Hydra is an OAuth 2.0 and OpenID Connect Provider. In other words, an implementation of the OAuth 2.0 Authorization Framework as well as the OpenID Connect Core 1.0 framework. As such, it issues OAuth 2.0 Access, Refresh, and ID Tokens that enable third-parties to access your APIs in the name of your users.
One of ORY Hydra's biggest advantages is that unlike other OAuth 2.0 implementations, it implements the OAuth and OpenID Connect standard without forcing you to use a "Hydra User Management" (login, logout, profile management, registration), a particular template engine, or a predefined front-end.
This allows you to implement user management and login your way, in your technology stack, with authentication mechanisms required by your use case (token-based 2FA, SMS 2FA, etc). You can of course use existing solutions like authboss or auth0.com. It provides you all the benefits of OAuth 2.0 and OpenID Connect while being minimally invasive to your business logic and technology stack.
In addition to the OAuth 2.0 functionality, ORY Hydra offers a safe storage for cryptographic keys (used for example to sign JSON Web Tokens) and can manage OAuth 2.0 Clients.
ORY Hydra is OpenID Connect certified (pending) and implements all the requirements stated by the OpenID Foundation. In particular, it correctly implements the various OAuth 2.0 and OpenID Connect flows specified by the IETF and OpenID Foundation.
ORY Hydra's architecture and work flows are designed to neutralize many common (OWASP TOP TEN) and uncommon attack vectors. Learn more.
Hydra has a low CPU and memory footprint, short start-up time, and scales effortlessly up and down on many platforms including Heroku, Cloud Foundry, Docker, Google Container Engine, and others.
Hydra is available for all popular platforms including Linux, OSX and Windows. It ships as a single binary without any additional dependencies. For further simplicity, it is available as a Docker Image.
Hydra also provides a developer-friendly CLI.
Hydra has a few limitations too:
- Hydra does not manage user accounts, i.e. user registration, password reset, user login, sending confirmation emails, etc. In Hydra's architecture, the Identity Provider is responsible for this.
- Hydra doesn't support the OAuth 2.0 Resource Owner Password Credentials flow because it is legacy, discouraged, and insecure.
OAuth 2.0 can be used in many environments for various purposes. This list might help you decide if OAuth 2.0 and Hydra are the right fit for a use case:
- enable third-party solutions to access to your APIs: This is what an OAuth2 Provider does, Hydra is a perfect fit.
- be an Identity Provider like Google, Facebook, or Microsoft: OpenID Connect and thus Hydra is a perfect fit.
- enable your browser, mobile, or wearable applications to access your APIs: Running an OAuth2 Provider can work great for this. You don't have to store passwords on the device and can revoke access tokens at any time. GMail logins work this way.
- you want to limit what type of information your backend services can read from each other. For example, the comment service should only be allowed to fetch user profile updates but shouldn't be able to read user passwords. OAuth 2.0 might make sense for you.