Protocol between hydra and Identity Provider

Hello, is there any standard protocol supported between hydra and the IdP, like SAML or OIDC? Otherwise, how can I integrate with an existing Identity Provider, without writing code?

You can’t - if you just want an OIDC proxy use something like Dex for example

It is not possible. By design, Hydra offloads the user authentication to your login provider, an API that you need to implement to work with Hydra. The purpose of this API is very simple - it is to provide the resource owner identity for the OAuth2 flows that require it. How - this is irrelevant to Hydra. You can do a database lookup, you can look up in LDAP, etc. Or, since it is all in the browser flow, you can talk to an OIDC provider, for example. This is, in fact, what we do. The login provider itself acts as a client from the OIDC perspective.

No, I don’t just want an OIDC proxy - I want to integrate hydra with an existing IdP, which is what the hydra docs explain is the hydra way. So I’d expect there to be a no-code way to integrate with existing IdPs, using standard protocols. Don’t get me wrong, I can also write some code. I’m just wondering why something that seems so obvious to me isn’t there; it must mean that I got something wrong.

Is the code for your Hydra Login Provider which acts as an OIDC client available as open source?

No, unfortunately this is an internal implementation for us, but the basic prototype implementation is extremely simple, a few dozen lines of code. You, essentially, redirect the user to the OIDC authorization endpoint, let the identity provider do its magic, and then you get the ID_TOKEN. You validate the token signature, extract the claims you are interested in, push them to the “accept login request” Hydra Admin API call and you are done.

However, as @hackerman said, if you are not looking specifically for OAuth2 server, Hydra is not necessarily the best option for you. If you are looking for the identity aggregator/proxy, there are other solutions out there, free and commercial.
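The three steps described in the post above (redirect to the upstream OIDC authorization endpoint, validate the returned ID token, push the claims to Hydra's "accept login request" admin call), written out as an added example. This is not the poster's internal code and not part of Hydra or any ORY project; the issuer, client id, secret and callback URL are constructed, the token is HS256-signed with the client secret (the symmetric option OIDC Core allows, used here so the block needs no JWKS fetch), the code-for-token exchange at the IdP's token endpoint is left out so the block runs offline, and the Hydra admin path is an assumption to check against the version you run. The `mint_test_id_token` helper stands in for the upstream IdP.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Constructed settings for a hypothetical upstream OIDC provider and for the
# login provider's client registration with it (none of these are real endpoints).
UPSTREAM_ISSUER = "https://idp.example.test"
UPSTREAM_AUTHORIZE_URL = UPSTREAM_ISSUER + "/authorize"
CLIENT_ID = "hydra-login-provider"
CLIENT_SECRET = b"constructed-client-secret"   # also the HS256 key, per OIDC Core 10.1
CALLBACK_URL = "https://login.example.test/callback"

# Assumed path of Hydra's "accept login request" admin call (Hydra 2.x layout);
# verify it against the Hydra version you actually run.
HYDRA_ACCEPT_LOGIN_PATH = "/admin/oauth2/auth/requests/login/accept"


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorize_redirect(login_challenge):
    """Step 1: Hydra sent the browser here with a login_challenge; redirect it on
    to the upstream IdP. state and nonce are kept server-side against the
    challenge so the callback can be tied back to this exact login attempt."""
    session = {
        "login_challenge": login_challenge,
        "state": secrets.token_urlsafe(16),   # binds the callback to this browser session
        "nonce": secrets.token_urlsafe(16),   # must come back inside the ID token
    }
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": CALLBACK_URL,
              "scope": "openid email", "state": session["state"], "nonce": session["nonce"]}
    return UPSTREAM_AUTHORIZE_URL + "?" + urlencode(params), session


def validate_id_token(id_token, session, now=None):
    """Step 2: check the signature first, then the claims that bind the token to
    this issuer, this client and this login attempt."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed ID token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    audience = claims.get("aud")
    audience = [audience] if isinstance(audience, str) else (audience or [])
    if claims.get("iss") != UPSTREAM_ISSUER:
        raise ValueError("wrong issuer")
    if CLIENT_ID not in audience:
        raise ValueError("token not meant for this client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch (possible replay)")
    if "sub" not in claims:
        raise ValueError("no subject claim")
    return claims


def build_accept_login_request(claims, session, remember=False):
    """Step 3: the request the login provider sends to Hydra's admin API. Only the
    claims we need are forwarded; the upstream token itself never reaches Hydra."""
    return {
        "method": "PUT",
        "path": HYDRA_ACCEPT_LOGIN_PATH,
        "query": {"login_challenge": session["login_challenge"]},
        "body": {"subject": claims["sub"], "remember": remember, "remember_for": 3600,
                 "context": {"email": claims.get("email"), "upstream_iss": claims["iss"]}},
    }


def handle_callback(query, session, id_token, now=None):
    """Callback handler: verify state (CSRF binding) before touching anything
    else, then validate the ID token obtained from the token endpoint and build
    the Hydra accept call."""
    if not hmac.compare_digest(query.get("state", ""), session["state"]):
        raise ValueError("state mismatch")
    claims = validate_id_token(id_token, session, now)
    return build_accept_login_request(claims, session)


def mint_test_id_token(claims, key=CLIENT_SECRET):
    """Constructed stand-in for the upstream IdP: mints an HS256-signed ID token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```

The `state` and `nonce` checks are what make this safe to run as a browser flow: `state` stops a forged callback from completing someone else's login, and `nonce` stops a captured ID token from being replayed into a new Hydra challenge. With a real provider you would verify an RS256 signature against the issuer's published JWKS instead of the shared secret, but the claim checks stay the same.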

Thanks a lot for the hints. But why do both you and @hackerman think I’m not looking for an OAuth2 server only because I want to use an external IdP with OIDC or SAML? Actually I do look for an OAuth2 server…

That’s not what I intended to say :slight_smile: It’s just that, if you just want a 1-click proxy for an existing OpenID Connect System (or SAML for that matter), CoreOS/Dex probably does the job right with very little set up.

If you have a more complex setup (e.g. multiple SAML and OIDC providers, maybe some other identity system), hydra is the way to go.

Additionally, if you want to modify the login experience, hydra is the way to go as you have full control over how the “login” and “consent” pages work.

Keep in mind that Dex is an OpenID Provider first and an OAuth2 server second. Depending on what your focus is you’d have to choose one of the two.

For ID Management, we are currently building hive ( https://github.com/ory/hive ). It will take some time until the first release is there but we intend to solve delegated login via e.g. oidc providers or saml. Hive will naturally integrate with hydra, of course :slight_smile:

What do you currently recommend to be used alongside Ory Stack to replace Hive while it doesn’t launch?

I recommend watching https://github.com/ory/hive


What a time!