Use Ory Hydra for OAuth2 functionality while extending it for authentication

[msaket]

I have more basic question.
I want to implement a OAuth2Server where for authentication/verification we want to call our own rest API. Once a user is authenticated for all OAuth2 specific functionality I want to use the OAuth2Server.

So essentially my plan is when a call comes to OAuth2 server, we will extend/enhance the server to call our REST API's internally to validate the user. Once the user is validated, OAuth2 server can continue to work normally. Is Hydra right tool for the same? Or should we also look into fosite or node-oauth2-server as well?

Any help from you gurus will be highly appreciated. As I indicated in my earlier post, I am very new to this space so any guidance towards known pitfalls is welcome. 🙂

[vinckr]

Stop me if im getting this wrong:
You want to use Ory Hydra as a OAuth2 server. You want to authenticate a user through Hydra via your internal REST APIs.

I think you want to use your internal setup to serve as OICD provider, basically "Login with our internal API" ?

I am guessing you are already familiar with OAuth2, but maybe this document can give you some perspective on the use case:
Do You Need OAuth2?

[msaket]

Thanks for the reply vinckr. I really apologize for replying so late. I missed the response.

I am familiar with OAuth2 and its concepts, but not an expert on the subject. Yes you are correct that for authentication I want to use our own API's but for all rest of the functionality (example generating refresh token) I want to you use OAuth2 server.

Is it a good idea to use Ory Hydra for this use case? I'm still playing with it, so any help on this will be highly appreciated.

[vinckr]

Dont worry about a late response!

For machine-machine interactions people usually use the client-credentials flow (specification).
You can definitely use Ory Hydra for this, you might need some other building parts depending on your setup.
But going by how you described it, I think Hydra is a good fit.
We do not have extensive guides for the client credentials setup, but if you would be interested in starting a draft I would be happy to help you finish & publish it!

[msaket]

Thanks for the response vinckr.

Reviewing various documentation I have gathered that I'll need to install ory hydra and hook it up with database. I'm sure there are other pieces that I am missing right now. Can you list out all of them at a high level?

Let me review client credentials flow.

I am keeping notes, will be very happy to convert in into a guide and share with you.

Thanks

[vinckr]

Hm, it depends on your setup what else you need. Ory Hydra and a database are good starting points for sure.
You may need a load balancer/reverse proxy, naturally I recommend Ory Oathkeeper, but I am sure there are loads of alternatives out there.

Do you want GUIs for your users or is it all running in the background?

You could also use Fosite I guess, but it is much harder and you need more background knowledge. Basically Hydra is built on top of Fosite, making most use cases much easier to handle.

We also have Open Source Support options and are looking to bring a first candidate of our hosted cloud environment soon™.
If you would be interested in those option as opposed to setting it up yourself, reach out to [email protected].

[msaket]

Thanks for the help Vinckr. That's what I am thinking as well, to begin with setup Ory Hydra and database. I'm not too worried about load balancer/reverse proxy. We will need UI for our users as well, we may create something of our own.

At least for now we'll try to do it and see how far we can take it. Thanks for all your support. I'll review the information that you have given me and may come back with additional questions if I have.