https://www.ory.sh/ logo
#talk-hydra
Title
# talk-hydra
t

thousands-church-11419

02/22/2022, 7:20 PM
also, kind of random, but if hydra hands out OIDC JWTs, then why does it have session management? Or am I misunderstanding something
1
m

magnificent-energy-493

02/22/2022, 7:37 PM
Ory Hydra maintains a session cookie. When a user signs in, the cookie will be set for that user. This allows the next OAuth2 request to complete without requesting the user to sign in again.
This is not the same as the "Application Session", that you would handle for example with Ory Kratos. This document also explains it a bit more https://www.ory.sh/docs/hydra/concepts/before-oauth2#access-and-refresh-tokens-are-not-sessions Let me know if that made it clearer! OAuth2 is hella confusing -.-
t

thousands-church-11419

02/22/2022, 7:38 PM
👀 reading it
m

magnificent-energy-493

02/28/2022, 11:59 AM
Did that make it clear @User? I am wondering how we could improve this in the docs since it comes up a lot.
t

thousands-church-11419

03/01/2022, 2:14 PM
Hey @User - I think I understand but I think I somewhat disagree on your stance about oidc in general. I feel like I’m missing something though so it's hard to feel confident disagreeing.
I think need is always contentious. You don't need oidc there are definitely alternatives. Using oidc for first party login makes sense to me mostly because of standardization - and allowing the client to fetch their own credentials. I’d actually say the question is if you need scopes and for most products the answer is no
But yeah for a typical api driven system with a mobile app I think registering clients, letting them get their own credentials, using JWTs etc the rest of the stack makes a lot of sense. I think/worry that for most companies you’d end up creating a worse version of oidc / hydra pretty quickly as feature requests start coming in for things that are common in most apps
2 Views