first of all let me tell you that the consent flow is due to a large refactor with version 0.10.0. Instead of relying on asymmetric cryptography and JWK + JWT standards, it will be possible to use the trust relationship between the consent app and hydra and issue a REST request to hydra, letting hydra know that consent was given. Because the new API is completely documented in swagger, you can use swagger-codegen to generate an java SDK. We use swagger-codegen for the Go SDK already and even use it in Hydra internally, so it’s working 100%.
Having said that, let’s come back to your question which covers 0.9.x:
- Browser ask Auth Server for Authentication
Teh work flow this is correct. I only want to point out that we are talking about Authorization in the concept of OAuth 2.0. If you want 100% accurate, you would have to say:
- App asks user for Authorization by generating the Authorization URL (pointing to Hydra)
- Hydra asks browser of user for authentication by redirecting to the Consent App
It is important to separate authorization (your ability to enter a country) and authentication (customs checking your passport).
Everything else in your flow is 100% correct.
I would like to understand more about step 5.1. Why do we need to request a private key over http, would it be better to do
1)Consent app generate a public/private key pair
2)Consent app sign the response using the private key and send to Auth Server
3)Upon receiving the response, Auth Server send a request to consent app for public key
4)Auth Server uses the public key to verify the response is from Consent Server
Yes, you are correct here. That would indeed be a better flow. However, what influenced our decision was a developer experience aspect: generating cryptographic keys correctly is hard. By having an encrypted storage in Hydra and the ability to transport JWKs over HTTP(s), the decision was made to sacrifice the standard PKI structure. In retrospect, we could have used shared secrets instead. This is also why we’re refactoring this part in 0.10.0 to make it more accessible and also more logical.