Migrating from MITREid
info
Please note this page doesn't pretend to be a step-by-step guide.
This piece of documentation will try to give you some hints to move your current MITREid instance to Hydra.
Scopes
Scopes in hydra doesn't have a relational entity, every client defines its own array of scopes.
Scope vs Scp
Since hydra uses scp as the scope claim, you have to be sure your client libraries are capable to use both, we had to modify the behavior of our version of spring.security.oauth2 library following the example: Custom claim
Query String Parameters
MITREid doesn't mind if the parameters are passed in the body or in the query string. In order to work with hydra, you have to migrate all your calls that are using QS params to Body Parameters.
For example, you should move from
curl -X POST http://127.0.0.1/mitreid-server/token?grant_type=client_credentials -H "Authorization: $AUTH" ...
to
curl -X POST http://127.0.0.1/mitreid-server/token -H "Authorization: $AUTH" --data-urlencode 'grant_type=client_credentials' ...
Scope Strategies if no scope is requested
The last pitfall found during the migration was the difference of behavior when performing the client_credentials
grant without
specifying a scope. By default Ory Hydra returns an empty scope, but MITREid grants the default scope for the OAuth 2.0 Client.
To change the behavior in Ory Hydra, either set environment variable OAUTH2_CLIENT_CREDENTIALS_DEFAULT_GRANT_SCOPE=true
or
alternatively add to Ory Hydra's configuration file:
oauth2:
client_credentials:
default_grant_allowed_scope: true
Once set, Ory Hydra will behave like MITREid and grant the OAuth2 Client's scope when an empty scope is requested for a
client_credentials
grant.