https://www.ory.sh/ logo
#talk-hydra
Title
# talk-hydra
m

modern-controller-1963

01/16/2022, 8:17 AM
I have a couple of projects: main.com, proj1.com, proj2.com, proj3.com. I wanted to make it so that main.com hosts all the authentication accounts, and then the projects can oauth with it to sign in/sign up. This was I can continue to add more projects without touching auth at all and instead just have to quickly implement oauth (which there are premade libraries for). Do you think this is a good idea? If not, why not? If so, then should main.com use kratos + hydra or do I need more than those two?
b

bulky-architect-22083

01/16/2022, 11:39 AM
Hello. I am working on a project with the exact same concept like yours. Kratos + Hydra works well to implement the core auth platform with other services acting as oauth2 clients. You can find my example implementation in Go here. https://github.com/atreya2011/go-kratos-test/tree/hydra-consent
You can also store service specific json metadata in the oauth2 clients when you create them. https://www.ory.sh/hydra/docs/reference/api#operation/createOAuth2Client
m

modern-controller-1963

01/17/2022, 1:46 AM
Awesome, thanks very much for the links, ill give it a shot. Good to know that you are successful in setting up a similar system to what I want
@User Question for you, each of your clients, how do you fetch vital information such as the user's name? Do you fetch once when signing in and cache it? Do you fetch it from your main.com server every time? Or maybe is there a JWT you read from and refreshes every couple minutes? What happens if user changes their name on main.com, when does proj1.com get that information?
b

bulky-architect-22083

01/18/2022, 1:41 AM
@User Good Question. TLDR I fetch it from my main.com server every time. However I am also looking at ways I can cache this information. Haven't gotten around to implementing it yet. The long explanation follows: I only store user email and password in main.com and let each service such as proj1.com that connects to main.com for authentication manage other user information such as name etc. This way I can let each service manage their own user information and only use Kratos/Hydra for just authentication/authorization with email and password. Once proj1.com successfully authenticates with main.com, I store the email and kratos identity id within the access token created by Hydra. Then proj1.com uses hydra’s introspect token endpoint to get the kratos identity id and also check if the token is active. Each service such as proj1.com proj2.com has a kratos identity id column in their respective user tables to verify if the user has access to the respective services. Let me know if you need any clarification regarding my explanation. I have also updated my repo to demonstrate how I use metadata to turn registration on and off for example. https://github.com/atreya2011/go-kratos-test/compare/hydra-consent?expand=1
3 Views