# talk-hydra
m
I have a couple of projects: main.com, proj1.com, proj2.com, proj3.com. I wanted to make it so that main.com hosts all the authentication accounts, and then the projects can OAuth with it to sign in/sign up. This way I can continue to add more projects without touching auth at all and instead just have to quickly implement OAuth (for which there are premade libraries). Do you think this is a good idea? If not, why not? If so, then should main.com use Kratos + Hydra, or do I need more than those two?
b
Hello. I am working on a project with the exact same concept as yours. Kratos + Hydra works well to implement the core auth platform, with other services acting as OAuth2 clients. You can find my example implementation in Go here: https://github.com/atreya2011/go-kratos-test/tree/hydra-consent
You can also store service-specific JSON metadata in the OAuth2 clients when you create them: https://www.ory.sh/hydra/docs/reference/api#operation/createOAuth2Client
m
Awesome, thanks very much for the links, I'll give it a shot. Good to know that you were successful in setting up a system similar to what I want.
@User Question for you: in each of your clients, how do you fetch vital information such as the user's name? Do you fetch it once when signing in and cache it? Do you fetch it from your main.com server every time? Or is there maybe a JWT you read from that refreshes every couple of minutes? What happens if a user changes their name on main.com; when does proj1.com get that information?
b
@User Good question. TL;DR: I fetch it from my main.com server every time. However, I am also looking at ways I can cache this information; I haven't gotten around to implementing it yet. The long explanation follows: I only store the user's email and password in main.com and let each service, such as proj1.com, that connects to main.com for authentication manage other user information such as name etc. This way I can let each service manage its own user information and only use Kratos/Hydra for authentication/authorization with email and password. Once proj1.com successfully authenticates with main.com, I store the email and Kratos identity id within the access token created by Hydra. Then proj1.com uses Hydra's introspect token endpoint to get the Kratos identity id and also check if the token is active. Each service, such as proj1.com and proj2.com, has a Kratos identity id column in its respective user table to verify whether the user has access to the respective service. Let me know if you need any clarification regarding my explanation. I have also updated my repo to demonstrate how I use metadata to turn registration on and off, for example: https://github.com/atreya2011/go-kratos-test/compare/hydra-consent?expand=1