Aqw Hydra Challenge


Cristy Borovetz

Aug 5, 2024, 3:53:42 AM8/5/24
to koytimeamo
I saw a few topics like this, so maybe it is being addressed and I might be thinking ahead, but I was looking at integrating ORY Hydra and Kratos (and later Oathkeeper in front). I was adapting the example Kratos UI and Hydra example UIs to essentially use Kratos as the IdP for the Hydra OAuth2 flow.

Yeah, I think that makes sense. So that route handles the redirect for after Kratos has succeeded, and it needs to redirect back to the UI, which then accepts the login with Hydra and immediately redirects again to the authorization screen (if auth is needed).


I was thinking that when separating it, we could keep both flows working: you could initiate the login from Hydra through the OAuth2 flow, but you could also use the demo UI just hitting Kratos, not using Hydra at all, the way it used to work where you would initiate the login and get redirected to the dashboard. Not sure if that's necessary.


It could also exist as a separate demo UI, so there's the Hydra demo UI, the Kratos demo UI, and then this one which uses Kratos and Hydra. I have also experimented with adding Oathkeeper to this as well to verify the Hydra tokens.


We did some preliminary work on this in the Kratos self-service app. Please be aware that a full integration is coming to ORY Kratos at some point, but you can use it as a workaround for now: -selfservice-ui-node/tree/hydra-integration/contrib/hydra


We have a question related to the login challenge code. The login challenge is passed in front-channel communication, and users can share the link with the code challenge between each other, bookmark the login page in the browser, or do other crazy things.


It sometimes creates weird situations where users reuse challenge codes accidentally. For example, today we got a case where a user logged in successfully with a code_challenge but saved the link, opened it again after some time, passed the login flow, and we got a pq: duplicate key value violates unique constraint "hydra_oauth2_authentication_request_handled_pkey" exception when the backend tried to accept the challenge.


My understanding of Hydra is that I can have an app which can decide whether to authorize or not, then offload the work to Hydra to generate the token etc.

i.e. browser login page -> some backend API -> (checks if it meets its requirements) -> make request to Hydra to generate token.


Also, is there any way to skip the Accept and Consent forms? On register and login on the main website, it would make very little sense to show users these pages. (I do see a prompt keyword, but I'm not sure where and why it is applicable.)


This guide will walk you through the process of customizing Ory OAuth2 and OpenID Connect to work with your user database, login UI, and consent logic and UI. We'll cover everything you need to know, including how to redirect users to your login endpoint, how to fetch and process login and consent requests, and how to use the SDK to accept or reject these requests.


By default, Ory OAuth2 and OpenID Connect is integrated with Ory Identities and the Ory Account Experience. Read this document if you want to customize the user backend, login UI, or consent logic and UI.


OAuth2 and OpenID Connect require an authenticated end-user session for all OAuth2 / OpenID Connect flows except the client credentials flow, which doesn't involve end users. Ory OAuth2 and OpenID Connect doesn't contain a database with end users but instead uses HTTP redirection to "delegate" the login flow to another app. This is the "Ory OAuth 2.0 login & consent flow".


The OAuth 2.0 / OpenID Connect flow is initiated by pointing the end user's browser to the /oauth2/auth endpoint. Depending on the OAuth2 flow you want to use, some of the query parameters (for example /oauth2/auth?response_type=code or /oauth2/auth?response_type=token) can change. Starting flows always involves sending the browser to that URL.


The next task for Ory OAuth2 and OpenID Connect is to know the user of the request. To achieve that, Ory OAuth2 and OpenID Connect checks if a session cookie is set containing information about a previously successful login. Additionally, the OpenID Connect parameters id_token_hint, prompt, and max_age are evaluated and processed. Depending on their values and the login state, the user might need to re-authenticate or the flow will fail.


To authenticate the user (this happens regardless of whether a session exists for the user or not), Ory OAuth2 and OpenID Connect redirects the browser to the "login endpoint" established in your config:


Ory OAuth2 and OpenID Connect appends a login_challenge query parameter to the URL. The value is an ID which should later be used by the login endpoint to fetch important information about the request.


The response contains information about the login request. The body contains a skip value. If the value is false, the user interface must be shown. If skip is true, you shouldn't show the user interface but instead just accept or reject the login request.


Ory OAuth2 and OpenID Connect appends a consent_challenge query parameter to the URL. The value is an ID which should later be used by the consent endpoint to fetch important information about the request.


When you create an OAuth2 client in your Ory Network project, you can configure it to skip the "consent screen", which is the screen where the user must explicitly agree to giving the client access to their data and allow it to perform operations on their behalf.


In certain scenarios (for example a special OAuth2 client), you might not want to show the consent screen at all. In those cases, you can choose to skip showing the UI and just accept the consent. Please keep in mind that OAuth2 is a delegation protocol and that it makes most sense for third-party access. Not showing the consent screen will break OpenID Connect Certification.


The response contains information about the consent request. The body contains a skip value. If the value is false, the user interface must be shown. If skip is true, you shouldn't show the user interface but instead just accept or reject the consent request.


This flow allows you to take full control of the behavior of your login system, authentication methods, and consent screen. A well-documented reference implementation for both the Login and Consent Provider is available on GitHub.


The Challenge Deck is a special self-running deck with its own set of rules. Players are encouraged to pilot it against one another one-on-one or in groups of up to four with guidance from the included instructional playmat. The Challenge Deck contains 60 cards (18 Heads and 42 Sorcery cards). The 15 unique cards are not legal in regular Magic, which is made clear by their different card back. Some of the Heads have the supertype elite. When playing against this deck the player may use their Hero cards. The Hydra follows a predetermined sequence of casting cards from its shuffled deck and blasting the player for damage. The goal is to eliminate all of the Hydra heads before it eats you. When you cut one head down, sometimes more grow back. If you win against the challenge deck, you win a third Hero card (The Slayer). The Face the Hydra Challenge Deck is available as a saleable product for $11.99.



You can battle the Hydra alone or with friends (just replace "you" with "each player" in these rules). At the end of any turn, if there are no Heads on the battlefield, you win! Use the regular Magic rules with the following exceptions:


Whenever the hydra takes 25 or more damage in a single turn, one of its heads dies. If all its heads die, the hydra dies. At the end of its turn, it grows two heads for each of its heads that died since its last turn, unless it has taken fire damage since its last turn. The hydra regains 10 hit points for each head regrown in this way.


My interpretation of this is that each time the hydra receives 25 damage it loses a head, because we're assuming that the hydra loses 57 health each round, 2 heads die and 2 heads grow back. Therefore the hydra is regenerating 20 hp each round.


In general the developers don't follow the CR calculation mechanics in the Dungeon Master's Guide. There were several articles that led to the thought that they kind of just went with 'what felt right', and until the DMG came out we were expected to do the same.


In fact the DMG only has you calculate HP, AC, save DC, and damage to figure out a challenge rating. So if the developers used this, it ignores any special attacks or features that don't fall into one of those categories.


A challenge to establish the predictive power of computational spectroscopy on the example of 1:1 complexes of organic molecules with water. The quantity to predict is the hydrogen-bonded OH bond stretching fundamental of water relative to the free water value of 3657 cm⁻¹ (experimental symmetric stretch). Read more about the challenge. The official start was on 24.08.2021.


One thing I'd like to ask is about the card Mind Grind. As there are no lands in the Hydra deck, wouldn't using Mind Grind for 1 basically win the game on turn 3 by milling the entire Hydra deck? Meaning that, if you play three-on-one, if your team members keep the heads busy while you run Dimir to get Mind Grind out, you get an easy win?


...but the way I understand it, there is no "player" controlling the Hydra, thus Traumatize would be useless (unless you want to hit yourself or your teammates) because there is no player to target.


Not sure how Mind Grind works... there is a rule that says abilities can't cause the Hydra to draw or discard, and that you ignore any impossible actions... but technically Mind Grind wouldn't cause an impossible action, and it doesn't target a player.


For example: when a head dies, the Hydra reveals the top 2 cards of its library, puts sorceries into its graveyard, and puts any heads onto the battlefield. My question: are the heads revealed this way "cast" or just "put onto the battlefield"?
