Hi! Is my use case valid for self hosted hydra/kra...
# ory-selfhosting
l
Hi! Is my use case valid for self hosted hydra/kratos? I already have an IDBroker in the company and it is oidc compatible. Can I connect hydra/kratos to it and run them in k8s? I want to create different oauth2clients in different namespaces for the apps to use. The ultimate authentication needs to happen against the corporate IDP, I wanted to do that with hydra but seems as if you can not put a provider there, so I guess it needs kratos as well and in kratos set a generic oidc provider. Is this possible?
m
Hello @limited-energy-64008 If your IDBroker offers an OIDC connection you can use Ory Kratos to offer OIDC based login to your users through that IDBroker. So generic OIDC should do the trick if your IDBroker is compliant. Btw you can test this out easily with a free account on Ory Network: console.ory.sh Then you don't have to host Kratos and the other parts required for testing.
l
Thanks @magnificent-energy-493 I am already on it, testing hydra and ory together on a kind cluster. It would be awesome if hydra could act by itself alone as an OIDC “proxy” so that apps could self-service deploy oauth2clients in their namespace via hydra-maester and connect to hydra, and hydra could offload to an OIDC compatible IDP. Would be so awesome but I guess kratos is also needed. Anyway, great approach making this “kubernetes and CRD” friendly
Sadly I can’t go “as a service” with this and I need to host it myself.
Hello again, I refined my use case a bit and I am looking for confirmation that this is possible. I don't see an example of this on the internet when the IDP already exists and there is no need for consent/login pages as those are provided by the existing IDP. Is my use case valid for selfhosting? Am I missing something?
m
What do you need Hydra for in this scenario? Why not let Kratos issue the session via a cookie or JWT and check that in userspace? I think if you just want to authenticate users via an OIDC IDP then you don't need Hydra.
l
I want to use different oauth2clients per namespace. And I already have an IDP, what I want is SSO on all apps, but each his own oauth2client.
All consents will be skipped
If I could I would point hydra to an upstream oidc provider but I think that is not possible, therefore I think the only way is using kratos?
Can I create different oauth2clients via CRD and use them with kratos instead you say?
Hello, another try at getting some help from the community on my PoC. I tried explaining it in detail here, can I get your opinion on this please? I am half way through the testing and the hydra and hydra-maester part works well, I'll be investigating the kratos part soon. All feedback is appreciated. See: https://github.com/ory/kratos/discussions/4217
m
Hello @limited-energy-64008 sorry, I meant to follow up but got distracted. See here for an example of kratos + hydra integration: https://github.com/ory/examples/tree/master/kratos-hydra
> If I could I would point hydra to an upstream oidc provider but I think that is not possible, therefore I think the only way is using kratos?

Yes, you are correct, but I would argue that you could get away with only using Ory Kratos. What do you need OAuth2 for in this scenario? Why can't users obtain a session from Kratos directly?
l
Good point, maybe they can. I'll test that and maybe I don't need hydra? What I like about having hydra is being able to deploy new oauth2clients "as code" via hydra-maester.