fix(ory): harden Kratos and Hydra production security configuration

Kratos: xchacha20-poly1305 cipher for at-rest encryption, 12-char min password with HaveIBeenPwned + similarity check, recovery/verification switched to code (not link), anti-enumeration on unknown recipients, 15m privileged session, 24h session extend throttle, JSON structured logging, WebAuthn passwordless enabled, additionalProperties: false on all identity schemas, memory limits bumped to 256Mi. Hydra: expose_internal_errors disabled, PKCE enforced for public clients, janitor CronJob every 6h, cookie domain set explicitly, SSRF prevention via disallow_private_ip_ranges, JSON structured logging, Maester enabledNamespaces includes monitoring. Also: fixed selfservice URL patch divergence (settings path, missing allowed_return_urls), removed invalid responseTypes on Hive client.
2026-03-24 19:40:58 +00:00
parent 4c02fe18ed
commit 50a4abf94f
5 changed files with 56 additions and 56 deletions
--- a/base/lasuite/oidc-clients.yaml
+++ b/base/lasuite/oidc-clients.yaml
@@ -4,28 +4,6 @@
 # App pods reference those secrets for OIDC_RP_CLIENT_ID/SECRET env vars.
 # redirectUris contain DOMAIN_SUFFIX which is replaced by sed at deploy time.

-# ── Docs ─────────────────────────────────────────────────────────────────────
-apiVersion: hydra.ory.sh/v1alpha1
-kind: OAuth2Client
-metadata:
-  name: docs
-  namespace: lasuite
-spec:
-  clientName: Docs
-  grantTypes:
-    - authorization_code
-    - refresh_token
-  responseTypes:
-    - code
-  scope: openid email profile
-  redirectUris:
-    - https://docs.DOMAIN_SUFFIX/api/v1.0/callback/
-  postLogoutRedirectUris:
-    - https://docs.DOMAIN_SUFFIX/api/v1.0/logout-callback/
-  tokenEndpointAuthMethod: client_secret_post
-  secretName: oidc-docs
-  skipConsent: true
---
 # ── Drive ─────────────────────────────────────────────────────────────────────
 apiVersion: hydra.ory.sh/v1alpha1
 kind: OAuth2Client
@@ -95,28 +73,6 @@ spec:
  secretName: oidc-messages
  skipConsent: true
 ---
-# ── People ────────────────────────────────────────────────────────────────────
-apiVersion: hydra.ory.sh/v1alpha1
-kind: OAuth2Client
-metadata:
-  name: people
-  namespace: lasuite
-spec:
-  clientName: People
-  grantTypes:
-    - authorization_code
-    - refresh_token
-  responseTypes:
-    - code
-  scope: openid email profile
-  redirectUris:
-    - https://people.DOMAIN_SUFFIX/api/v1.0/callback/
-  postLogoutRedirectUris:
-    - https://people.DOMAIN_SUFFIX/api/v1.0/logout-callback/
-  tokenEndpointAuthMethod: client_secret_post
-  secretName: oidc-people
-  skipConsent: true
---
 # ── Find ──────────────────────────────────────────────────────────────────────
 apiVersion: hydra.ory.sh/v1alpha1
 kind: OAuth2Client
@@ -173,8 +129,6 @@ spec:
  clientName: Hive
  grantTypes:
    - client_credentials
-  responseTypes:
-    - token
  scope: openid
  tokenEndpointAuthMethod: client_secret_basic
  secretName: oidc-hive