp-test.com:4445/keys/oathkeeper:id-token: oauth2: cannot fetch token: 404 Not Found\nResponse: 404 page not found\n" retry=4

However, querying keys independently works:

    curl \
        --location \
        --header 'ContentType: application/json' \
        --capath ./certs/mycorp-test.com/ca \
        --get https://hydra.mycorp-test.com:4445/keys/oathkeeper:id-token
    ...
    {
      "keys": [
        {
          "kty": "RSA",
          "kid": "private:ee0637f0-1530-4eb5-9d97-67ee9683813a",
          "alg": "RS256",
          "n": "****"
    ...

Member

aeneasr commented Aug 10, 2018

Omit CREDENTIALS_ISSUER_ID_TOKEN_HYDRA_CLIENT_ID, CREDENTIALS_ISSUER_ID_TOKEN_HYDRA_CLIENT_SECRET, and CREDENTIALS_ISSUER_ID_TOKEN_HYDRA_CLIENT_SCOPES

Contributor Author

fredbi commented Aug 10, 2018

OK, at least it starts now, thanks.
I am continuing testing beta8 on the full setup I made with beta6.

Member

aeneasr commented Aug 10, 2018

Thanks! Let me know of any other difficulties. Upgrading to beta.8 SDK should solve this, but it should also be better documented that these values are not required usually.
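
The workaround from this thread as a pre-start check, added here as an example (not oathkeeper's code and not written by either commenter): it flags the three client variables the maintainer says to omit and confirms both Hydra URLs use the admin port. The function names, the placeholder secrets and the 4445 default (the admin port stated in the report) are assumptions.

```python
import re
from urllib.parse import urlsplit

# Variables the maintainer says to omit with the beta8 images.
CLIENT_VARS = (
    "CREDENTIALS_ISSUER_ID_TOKEN_HYDRA_CLIENT_ID",
    "CREDENTIALS_ISSUER_ID_TOKEN_HYDRA_CLIENT_SECRET",
    "CREDENTIALS_ISSUER_ID_TOKEN_HYDRA_CLIENT_SCOPES",
)
# Variables that the workaround points at Hydra's admin port.
URL_VARS = ("CREDENTIALS_ISSUER_ID_TOKEN_HYDRA_URL", "HYDRA_URL")

# Constructed sample: the environment from the report, secrets as placeholders.
SAMPLE_ENV = """\
    - CREDENTIALS_ISSUER_ID_TOKEN_ALGORITHM=ORY-HYDRA
    - CREDENTIALS_ISSUER_ID_TOKEN_HYDRA_CLIENT_ID=<client-id>
    - CREDENTIALS_ISSUER_ID_TOKEN_HYDRA_CLIENT_SECRET=<client-secret>
    - CREDENTIALS_ISSUER_ID_TOKEN_HYDRA_CLIENT_SCOPES=openid email profile
    - CREDENTIALS_ISSUER_ID_TOKEN_HYDRA_URL=https://hydra.mycorp-test.com:4445/
    - CREDENTIALS_ISSUER_ID_TOKEN_HYDRA_JWK_SET_ID=oathkeeper:id-token
    - HYDRA_URL=https://hydra.mycorp-test.com:4445
"""

ENTRY = re.compile(r"^\s*-?\s*([A-Z0-9_]+)=(.*)$")

def parse_env(text):
    """Parse compose-style '- KEY=VALUE' lines into a dict."""
    env = {}
    for line in text.splitlines():
        match = ENTRY.match(line)
        if match:
            env[match.group(1)] = match.group(2).strip()
    return env

def check_env(env, admin_port=4445):
    """Return one finding per setting that contradicts the workaround."""
    findings = [f"{name}: omit, per the workaround in this thread"
                for name in CLIENT_VARS if env.get(name)]
    for name in URL_VARS:
        value = env.get(name)
        if value and urlsplit(value).port != admin_port:
            findings.append(f"{name}: expected admin port {admin_port}, got {value}")
    return findings

def apply_workaround(env):
    """Drop the client credential variables, keep everything else."""
    return {k: v for k, v in env.items() if k not in CLIENT_VARS}

if __name__ == "__main__":
    env = parse_env(SAMPLE_ENV)
    for finding in check_env(env):
        print("WARN", finding)
    print("after workaround:", check_env(apply_workaround(env)) or "clean")
```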

aeneasr pushed a commit that referenced this issue Aug 22, 2018
This patch improves compatibility with ORY Hydra 1.0.0-beta.8 and updates vendored dependencies.

Closes #101

Signed-off-by: aeneasr <[email protected]>