If you're interested in OAuth2 frameworks, check out [fosite](https://github.com/ory-am/fosite), which is like Doorkeeper for Go.
Hydra = 1,934 results (https://github.com/search?utf8=&q=hydra)
Unicorn = 1,878 results (https://github.com/search?utf8=&q=unicorn)
Winner Hydra !!!
Would anyone else be interested in hosting Mozilla Persona? https://developer.mozilla.org/en-US/Persona
It's a successor to Mozilla Persona in development.
Details in the readme and on freenode #letsauth (mirrored to gitter.im/letsauth/letsauth).
> Let's Auth 1.0 will ship as a single, statically compiled binary. Pre-1.0, we will use a variety of dynamic languages for prototyping.
What would that be? :)
Also, Persona was pretty explicitly designed in a way that assumed eventual, native integration into browsers. IMHO, any successor without the backing of a browser vendor would be better served by starting from scratch with a different set of assumptions. :)
(Hypothetical future in which Persona takes off. I think it's a great idea.)
I haven't used kong yet but from my first impression it should be possible to use hydra together with kong.
Thanks for releasing this by the way, looks really well engineered. I'm sure you've considered it already, but you could probably sell a hosted version (a la https://auth0.com) to make money and finance development.
Writing an integration guide for this is a very good idea. Hydra's APIs are validating all requests using that technique, but it's not documented.
Auth0.com is pretty cool, they have done some cool projects that help OAuth developers. However, they are overpriced imho. Hosting hydra is definitely something I will consider. Thanks! :)
Your other option is to allow blacklisting of JWTs per client. However, this will add additional overhead of making an HTTP request to check if a token is blacklisted. That's how Auth0 does it in their commercial OpenID Connect provider.
I believe that adding a docker container to your deployment and creating a consent token (JWT) is even less work than integrating with an SDK and implementing the missing parts every time you hit that new edge case. On top of that, you can be sure that it is backed by an open source community.
Fosite (which is what this is based on) is a very good implementation from a security perspective: https://github.com/ory-am/fosite#a-word-on-security