Ory Homepage

When to use OAuth2: Scaling auth for the enterprise

As your ecosystem of apps and services expands, simple authentication fails to scale, creating significant security risks and development challenges. Learn why enterprises must adopt the OAuth2 standard and how combining a robust identity system like Ory Kratos with an authorization server like Ory Hydra builds the secure, future-proof architecture needed for growth.

Ory ecosystem
Picture of The Ory Team
The Ory Team

For many organizations, managing user authentication and authorization starts simply enough.

A single website, a couple of applications – a direct identity solution might initially suffice. But what happens when your customer base grows, your product portfolio expands, and your internal systems multiply? This is where the capability and necessity of a standards-based approach like OAuth2 applies, especially when combined with a robust identity management system such as Ory Kratos.

While Ory Kratos provides powerful, native authentication flows, its strength lies in managing the core user identity lifecycle. For large, complex organizations like financial institutions with numerous products, mobile clients, or intricate internal systems, the optimal architectural outcome frequently involves a standards-based setup using Ory Kratos and Ory Hydra for OAuth2. This combination leverages Kratos for its robust user management capabilities while incorporating Hydra’s industry-standard authorization power of OAuth2.

Why large organizations benefit from OAuth2

If your organization fits the description of a large enterprise or a financial institution, here’s why integrating OAuth2 into your authentication architecture is not just advantageous, but often foundational for long-term operational success:

  • Extensive SDK support across languages and platforms: OAuth2 is a universally recognized standard. This means a substantial collection of SDKs and libraries are available across virtually every programming language (e.g., Python, Java, Node.js, Go) and platform (web, mobile, desktop). This significantly reduces development time and effort when integrating new applications or services, as developers can leverage existing, validated tools rather than building custom authentication logic. This interoperability is a core component of scalable enterprise architecture.
  • Streamlined integration with internal tools and new systems: In a large organization, the need to connect various internal tools, third-party services, and newly developed systems is constant. OAuth2's standardized approach simplifies this considerably. Instead of developing bespoke integration logic for each system, you can rely on established OAuth2 flows:
    • Authorization code grant with PKCE: This is the recommended flow for public clients (single-page applications (SPAs) and native/mobile apps) and increasingly for confidential clients (web applications) due to the strong security benefits it provides. The "Proof Key for Code Exchange" (PKCE) extension mitigates interception attacks for public clients that cannot securely store a client secret. The flow involves a secure redirection to the authorization server (Ory Hydra), user authentication (handled by Ory Kratos), user consent, issuance of an authorization code, and then the client exchanging this code for an access_token and potentially a refresh_token and id_token (if OpenID Connect is also used).
    • Client credentials grant: This flow is suitable for machine-to-machine (M2M) communication, where an application needs to access an API on its own behalf, without direct user involvement. This is common for backend services, microservices, or automated processes.
    • Delegated authorization through scopes: OAuth2 leverages scopes to define the specific permissions granted to an application. For example, an application might only receive a read:email scope, restricting its access to reading emails only, not sending them. This granular control is vital for maintaining the principle of least privilege in complex environments.
  • Architectural flexibility for system evolution: Business requirements evolve. Older systems are phased out, and new products are launched. OAuth2 provides the architectural flexibility to handle these transitions efficiently. You can integrate new offerings without disrupting existing authentication mechanisms and deprecate older systems without causing a cascading effect of broken integrations. This agility, facilitated by a decoupled authentication layer, supports sustained growth. By issuing time-limited access_tokens and managing refresh_tokens, the system can dynamically adjust access and revoke tokens as needed.
  • Improved onboarding and compatibility in M&A scenarios: Mergers and acquisitions are complex, and integrating disparate IT infrastructures can present a significant challenge. Organizations utilizing OAuth2-based authentication can streamline the identity integration process during M&A. The standardized nature of OAuth2 makes it notably easier to achieve compatibility and onboard new entities, reducing both integration complexity and associated costs. This is further enhanced when combined with OpenID Connect (OIDC), an authentication layer built on top of OAuth2, which provides standardized ID Tokens (JSON Web Tokens - JWTs) containing verifiable identity claims about the authenticated user. This supports seamless Single Sign-On (SSO) across disparate systems.

Using Kratos-only for complex landscapes

Ory Kratos is an API-first identity and user management system that handles user registration, login, profile management, password resets, multi-factor authentication (MFA), and session management. Its native flows are effective for these core identity lifecycle functions.

However, Kratos' native flows are primarily designed for direct interaction between an application and the Kratos instance for user identity management. While efficient for authentication, they are non-standard in how they handle authorization for accessing diverse resources across an ecosystem of applications. This implies that if you have numerous services (e.g., microservices, internal APIs, mobile apps, partner portals), each would need to implement custom logic to validate a Kratos session or token and then determine what the user is authorized to do.

This "custom auth logic for each system" approach presents a significant scaling challenge for large enterprises. Consider:

  • Increased development overhead: Every new application or service requires bespoke code to interpret Kratos sessions and apply authorization rules.
  • Inconsistent security postures: Different teams might implement authorization logic in varying ways, leading to inconsistencies and potential security vulnerabilities.
  • Maintenance complexity: Updating or changing authorization policies becomes a distributed, manual, and error-prone process.
  • Lack of centralized authorization policy enforcement: Without a central authorization server, enforcing granular access control policies across all applications becomes difficult.

This approach works for SMEs, but it does not scale efficiently in complex IT (versus R&D) environments, where dozens or hundreds of applications need to interact securely.

The technical synergy: Kratos + OAuth2 (Ory Hydra)

This is where the combination of Ory Kratos and Ory Hydra (an OAuth2 and OpenID Connect provider) offers a robust solution:

  • Ory Kratos: The Identity Provider (IdP): Kratos functions as your cloud-native identity management system. It handles all user-facing identity flows:
    • User registration (e.g., email/password, social logins, passkeys)
    • User login (including MFA, re-authentication)
    • Account recovery (password reset, email verification)
    • Profile management
    • Session management
    • Ory Kratos authenticates the user and manages their identity lifecycle
  • Ory Hydra: The OAuth2 authorization server: Hydra acts as the authorization server, issuing access_tokens and refresh_tokens after Kratos has authenticated a user and the user has granted consent.
    • Standardized token issuance: Hydra issues standardized OAuth2 tokens (often JWTs for id_tokens, and opaque tokens for access_tokens and refresh_tokens for enhanced security). These tokens carry authorization information (scopes) that can be easily validated by any resource server.
    • Consent management: Hydra facilitates the user consent flow, where users explicitly grant permissions (scopes) to client applications. This is a critical security and privacy feature for complex ecosystems.
    • Token introspection & revocation: Hydra provides endpoints for token introspection (checking the active status and details of a token) and token revocation (invalidating tokens prematurely), which are essential for secure operations.
    • OpenID Connect (OIDC) support: As an OIDC provider, Hydra issues id_tokens, allowing client applications to verify the user's identity based on the claims within the JWT. This separates authentication (who the user is, handled by Kratos + OIDC) from authorization (what the user can do, handled by OAuth2).

The combined flow:

  1. A client application initiates an OAuth2 Authorization Code flow by redirecting the user to Ory Hydra.
  2. Hydra, acting as the authorization server, then redirects the user to Ory Kratos for authentication.
  3. Kratos handles the user's login, potentially involving MFA or other configured flows.
  4. Upon successful authentication, Kratos informs Hydra.
  5. Hydra presents a consent screen to the user (often a custom UI integrated with Hydra) to approve the requested scopes.
  6. If the user consents, Hydra issues an authorization code back to the client application.
  7. The client application exchanges this code with Hydra's token endpoint for an access_token (for accessing protected resources), a refresh_token (for obtaining new access tokens without re-authentication), and an id_token (for user identity verification).
  8. The client application can then present the access_token to any of your resource servers (APIs, microservices). These resource servers can validate the token (e.g., by calling Hydra's introspection endpoint or by verifying the JWT signature if it's a JWT) and enforce authorization based on the scopes contained within.

A real-world use case: Banking & financial services example

The experience of a current Ory banking customer provides a clear illustration. When initially setting up their retail banking platform, a Kratos-only approach was considered. However, the expansive scope and complexity of their platform – encompassing numerous services, internal tools, and customer-facing applications – quickly indicated that OAuth2, powered by Ory Hydra, represented the more effective architectural choice. Their requirement for multiple client types (web, mobile), extensive third-party integrations, and machine-to-machine communication necessitated a standardized, token-based authorization framework that Kratos' native flows alone could not provide with adequate efficiency. While the integration of OAuth2 might have commenced later than optimal in this specific instance, it underscores the critical importance of making this architectural decision early in the development lifecycle for new customers.

Steering towards optimized outcomes: Kratos + OAuth2 from the outset

Moving forward, our recommendation is clear: for large customers with intricate and evolving IT landscapes, the conversation should prioritize a combined Ory Kratos + OAuth2 architecture from the initial stages. This proactive approach, leveraging Kratos for robust identity management and Hydra for scalable, standards-based authorization, yields demonstrably better long-term outcomes, substantially lowers integration risk, and provides the scalability and flexibility essential for navigating the complexities of modern enterprise environments.

By integrating OAuth2 with Ory Kratos, organizations can establish a resilient, future-proof authentication and authorization framework that supports expansion, simplifies operations, and ensures a consistent experience for both users and developers.

Ready to architect a scalable identity solution for your enterprise? Don't let proprietary authentication flows limit your growth. Explore how Ory Kratos and Ory Hydra can empower your organization with a robust, standards-based identity and authorization framework. Contact us today to discuss your specific architectural needs or Learn more from our documentation on Ory Kratos and Ory Hydra.