Need advice to step by step upgrade to OAuth2 flow

Hi,

I currently have a homemade AuthenticationService that manages its own store and is able to issue JWTs for the frontend, as well as refresh tokens.

It’s working great but we want to use a convenient way to check the JWT across microservices. In another use case we already check some Google JWT with an OpenID verifier that checks clientID… it follows a standard, it’s supported by a community… that’s cool.

In the future it could make sense for us to migrate to OAuth2 so third parties could reach our API on behalf of our users. But my question is, does it make sense right now for us to use ORY Hydra to start using some standards (OpenID Connect) so our microservices libraries can check the JWT origin thanks to /.well-known/openid-configuration and the jwks.json file, or is it a crazy idea?

It means for now our AuthenticationService would interact directly with Hydra to generate the JWT token.

In the meantime, it would allow us in the future to step by step open the OAuth2 flow to the outside.

What do you think :smile: ?

Thank you,

Note: sorry if it sounds like a stupid question :thinking:

I would discourage you from using JWT as access tokens but other than that I think it sounds like a plan!

Hi @hackerman,

Could you expand a bit more on why not to use JWT as access tokens? I thought it better to avoid all microservices calling Hydra/AuthService to check the token. It seems like a huge single point of failure, since a frontend request could bounce across the API and 2-3 microservices (so if each one checks the token remotely…).

Thank you,

We have extensive docs on this topic: https://www.ory.sh/docs/hydra/advanced#json-web-tokens

Hi, I understand the point :slight_smile:

Just started to implement everything but got a doubt about that:

How can I solve this case of internal communication to authenticate a user without dealing with frontend OAuth 2.0 flow? To make sure Hydra handles all the token generation logic (secrets…)… ?

Thank you,

You may want to look into OAuth2 clients instead. Sending user passwords around your stack is a really bad idea!

I read your article https://www.ory.sh/oauth2-for-mobile-app-spa-browser/ and I better understand something can go wrong, even in the case where there is no third-party clients (only my native application).

I’m not used to seeing this type of login (AppAuth example) from native applications (banks…), but glad to have learned that today (will figure out how to switch over to this flow)!

Thank you!

I’m glad you were able to learn from our resources :slight_smile:
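
The local check discussed in this thread (a microservice validating a token against the issuer's published JWKS instead of calling the auth service), as an added JavaScript example that is not part of the original posts or ORY's code. The issuer URL, audience, `kid` and key pair are constructed placeholders; in a real deployment the JWKS would come from the `jwks_uri` listed in `/.well-known/openid-configuration`.

```javascript
const crypto = require('crypto');

// Verify an RS256 JWT against a JWKS document; returns the claims or throws.
function verifyJwt(token, jwks, { issuer, audience, now = Date.now() / 1000 }) {
  const [h, p, s, extra] = token.split('.');
  if (!h || !p || !s || extra !== undefined) throw new Error('malformed token');
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  // Pin the algorithm; never let the token header pick it ("none", HS256, ...).
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kty === 'RSA' && k.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  const key = crypto.createPublicKey({ key: { kty: 'RSA', n: jwk.n, e: jwk.e }, format: 'jwk' });
  const sig = Buffer.from(s, 'base64url');
  if (!crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, sig)) throw new Error('bad signature');
  // Only trust claims after the signature has been verified.
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  if (![].concat(claims.aud).includes(audience)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Constructed demo data: a throwaway key pair standing in for the issuer's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const JWKS = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-key', use: 'sig' }] };
const ISSUER = 'https://auth.example.test/'; // placeholder issuer
const AUDIENCE = 'orders-service';           // placeholder audience

const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Test helper: signs arbitrary claims (and an arbitrary header) with the demo key.
function signDemoToken(claims, header = { alg: 'RS256', kid: 'demo-key' }) {
  const input = `${b64u(header)}.${b64u(claims)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

// Returns 'ok' or the rejection reason, so outcomes are easy to compare.
function check(token) {
  try { verifyJwt(token, JWKS, { issuer: ISSUER, audience: AUDIENCE }); return 'ok'; }
  catch (e) { return e.message; }
}

const demo = { iss: ISSUER, aud: AUDIENCE, sub: 'user-1', exp: Date.now() / 1000 + 300 };
console.log(check(signDemoToken(demo)));
console.log(check(signDemoToken(demo, { alg: 'none', kid: 'demo-key' })));
```

Every service that accepts the token must run the issuer, audience and expiry checks itself; a valid signature alone only proves who minted the token, not that it was meant for this service or is still current.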