Question about integration of Hydra with Kratos

Hi,

First, I’d like to thank you for this amazing open source project. I’m working on a personal project and was looking for a complete IAM solution. I was not satisfied by most products on the market because most of the time it is monolithic software based on Java. I’m very concerned about memory consumption, and can’t rely on solutions that require 2 GB of RAM to start up.

Right now, I have successfully deployed hydra, kratos, and kratos-selfservice-ui-node behind a reverse proxy on three subdomains. It works correctly with kratos-selfservice-ui-node on the hydra-integration branch. I compiled kratos from the master branch because I had to configure the domain for the cookie. And I had to add CORS headers for Kratos on my nginx proxy.

I started to implement the user interface as a single page application (Vue.js). In the documentation of Hydra, it is advised to implement the login, consent, and logout pages with a server side application (like in kratos-selfservice-ui-node with express.js).
However, Kratos offers a public API for SPAs.

So, should I keep the login, consent, and logout pages in a server side application and the other pages (register, profile management) in my SPA? Today, most of my frontends are developed with Vue.js, so I would like to reduce the need for server side pages.

What would be the best security design for this?

Hi there, we have an example of writing an app that integrates Hydra and Kratos on this branch: https://github.com/ory/kratos-selfservice-ui-node/tree/hydra-integration

Please treat this as a workaround for now, we will add proper integration of Hydra into Kratos in the future - so you won’t need to write a lot of code to get this done!
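The question above is whether the login and consent steps can live in a browser-side SPA. The reason the Hydra documentation (and the example app linked in the reply) puts them in a server side application is that these steps talk to Hydra's admin API, which must never be reachable from the browser. The following is an added example, not code from this thread or from the Ory projects: a minimal server side handler for Hydra's login and consent challenges. It assumes Hydra's admin endpoints `/oauth2/auth/requests/login`, `/oauth2/auth/requests/login/accept`, `/oauth2/auth/requests/consent` and `/oauth2/auth/requests/consent/accept` with the `login_challenge`/`consent_challenge` query parameters; the admin client is injected so the code runs offline against a constructed in-memory fake, and the `authenticateUser` callback stands in for whatever the app does to verify the user (for example validating a Kratos session). The challenge format check is an assumption, not something Hydra specifies.

```javascript
// Added example (not from the thread or the Ory projects): server-side handling of
// Hydra login/consent challenges. `admin` is an injected client for Hydra's admin
// API, which only the server may reach; the browser never sees these calls.

// Assumed format for opaque challenge ids; reject anything that is not a plain token
// before it is ever placed in a query string to the admin API.
const CHALLENGE_RE = /^[A-Za-z0-9_-]{16,}$/;

function assertChallenge(challenge) {
  if (typeof challenge !== "string" || !CHALLENGE_RE.test(challenge)) {
    throw new Error("invalid challenge");
  }
  return challenge;
}

// Login step: fetch the login request, either reuse Hydra's remembered subject
// (skip=true) or authenticate the user ourselves, then accept the request.
async function handleLogin(admin, loginChallenge, authenticateUser) {
  const challenge = assertChallenge(loginChallenge);
  const req = await admin.get("/oauth2/auth/requests/login", { login_challenge: challenge });
  let subject;
  if (req.skip) {
    subject = req.subject; // Hydra already knows the user; no login form shown
  } else {
    subject = await authenticateUser(); // app-specific check, e.g. a Kratos session
    if (!subject) return { status: 401, redirectTo: null }; // never accept unauthenticated
  }
  const res = await admin.put("/oauth2/auth/requests/login/accept",
    { login_challenge: challenge }, { subject, remember: false });
  return { status: 302, redirectTo: res.redirect_to };
}

// Consent step: grant only scopes that were requested AND that the server allows.
// The decision is made here, server side, not by JavaScript in the user's browser.
async function handleConsent(admin, consentChallenge, allowedScopes) {
  const challenge = assertChallenge(consentChallenge);
  const req = await admin.get("/oauth2/auth/requests/consent", { consent_challenge: challenge });
  const grant = req.requested_scope.filter((s) => allowedScopes.includes(s));
  const res = await admin.put("/oauth2/auth/requests/consent/accept",
    { consent_challenge: challenge },
    { grant_scope: grant, grant_access_token_audience: req.requested_access_token_audience || [], remember: false });
  return { status: 302, redirectTo: res.redirect_to, grantedScopes: grant };
}

// Constructed stand-in for Hydra's admin API so the example runs offline.
// It records every call so a test can check what the handlers sent.
function makeFakeHydraAdmin() {
  const logins = new Map([
    ["login_chal_0123456789abcdef", { skip: false, subject: "" }],
    ["login_chal_skip_0123456789ab", { skip: true, subject: "user-42" }],
  ]);
  const consents = new Map([
    ["consent_chal_0123456789abcd", { requested_scope: ["openid", "email", "admin"], requested_access_token_audience: [] }],
  ]);
  const calls = [];
  return {
    calls,
    async get(path, query) {
      calls.push(["GET", path, query]);
      if (path === "/oauth2/auth/requests/login") {
        const r = logins.get(query.login_challenge);
        if (!r) throw new Error("404 unknown login challenge");
        return r;
      }
      if (path === "/oauth2/auth/requests/consent") {
        const r = consents.get(query.consent_challenge);
        if (!r) throw new Error("404 unknown consent challenge");
        return r;
      }
      throw new Error("unknown path " + path);
    },
    async put(path, query, body) {
      calls.push(["PUT", path, query, body]);
      if (path === "/oauth2/auth/requests/login/accept") {
        if (!logins.has(query.login_challenge)) throw new Error("404 unknown login challenge");
        return { redirect_to: "https://hydra.example/oauth2/auth?login_verifier=v-" + query.login_challenge };
      }
      if (path === "/oauth2/auth/requests/consent/accept") {
        if (!consents.has(query.consent_challenge)) throw new Error("404 unknown consent challenge");
        return { redirect_to: "https://hydra.example/oauth2/auth?consent_verifier=v-" + query.consent_challenge };
      }
      throw new Error("unknown path " + path);
    },
  };
}
```

In a real deployment `admin` would be an HTTP client bound to Hydra's admin port on an internal network, and the two handlers would sit behind routes that only the server-rendered pages call. Moving these handlers into an SPA would require shipping admin-API access to the browser, which is the attack surface the server side design avoids; the SPA can still be used for the pages that only need Kratos's public API.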

Hi,

Thank you for this answer. This was not exactly my question because I was already working on this branch. It was more about whether it would be safe to develop a single page application for user management and OAuth2 consent?
In the documentation of Hydra, it is advised to use Server Side Rendering.

Upon reflection, I will organize all my services in this way:

  • A very small website for user management (Login, Register, Profile/Password update): it will be based on Kratos and a full SSR solution
  • All my other “business” services (mobile application, API, website): they will use OAuth2/OpenID with Hydra and an SPA

Finally, I’m going to develop an SSR solution because of the following points:

  • It will reduce the attack surface for all flows (consent, user login, registration, etc.)
  • I discovered that VueJS could be used for SSR (this is good news because I can reuse my components and my theme without too much extra work).

I started to develop the SSR with VueJS and it works perfectly. Currently, I have successfully handled the following flows: login, register, profile and password updates.

For those who are working with VueJS, I used the following framework/plugins: