Merged
21 changes: 21 additions & 0 deletions frametests/deps/testoryhydra/hydra.go
Expand Up @@ -53,6 +53,27 @@ oauth2:
- username
- service_name
mirror_top_level_claims: false
hashers:
bcrypt:
cost: 10
pbkdf2:
iterations: 1
Contributor
critical

The number of iterations for PBKDF2 is set to 1. This is critically low and provides almost no resistance to brute-force attacks, making the hashed values insecure. While this is for a test environment, using such a weak setting is a dangerous practice. It is highly recommended to use a much higher iteration count. For example, OWASP recommends values in the hundreds of thousands for production. For testing, a value like 10000 would offer a better balance between security and performance.

Suggested change
iterations: 1
iterations: 10000

algorithm: pbkdf2
pkce:
enforced_for_public_clients: true
enforced: true
client_credentials:
default_grant_allowed_scope: false
grant:
jwt:
iat_optional: false
jti_optional: false
max_ttl: 720h
Contributor
high

The max_ttl for JWT-based grants is set to 720h (30 days). This is an exceptionally long lifetime for a token, which significantly increases the security risk if the token is compromised. It is a security best practice to use short-lived tokens. Consider reducing this to a much shorter duration, such as 1h, to limit the window of exposure.

Suggested change
max_ttl: 720h
max_ttl: 1h

refresh_token:
grace_period: 1h
refresh_token_hook: http://127.0.0.1:3000/webhook/enrich/refresh-token
token_hook: http://127.0.0.1:3000/webhook/enrich/token
expose_internal_errors: true
Contributor
medium

Setting expose_internal_errors to true can be useful for debugging in development or test environments. However, it poses a significant security risk in production by potentially leaking sensitive information like stack traces or internal application details. Please ensure this setting is disabled in any production configuration to prevent information disclosure vulnerabilities.

secrets:
system:
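Review bot: `algorithm: pbkdf2` a few lines below the `hashers` block makes `pbkdf2: iterations: 1` the active hasher for this fixture, and nothing in the hunk marks the weak values (`iterations: 1`, `max_ttl: 720h`, `expose_internal_errors: true`) as test-only; add a comment next to the `hashers` block stating that the fixture trades hashing cost for test speed, or raise the iteration count as the inline suggestion proposes, so the block is not copied into a deployable config. The `token_hook` and `refresh_token_hook` URLs on plain `http://127.0.0.1:3000` are fine for a loopback test harness and need no change.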
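The comment above on `pbkdf2: iterations: 1` argues that the iteration count is what an offline attacker pays per guess once the stored hashes leak. As an added example, not code from this PR or from the project under test, the following Go program implements PBKDF2-HMAC-SHA256 from the standard library (RFC 8018 section 5.2), checks it against the published `password`/`salt` test vectors, and measures per-core guess throughput at the fixture's `iterations: 1` next to the suggested `10000`; the salt and candidate password used in the timing loop are constructed sample inputs.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"time"
)

// pbkdf2SHA256 derives dkLen bytes from password and salt with the given
// iteration count, following RFC 8018 section 5.2 (PBKDF2 with HMAC-SHA256).
// Written with the standard library only so it runs without golang.org/x/crypto;
// it is an illustration, not the hasher used by the project under test.
func pbkdf2SHA256(password, salt []byte, iterations, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (dkLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	var blockIndex [4]byte
	for block := 1; block <= numBlocks; block++ {
		// U_1 = PRF(P, S || INT(i)), with INT(i) big-endian, 4 bytes
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(blockIndex[:], uint32(block))
		prf.Write(blockIndex[:])
		u := prf.Sum(nil)
		t := make([]byte, len(u))
		copy(t, u)
		// U_j = PRF(P, U_{j-1});  T_i = U_1 xor U_2 xor ... xor U_c
		// Every extra iteration is one more HMAC the attacker must also compute.
		for j := 1; j < iterations; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(u[:0])
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// pbkdf2Hex returns the derived key as lowercase hex for comparison with the
// published test vectors.
func pbkdf2Hex(password, salt string, iterations, dkLen int) string {
	return hex.EncodeToString(pbkdf2SHA256([]byte(password), []byte(salt), iterations, dkLen))
}

// guessesPerSecond measures how many candidate passwords one core can verify
// per second at the given iteration count: the per-guess cost of an offline
// brute-force attack against a leaked hash. Inputs are constructed samples.
func guessesPerSecond(iterations int) float64 {
	salt := []byte("constructed-salt")           // constructed sample salt
	password := []byte("candidate-password")     // constructed sample guess
	const trials = 100
	start := time.Now()
	for i := 0; i < trials; i++ {
		pbkdf2SHA256(password, salt, iterations, 32)
	}
	return float64(trials) / time.Since(start).Seconds()
}

// workFactorRatio is the attacker's speed-up from the weak setting relative to
// the stronger one; PBKDF2 cost is linear in the iteration count.
func workFactorRatio(weakIterations, strongIterations int) float64 {
	return float64(strongIterations) / float64(weakIterations)
}

func main() {
	for _, iter := range []int{1, 10000} {
		fmt.Printf("iterations=%-6d ~%.0f guesses/s per core\n", iter, guessesPerSecond(iter))
	}
	fmt.Printf("iterations: 1 -> 10000 multiplies the attacker's work per guess by %.0f\n",
		workFactorRatio(1, 10000))
}
```

Run it with `go run`; the absolute rates depend on the machine, but their ratio is the iteration ratio, which is why the inline suggestion raises the cost of every offline guess ten-thousand-fold while adding only a few milliseconds per hash for the test harness.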
3 changes: 0 additions & 3 deletions server.go
Expand Up @@ -91,8 +91,6 @@ func (dd *defaultDriver) ListenAndServe(addr string, h http.Handler) error {
protocols.SetUnencryptedHTTP2(true)
dd.httpServer.Protocols = protocols

log.Info("h2c (HTTP/2 without TLS) enabled by default")

ln, err0 := getListener(dd.ctx, addr, "", "", dd.listener)
if err0 != nil {
return err0
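Review bot: deleting `log.Info("h2c (HTTP/2 without TLS) enabled by default")` removes the only startup signal that `ListenAndServe` serves cleartext HTTP/2, while `protocols.SetUnencryptedHTTP2(true)` two lines above still turns it on unconditionally; if the aim is less log noise, keep the message at debug level instead of dropping it, or state the h2c default in the function's doc comment, so operators can still tell from the logs or the API docs that this listener accepts unencrypted HTTP/2.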
Expand All @@ -113,7 +111,6 @@ func (dd *defaultDriver) ListenAndServeTLS(addr, certPath, certKeyPath string, h
if err != nil {
return err
}
log.Info("h2c disabled, using standard HTTP/2 with TLS")

ln, err0 := getListener(dd.ctx, addr, certPath, certKeyPath, dd.listener)
if err0 != nil {
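Review bot: removing `log.Info("h2c disabled, using standard HTTP/2 with TLS")` is consistent with the cleartext-path change in the hunk above, but afterwards nothing in the logs distinguishes a `ListenAndServeTLS` listener from a `ListenAndServe` one; if a debug-level message is retained on the cleartext path, retain a matching one here so the two listener modes stay distinguishable when diagnosing a deployment.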