Customization possibilities for Hydra, e.g. one-time-login link
I was wondering how Hydra compares to Keycloak with regard to customization.
I don’t have the requirement at the moment, but I was wondering how one would tackle a scenario like “send a user a magic link” or “one time login url by email”.

Basically, this:
When implementing passwordless authentication with “magic links”, the user is sent an email with a link in it. This link will allow them to login directly when clicking on it. It is similar in function to them getting an email with a one-time-use code in it, returning to your app, and entering the code, but without having to actually perform those steps.

I guess with providers like Keycloak, one would need to handle this himself by implementing custom authentication providers and other customizable plugins.

Does Hydra offer anything like this too?

I’m guessing the generation and checking of such a one-time-code could be done in a self-implemented identity provider (no idea if Kratos will offer this?) => generate the code there, link it to the user, send a link to the user, point him to the identity provider, check there if the token is correct, linked to the user and valid… but then what?

How would one then tell hydra to authenticate the user and redirect the user to the target application, already authenticated?

I actually don’t have this requirement myself at the moment, but encountered it elsewhere recently and was wondering how one would tackle this with Hydra?

We had this question a couple of times before in this forum and on GitHub and in the chat. The general advice is, “magic link” does not work well with OAuth2 or OpenID Connect because of CSRF Cookies. There is no guarantee that the link the user clicks in his/her received email will open in the same browser that performed the OAuth2 dance, thus greatly reducing the chance of success of such an authentication flow.

This is why other providers also do not offer this. My general advice is, if you use magic link authentication, you probably don’t need OAuth2 as OAuth2 is generally designed for third party authorization and most magic link providers (given the lax security policy) probably don’t offer such capabilities.
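As an added illustration of the CSRF-cookie problem described in the answer above (example code written for this page, not Ory's or Hydra's own implementation; the server class, cookie name and flow bookkeeping are simplified assumptions):

```python
# Added example (not from the thread or from Ory): a minimal model of why a
# magic link breaks an OAuth2/OIDC login flow whose CSRF protection is bound to
# the browser that started the flow. Class names and the cookie name are assumptions.
import secrets
from dataclasses import dataclass, field


@dataclass
class Browser:
    """Constructed stand-in for a user agent: each one has its own cookie jar."""
    name: str
    cookies: dict = field(default_factory=dict)


class AuthServer:
    """Simplified authorization server (Hydra-like in spirit, not Hydra's code)."""

    def __init__(self):
        self._flows = {}  # login challenge -> CSRF token expected on completion

    def start_authorization(self, browser: Browser) -> str:
        """Start of the OAuth2 dance: bind a new login flow to THIS browser."""
        challenge = secrets.token_urlsafe(16)
        csrf = secrets.token_urlsafe(16)
        self._flows[challenge] = csrf
        browser.cookies["oauth2_csrf"] = csrf  # only this browser receives it
        return challenge

    def complete_login(self, browser: Browser, challenge: str) -> bool:
        """Login provider returns the challenge; accept only if the cookie matches."""
        expected = self._flows.get(challenge)
        presented = browser.cookies.get("oauth2_csrf")
        if expected is None or presented is None:
            return False  # unknown flow, or a browser that never started one
        return secrets.compare_digest(expected, presented)


def magic_link_outcome(same_browser: bool) -> bool:
    """Flow started in browser A; the emailed link is opened in A or in a fresh B."""
    server = AuthServer()
    started_in = Browser("A")
    challenge = server.start_authorization(started_in)
    # The link can carry the challenge, but the CSRF cookie never leaves browser A.
    clicked_in = started_in if same_browser else Browser("B")
    return server.complete_login(clicked_in, challenge)


if __name__ == "__main__":
    print("same browser:", magic_link_outcome(True))       # True
    print("different browser:", magic_link_outcome(False))  # False
```

The second case is the one the answer describes: a mail client opening the link in a different browser arrives with the challenge but without the cookie, so the flow cannot complete.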

Clear, thanks!
Sweet, this forum is so responsive :smiley:

To be honest, way more responsive than other forums for other similar products…

That’s how we roll :slight_smile: