Custom Provider

cristiandley · September 3, 2020, 5:31pm

Hi

First i must say im amazed with the ORY stack.

In the other hand, im a noob in what security matters, saying that in my company we are trying to migrate our security made over Keycloak with a custom provider that communicates to an Ahuthenticator.

Is this possible with ORY ? iv seen Hydra specs:

ORY Hydra is an OpenID Certified™ OAuth2 and OpenID Connect Provider can connect to any existing identity database (LDAP, AD, KeyCloak, PHP+MySQL, …) and user interface.

But is hard to find documentation regarding to the quote, and what even means “user interface” ?

Thanks.

hackerman · September 5, 2020, 2:27pm

I don’t understand the question, you want to use Hydra and Keycloak together?

cristiandley · September 6, 2020, 12:48am

No, as i said we are trying to migrate from Keycloak to Hydra.The issue, we own a custom provider over Keycloak (so authentication occurs in other platform). Is that possible on Hydra?

hackerman · September 6, 2020, 5:35am

Yes, that is the core concept behind Hydra

cristiandley · September 7, 2020, 11:35am

But i couldn’t find documentation about integrations or code examples on how to do it. Also if you search stuff on the docs seems to be broken.

hackerman · September 7, 2020, 12:29pm

What is broken for you wrt search?

cristiandley · September 7, 2020, 12:43pm

I did search for “LDAP” but couldnt find anything regarding to it.

The Login Flow and Consent Flow, if im not wrong both talk about connecting two OAuth services basically. What i need is a Authorization Provider (without OAuth). To own the login screen on ORY and then ask if the credencials are OK in other platform.

hackerman · September 7, 2020, 1:04pm

No, you misunderstood. Please re-read the relevant parts in the docs and check out the 5 minute quickstart guide etc!

There is no mention of LDAP because we do not support LDAP directly, you have to implement the „bridge“ between Hydra and your login solution yourself!

cristiandley · September 7, 2020, 1:12pm

Yes i misunderstood, the Hydra details say that ^ so i got Confused. I will try to read more about the “bridge” (provider) implementation.

Thanks.

asaf000 · September 8, 2020, 8:54am

@cristiandley KeyCloak is different because it’s a full identity stack while Hydra just orchestrate the OAuth workflows with some level of session management.

What @hackerman means by “bridge” is this:

You have to configure hydra to redirect to a login service (you have to write this one on your own)
In your login service, you should perform the auth (trough LDAP or whatever protocol you are using) and based on the auth result accept or deny the login request.

Cheers,

Asaf.

cristiandley · September 8, 2020, 11:26am

@asaf000 first, thanks (when i said custom provider, i refered to the concept of “bridge”, we are on the same page now).

You have to configure hydra to redirect to a login service (you have to write this one on your own)

Is this example the same thing? https://github.com/ory/hydra-login-consent-node

Thanks

asaf000 · September 8, 2020, 7:04pm

@cristiandley yea if you like node, you can fork this and your own logic instead of this