Implement Hydra integration

[sczj]

Configure Hydra's authorization authentication, how it should be configured in the profile

[aeneasr]

This will be possible in the future but we will first have to implement some basic features here.

[raffis]

This will be possible in the future but we will first have to implement some basic features here.

Do you have any vague idea when that will be the case? For me personally kratos makes only sense as being the authentication/identity provider for hydra.

[aeneasr]

I mean you can simply do this yourself today. Just add the Hydra snippet to your Kratos Self-Service Login UI and add a consent page.

[raffis]

Yes that is what I did for now. But would be awesome to have this out of the box.

[aeneasr]

The flow will somewhat be similar anyways, maybe with a small integration for login so if you solved that already today you're good to go with this for the next half year at least.

Regarding timelines, we do not give any unless t < 7d. Most issues have milestones attached (like this one) and you can check the overall milestones in the milestone tab which gives you a vague idea of how the feature is prioritized.

[hudongcheng]

@aeneasr @raffis Excuse me for asking, is there a sample code that integrate with Hydra?

[aeneasr]

Not yet, we're still working on some other features. Maybe you can ask in the community or on the forum if someone has already done it and can help you.

[tacurran]

@hudongcheng please see the comment here #273 from @raffis regarding a sample app "Yes that is what I did for now."

[romcok]

Yes that is what I did for now. But would be awesome to have this out of the box.

Hi, please does anyone have a hydra snippet for its integration into Kratos? It's super hard to do when there's no demonstration.

[exfly]

+1

[jpbogle]

I actually happened to have tried to do this as well.

I have forked the kratos example UI and integrated the hydra snippet into it and was planning to keep working on that so you could take a took and follow along here if you want

https://github.com/jpbogle/kratos-selfservice-ui-node/commit/edd2a478fb7880de0b92101dc98e1e8cc7a15444 https://github.com/jpbogle/kratos-selfservice-ui-node

The outstanding issue I am looking at is keeping the Hydra challenge throughout a login or registration flow with kratos without using cookies. I have discussed this briefly here on the Ory forums

https://community.ory.sh/t/ory-hydra-with-ory-kratos-as-idp/1845

[aeneasr]

For anyone looking, I've pushed this back because there's a way to solve this in the selfservice app. You can find the code here: https://github.com/ory/kratos-selfservice-ui-node/tree/hydra-integration/contrib/hydra

Please be aware that there are possible security issues if you do not implement it the way it is done there. To make this easier in the future, we'll add the implementation to ORY Kratos directly. But I'm pushing this back because there is a way to solve it now!

[CSRaghunandan]

@aeneasr Thanks a lot for the work you've put for the new 0.5.0 release. I was thinking, what changes would need to be made to get this to work: https://github.com/ory/kratos-selfservice-ui-node/tree/hydra-integration/contrib/hydra . This works on the older version of Kratos.

We were exploring Kratos as a userDB for Hydra and wanted to explore this branch further, but there were a few issues which we were waiting to be fixed in 0.5.0.

[aeneasr]

Good question! I haven't looked at the code but I think what you would need to do is just update the SDK usages to bring them up to the 0.5 release. As said earlier, we're still planning a seamless integration between the two projects but the refactor of the 0.5 release was a lot of work which is why we weren't able to do it for now.

[CSRaghunandan]

Good question! I haven't looked at the code but I think what you would need to do is just update the SDK usages to bring them up to the 0.5 release. As said earlier, we're still planning a seamless integration between the two projects but the refactor of the 0.5 release was a lot of work which is why we weren't able to do it for now.

I see. Thanks for the reply.

[CSRaghunandan]

Good question! I haven't looked at the code but I think what you would need to do is just update the SDK usages to bring them up to the 0.5 release. As said earlier, we're still planning a seamless integration between the two projects but the refactor of the 0.5 release was a lot of work which is why we weren't able to do it for now.

Hi @aeneasr

Can you please provide some tips on migrating the hydra-integration branch to 0.5.x version of Kratos?

What would be the best way to approach the migration to the newer version?

I was thinking about understanding the changes made in hydra-integration branch and make similar changes to self-serviceui branch on master branch. But a lot of files have been changed and I'm afraid this effort will take a quite a while to figure it out.

OR is it easier to start with the hydra-integration branch and make changes to work with 0.5.x version of kratos?

[CSRaghunandan]

I was thinking about understanding the changes made in hydra-integration branch and make similar changes to self-serviceui branch on master branch. But a lot of files have been changed and I'm afraid this effort will take a quite a while to figure it out.

I guess I need to modify hydra.ts file, but what changes should be made for the hydra and kratos client side code for typescript? The API has been changed and my editor is showing a bunch of errors, but idk where to lookup for the changed API.

[aeneasr]

Sorry, I don't really have time to look into this right now! But working on a native kratos/hydra integration is on our next roadmap!

[CSRaghunandan]

Sorry, I don't really have time to look into this right now! But working on a native kratos/hydra integration is on our next roadmap!

Any timelines for the roadmap?

Also, is there anyone else who could help me on this? Please let me know.

[aeneasr]

Unfortunately we do not give out timelines!

[rushairer]

Yes, those would be awesome to have this out of the box.

[jsiedentop]

I am currently developing a mobile application for Apple and Android using Flutter. Unfortunately I found the following hint in the documentation: "Social Sign Up is currently not possible for API Clients. It will be possible in a future version, which is partially tracked as kratos#273".

If I interpret this correctly, it means that Kratos is currently not suitable for mobile applications. A rule from Apple is that if you enable registrations in the app you always have to offer Apple sign up. Unfortunately, it's not an option to offer only email registration.

Would be awesome, to see this in the near future.

[aeneasr]

That’s not true:

Apps that exclusively use a third-party or social login service (such as Facebook Login, Google Sign-In, Sign in with Twitter, Sign In with LinkedIn, Login with Amazon, or WeChat Login) to set up or authenticate the user’s primary account with the app must also offer Sign in with Apple as an equivalent option. A user’s primary account is the account they establish with your app for the purposes of identifying themselves, signing in, and accessing your features and associated services. Sign in with Apple is not required if: Your app exclusively uses your company’s own account setup and sign-in systems. Your app is an education, enterprise, or business app that requires the user to sign in with an existing education or enterprise account. Your app uses a government or industry-backed citizen identification system or electronic ID to authenticate users. Your app is a client for a specific third-party service and users are required to sign in to their mail, social media, or other third-party account directly to access their content.

[jsiedentop]

@aeneasr Thanks for the clarification, it seems, that I was not well informed. So just mail registration would be possible. Anyways, it is a pity that social logins are currently only possible for web applications.

[aeneasr]

Well, supporting OIDC for native applications is really difficult as it involves token exchanges, trust, and of course a ton of security mechanisms. You are welcomed to share proposals and ideas how this could work!

[jsiedentop]

I have tried to help with the creation of the Dart SDK. But I don't know enough about this topic, so I won't be able to contribute here. If social logins for mobile apps is an use case, we have to choose an alternative (for now). I would have realized this earlier, if I had read the documentation better.

Nevertheless, I like the idea behind Ory Kratos and the concept makes a very good impression on me. Maybe I will take another look at a future project. Thanks for the great work!

[Jonas-Sander]

Is there any workaround to implement OIDC social login for API clients? I am also developing a flutter application and wanted to use ORY Kratos but can't without this. For my app I wanted to start with a Discord Social Log-In (email would be very inconvenient).

[nicolaric]

hey guys, is there any update on that ticket? I'm currently building a nativescript application and it would be nice to have that until release in october.

[vinckr]

Hey @nicolaric, have a look at our roadmap overview: https://www.ory.sh/docs/ecosystem/roadmap . We can't provide deadlines for open source features, but this is planned for the v0.10.0-alpha.1 milestone.

In the meantime you can check out this workaround: https://github.com/ory/kratos-selfservice-ui-node/tree/hydra-integration-2021 .

[adamfowleruk]

@vinckr Can I please ask that someone merges in the recent main branch changes into the hydra-integration-2021 branch? I'm currently debugging an issue on Kubernetes with kratos, hydra and istio (rather than oathkeeper). I'm mostly there, but I want to ensure my issues are not caused by this UI sample diverging. I'm using the latest kratos helm chart so will also check that too. Thanks.

[vinckr]

Sorry @adamfowleruk I missed your comment. I think there are multiple breaking changes since, so merging the recent branch would probably not be straightforward. But @aeneasr has probably a better idea if that is feasible at the moment.

[jeff0131]

Is it possible to get an update to the workaround mentioned by @vinckr? Out of the box, the current code gets into a loop trying to get the flow value.

[DeamonMV]

@jeff0131 try this one https://github.com/atreya2011/go-kratos-test I found it recently, maybe it will help you somehow.

[jeff0131]

Thanks @DeamonMV but I'm trying to use hydra as an oidc oauth2 server with kratos for self-service identity.

[yevyevyev]

so, before even thinking about implementing native OIDC flows the hydra integration needs to be finished, and it is still in progress, right?

[vinckr]

@tapkain This would make the integration much easier, but it is also possible in the current state e.g.: https://blog.px.dev/open-source-auth/

[UbiquitousBear]

@tapkain do we know what's blocking someone from just creating an express app to deal with this?

[micheljung]

I'm confused. What's the goal of this ticket? To provide a login/consent screen? I thought Kratos is API-only. https://github.com/ory/kratos-selfservice-ui-node/ seems to be a better place but as its name says, it's "self service". I'm not sure consent qualifies as self service.

Then there is https://github.com/ory/hydra-login-consent-node. I'll try implementing Kratos login there but I'm terrible at ExpressJS so maybe someone else could also give it a shot?

[snikch]

I think the required functionality is tightly coupled self service kratos apis that implement the hydra flow. So not the ui, but the capability to login and consent to a hydra authentication via Kratos.

[DzianisH]

Hi all,

Am I correct that this workaround from @aeneasr is out of date due to a lot of changes in the master branch hasn't been merged into the hydra-integration branch? And also you are working now on Kratos-Hydra integration closely in the scope of the Kratos project, aren't you?

[aeneasr]

Hi, yes, we’re working actively on it

[vinckr]

Hey @DzianisH In the meantime check out this community integration: https://github.com/atreya2011/go-kratos-test/tree/hydra-consent

[openscript]

I'm happy to see the issue is marked as completed. Is it now possible to access the identities inside a Kratos instance via Hydras OIDC?

[mvrahden]

Amazing 🎉

[aeneasr]

Yes exactly, we will add a quick guide to get this working in an example to the release notes. We want to release it today, but are still working on getting this to production before doing so.

[aeneasr]

Thank you all for your patience! I know it's been a long time coming :)

[bbroniewski]

Is that guide uploaded somewhere already? I can not find it. Thank you in advance! @aeneasr

[dezeroku]

@bbroniewski it works for me (meaning I can obtain tokens from hydra, based on Kratos' user data/login process) with the following config:

1. kratos docker image built from master, oauth2_provider.url in config set to hydra's admin API
2. consent v2.0.1, pointing to Hydra's admin/public API as usual
3. kratos' selfservice UI image :latest, pointing to kratos admin/public API as usual
4. hydra v2.0.1 with urls.consent pointing to consent API as usual and login/logout URLs pointing to Kratos' selfservice UI

[bbroniewski]

Hi @dezeroku, thank you for your help. I will wait for some time for official guide, if nothing will be available then for sure I will give it a try according to your points. Thank you again.

[aeneasr]

If you want to check out the flow on the Ory Network (where the feature flag and release is available), check out: https://www.ory.sh/run-oauth2-server-open-source-api-security/

:)

To do it yourself, the guide from @dezeroku is on point