
Show HN: Run your own OAuth2/OpenID Connect provider - aeneasr
https://github.com/ory-am/hydra#
======
simplify
If you're interested in this sort of thing, Doorkeeper[1] is a robust, open
source OAuth 2 provider that's been around for about 5 years. We use it as a
standalone app, and have many other node.js apps that sign in using it.

[1] [https://github.com/doorkeeper-gem/doorkeeper](https://github.com/doorkeeper-gem/doorkeeper)

~~~
arekkas
Thanks, however Doorkeeper is an SDK, right? With Hydra, you simply boot the
docker image and are done.

If you're interested in OAuth2 frameworks, check out
[fosite](https://github.com/ory-am/fosite), which is like Doorkeeper for Go.

~~~
simplify
Doorkeeper is closer to a full-package with customizable features, including a
basic frontend. I'm not too familiar with hydra, but it seems Doorkeeper is
best when you want to get the full OAuth app & user interface running (and
customize later), whereas Hydra is best when you want to get a quick OAuth API
app and build your own frontend. Would you say this is accurate?

~~~
arekkas
Yeah I think that is valid. Hydra can also be put on top of existing
infrastructures. Not sure how well that is possible with Doorkeeper.

~~~
simplify
Doesn't the nature of an OAuth server imply that it can be added to existing
infrastructures? Or is there an issue you foresee with non-Hydra libraries?

~~~
arekkas
No, Hydra works with every existing solution :) You can read more on this
topic in the guide: [https://ory-am.gitbooks.io/hydra/content/oauth2.html](https://ory-am.gitbooks.io/hydra/content/oauth2.html)

~~~
simplify
You didn't answer my question. I think you may have misread it.

------
ethernetdan
Also similar: [https://github.com/coreos/dex](https://github.com/coreos/dex)

------
defiancedigital
Ask HN: Is "hydra" the most used open source project name ?

~~~
johns
Unicorn

~~~
defiancedigital
hydra vs unicorn dixit github :

Hydra = 1,934 results
([https://github.com/search?utf8=&q=hydra](https://github.com/search?utf8=&q=hydra))

Unicorn = 1,878 results
([https://github.com/search?utf8=&q=unicorn](https://github.com/search?utf8=&q=unicorn))

Winner Hydra !!!

~~~
neilellis
Hail Hydra!

------
Pyxl101
Nice! Lowering barriers to the use of technologies like these is important.

Would anyone else be interested in hosting Mozilla Persona?
[https://developer.mozilla.org/en-US/Persona](https://developer.mozilla.org/en-US/Persona)

~~~
scrollaway
Check out Let's Auth:

[https://github.com/letsauth/letsauth.github.io](https://github.com/letsauth/letsauth.github.io)

It's a successor to Mozilla Persona in development.

Details in the readme and on freenode #letsauth (mirrored to
gitter.im/letsauth/letsauth).

~~~
arekkas
Why is it written in Python? Why not something that compiles and runs well on
all platforms?

~~~
scrollaway
From the readme:

> Let's Auth 1.0 will ship as a single, statically compiled binary. Pre-1.0,
> we will use a variety of dynamic languages for prototyping.

~~~
arekkas
nice :)

------
olalonde
How do you integrate this with your existing API? Do you need to proxy
requests through Hydra or do you just need to read and trust Hydra-signed
tokens on every request? Is there any overlap with
[https://getkong.org/](https://getkong.org/)?

~~~
arekkas
Currently hydra issues opaque tokens but has the capabilities to switch to JWT
in the future. There is a warden HTTP API endpoint that you can use to inspect
tokens and use hydra's access control. I will probably add a more common token
info endpoint or an OAuth2 Token Introspection endpoint
([https://tools.ietf.org/html/rfc7662](https://tools.ietf.org/html/rfc7662))
later on.

I haven't used kong yet but from my first impression it should be possible to
use hydra together with kong.

~~~
olalonde
Ok, thanks. So let's say I wanted to use Hydra for authenticating requests
made to my REST API, I'd have to make an API call to Hydra on each request,
right? Would be interesting to have some integration examples with popular web
frameworks (e.g. Express.js, Rails, Django, etc.).

Thanks for releasing this by the way, looks really well engineered. I'm sure
you've considered it already, but you could probably sell a hosted version (a
la [https://auth0.com](https://auth0.com)) to make money and finance
development.

~~~
arekkas
Depends, if you use JWT you can cryptographically verify that the token and
the token claims are valid. Right now, Hydra does not issue JWTs but it would
be easy as pie to add that functionality.

Writing an integration guide for this is a very good idea. Hydra's APIs are
validating all requests using that technique, but it's not documented.

Auth0.com is pretty cool, they have done some cool projects that help OAuth
developers. However, they are overpriced imho. Hosting hydra is definitely
something I will consider. Thanks! :)
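
As an added example (not Hydra's code and not from anyone in this thread), here is how a resource server could act on the RFC 7662 introspection answer mentioned above for an opaque token, failing closed on inactive, expired, not-yet-valid or under-scoped tokens. The `Authorize` function and the JSON it consumes are constructed for illustration; the field names are the ones RFC 7662 defines, and the example re-checks `exp`/`nbf` locally so a cached answer cannot outlive the token.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// IntrospectionResponse is the JSON object an RFC 7662 endpoint returns.
// Only "active" is mandatory; an inactive token carries no other fields,
// so every other member must be treated as optional.
type IntrospectionResponse struct {
	Active bool   `json:"active"`
	Scope  string `json:"scope"` // space-separated, per RFC 6749 section 3.3
	Sub    string `json:"sub"`
	Exp    int64  `json:"exp"` // seconds since the Unix epoch, 0 if absent
	Nbf    int64  `json:"nbf"`
}

// Authorize decides whether an introspected token may call a resource that
// requires the scope `need` and returns the subject to attach to the request.
// It fails closed: an unparseable or inactive answer is a denial, and exp/nbf
// are re-checked locally when present. (Constructed example, not Hydra's API.)
func Authorize(raw []byte, need string, now time.Time) (string, error) {
	var r IntrospectionResponse
	if err := json.Unmarshal(raw, &r); err != nil {
		return "", fmt.Errorf("introspection response is not valid JSON: %w", err)
	}
	if !r.Active {
		return "", errors.New("token inactive (revoked, expired or unknown)")
	}
	if r.Exp != 0 && !now.Before(time.Unix(r.Exp, 0)) {
		return "", errors.New("token expired")
	}
	if r.Nbf != 0 && now.Before(time.Unix(r.Nbf, 0)) {
		return "", errors.New("token not yet valid")
	}
	for _, s := range strings.Fields(r.Scope) {
		if s == need {
			return r.Sub, nil // caller identity for the request context
		}
	}
	return "", fmt.Errorf("token lacks required scope %q", need)
}
```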

------
akbar501
For anyone interested, the Go client library is: [https://github.com/ory-am/fosite](https://github.com/ory-am/fosite)

------
welder
OAuth is super simple, you only need two endpoints for an OAuth provider. It
only took a few hours to write the WakaTime OAuth provider implementation[1].
No offense and serious question: why would you need a library for this? Isn't
it more trouble to integrate an external OAuth provider with an existing api
than to just write two api endpoints yourself?

[1] [https://wakatime.com/api](https://wakatime.com/api)

~~~
arekkas
The libraries (SDK) I used for my first project had security flaws. OAuth2
is super simple to implement, but hard to get right. It's not just two
endpoints, it's multiple specs with ~200 written pages. Some people for
example don't even know that
[rfc6819](https://tools.ietf.org/html/rfc6819)
exists. Most SDKs are also very limited or hard to extend (e.g. adding
OpenID Connect).

I believe that adding a docker container to your deployment and creating a
consent token (JWT) is even less work than integrating with an SDK and
implementing the missing parts every time you hit that new edge case. On top
of that, you can be sure that it is backed by an open source community.

------
sakopov
I know it's in the title but I don't see any OpenID capabilities here. Looks
like an OAuth2 spec implementation. Am I missing something?

~~~
arekkas
OpenID has been deprecated in favor of OpenID Connect:

* [http://openid.net/specs/openid-connect-core-1_0.html](http://openid.net/specs/openid-connect-core-1_0.html)
* [http://openid.net/connect/faq/](http://openid.net/connect/faq/)

------
StavrosK
This looks very nice, but isn't it overkill to use RethinkDB when SQLite would
do (and probably be about as fast)?

------
smw
It'd be really neat to see an Amazon Lambda serverless version of this.

~~~
arekkas
Integrating that in lambda should not be hard. If you want, create an issue on
GitHub and I will try my best.

------
ClayM
Would this or coreos/dex replace something like Auth0?

~~~
jon-wood
Auth0's big feature that isn't provided by open source platforms at the moment
is being able to request an OAuth token for third party services the user has
authenticated with, so for example you can trade in an auth token that was
issued when you logged in the user for a Facebook token.

~~~
arekkas
Not true. Dex and Hydra both support it, although you need to implement a
little bit more stuff when using Hydra. Read it in the docs: [https://ory-am.gitbooks.io/hydra/content/connection.html](https://ory-am.gitbooks.io/hydra/content/connection.html)

~~~
jon-wood
I stand corrected. In that case Auth0 is even more overpriced than I
originally thought.

