# general
b
I have gotten a great auth service rocking with Keto, Hydra, and Kratos + APISIX OIDC. The last thing is Ory Polis. Is there a guide somewhere on integrating Kratos/Hydra/Keto with Polis, or is that something I will need to bridge manually?
c
We are still working on the guides. Kratos is the easiest to bridge, you can use the Generic OIDC provider because Polis wraps SAML around Oauth2/OIDC. For SCIM you will have to call the Kratos APIs (when you receive the webhooks from Polis) to manage the provisioning/de-provisioning. For Keto to Polis you can have the groups and roles mappings from OIDC/SAML flow through and then map that to Keto policies in your business logic.
b
A follow-up question: Given that it seems bridge logic is required either way, does it make more sense to fully replace Hydra with Polis in my setup? My requirements:
• Users can login directly (without SSO)
• Users can login via enterprise SSO
• Directory Sync
• Other applications can use my system as an OAuth2 provider for:
  ◦ M2M authentication (client credentials flow)
  ◦ "Login with MyApp" functionality (authorization code flow)
c
No, Polis does not offer Hydra functionality. You could potentially retrofit it in some ways, but it is not built for that purpose.
b
fair enough, build a bridge, will do. Thank you!
c
And Hydra and Polis should never need a bridge directly; Kratos sits right in the middle.
b
Yes, it sounds like I'll need to slap together the hooks to ensure I provision users in Kratos, and then, in theory, will my existing logic for Hydra allow those people to login with their enterprise SSO accounts? Maybe I need some method of distinguishing an SSO login vs a non-SSO login to point them at Polis vs Hydra? I am a touch confused because in my system I get a session cookie (from the APISIX OIDC plugin) and a Kratos cookie, but I'm sure with a bit more reading I can clean that up. Inside of Kratos I set:
oauth2_provider:
  url: http://hydra:4445
  override_return_to: true
but I assume since Hydra and Polis are distinct, there may need to be something custom here.