This article describes how Apache integrates with Ory Hydra to implement centralized authentication.
Background Information
Apache
Apache is an open source cloud native API gateway. As an API gateway, it has the characteristics of dynamic, real-time, and high performance. It provides rich traffic management functions such as load balancing, dynamic upstream, gray-scale publishing, service fusing, identity authentication and observability. You can use to handle the traditional north-south traffic and the east-west traffic between services. It can also be used as a K8s ingress controller. Thanks to the full dynamic design of , configuration changes can be made at any time without restarting the service.
The openid-connect plugin of supports the OpenID Connect protocol. Users can use this plugin to allow Apache to connect with many authentication service providers and deploy it in enterprises as a centralized authentication gateway.
ORY Hydra
Ory Hydra is one of the identity providers that supports the OAuth 2.0 and OpenID Connect protocols, based on the OAuth 2.0 authorization framework and the Open ID Connect Core 1.0 framework, with both open source and cloud native features. It can be integrated with any login system, and through OAuth 2.0 Access, Refresh, and ID Tokens, third parties can easily access your API, enabling users to interact with any application anytime, anywhere.
Ory Hydra is written in Go language and provides SDKs for almost all languages, including Dart, .NET, Go, Java, PHP, Python, Ruby, Rust, and Typescript. It works with any login system, and the login experience can be easily customized.
Introduction
OpenID is a centralized authentication mode, and it is a decentralized identity authentication system. The advantage of using OpenID is that users only need to register and log in on one OpenID identity provider's website and use one account and password information to access different applications.
With the openid-connect plugin supported by , we can integrate with authenticators supporting the OpenID Connect protocol. For example: Ory Hydra. For more information, please refer to: Centralized Identity Authentication.
One of the biggest advantages of Ory Hydra is that it implements the OAuth and OpenID Connect standards instead of forcing you to use "Hydra user management" (login, logout, profile management, registration), a specific template engine, or a predefined front end.
It allows to use the authentication mechanisms required by your program (token-based 2FA, SMS 2FA, etc.) and implement user management and login in your technology stack. Of course, you can also use existing solutions, such as authboss. It gives you all the great features of OAuth 2.0 and OpenID Connect while being minimally intrusive to your business logic and technology stack.
OAuth 2.0 can be used in many environments for various purposes. The following information may help you decide whether OAuth 2.0 and Hydra are suitable for a certain scenario:
- enable third-party solutions to access your APIs.
- be an Identity Provider like Google, Facebook, or Microsoft.
- enable your browser, mobile, or wearable applications to access your APIs: Running an OAuth2 Provider can work great for this. You don't have to store passwords on the device and can revoke access tokens at any time.
- you want to limit what type of information your backend services can read from each other. For example, the comment service should only be allowed to fetch user profile updates but shouldn't be able to read user passwords.
Operation steps
Next, I will show you how integrates with Hydra using a real example. In this example, Docker will be used to running the required environment. Please install Docker before doing this.
Step 1: Create and deploy the database
For quick deployment of the test environment, we will use Docker to run PostgreSQL as Hydra's database. It's not recommended to use Docker to run the database in production.
docker network create hydraguide && \docker run \ --network hydraguide \ --name ory-hydra-example--postgres \ -e POSTGRES_USER=hydra \ -e POSTGRES_PASSWORD=secret \ -e POSTGRES_DB=hydra \ -d postgres:9.6The above command will create a network named hydraguide and start a Postgres instance named ory-hydra-example--postgres which creates the database hydra, the user hydra, and the user password secret.
Step 2: Deploy Hydra
This step will map 4444 to 5444 and 4445 to 5445 ports, please make sure that these ports are not used.
- The system key can only be set for the new database, and does not support key rotation. This key is used to encrypt the database and needs to be set to the same value each time the process restarts. You can use
/dev/urandomto generate keys. But make sure that the key must be the same when you define it. For example, you can store the value somewhere:
export SECRETS_SYSTEM=$(export LC_CTYPE=C; cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)Set Hydra's database URL to point to your Postgres instance by configuring an environment variable.
export DSN=postgres://hydra:secret@ory-hydra-example--postgres:5432/hydra?sslmode=disable- Ory Hydra does not migrate SQL automatically, so you need to manually perform the database migration.
docker pull oryd/hydra:v1.10.6 && \docker run -it --rm \ --network hydraguide \ oryd/hydra:v1.10.6 \ migrate sql --yes $DSN- Run the Hydra server with the following command. For more information, please refer to deploy-ory-hydra.
docker run -d \ --name ory-hydra-example--hydra \ --network hydraguide \ -p 5444:4444 \ -p 5445:4445 \ -e SECRETS_SYSTEM=$SECRETS_SYSTEM \ -e DSN=$DSN \ -e URLS_SELF_ISSUER=https://localhost:5444/ \ -e URLS_CONSENT=http://localhost:9020/consent \ -e URLS_LOGIN=http://localhost:9020/login \ oryd/hydra:v1.10.6 serve allYou can view Hydra logs using the following command:
docker logs ory-hydra-example--hydranote
If the Hydra password is not specified, you can find the password information in the log. If you forget your password, you will not be able to restart Hydra.
You can also use the following commands to view Hydra related introductions and operation commands.
docker run -it --rm --entrypoint hydra oryd/hydra:v1.10.6 help serveStep 3: Deploy login and authentication programs
Login Provider and Consent Provider can be two separate web services. Hydra provides sample programs that combine both functions in one application. Next, we'll deploy the application using Docker.
docker pull oryd/hydra-login-consent-node:v1.10.6 && \docker run -d \ --name ory-hydra-example--consent \ -p 9020:3000 \ --network hydraguide \ -e HYDRA_ADMIN_URL=https://ory-hydra-example--hydra:4445 \ -e NODE_TLS_REJECT_UNAUTHORIZED=0 \ oryd/hydra-login-consent-node:v1.10.6You can use the following command to check whether the program runs normally:
docker logs ory-hydra-example--consentReturns the result normally:
> hydra-login-consent-logout@0.0.0 serve /usr/src/app> node lib/app.jsListening on http://0.0.0.0:3000Step 4: Execute the OAuth 2.0 Authorization Code Flow
Hydra supports the ability to set an OAuth 2.0 consumer and OAuth 2.0 callback URL via the CLI, and is a third-party application that requests access to user resources on the server.
This information is required when configuring the openid-connect plugin:
idcorresponds to theclient_idconfigure by the plugin in the following route.secretcorresponds to theclient_secretconfigured by the plugin in the following route.scopecorresponds to thescopeconfigured by the plugin in the following route.
docker run --rm -it \ -e HYDRA_ADMIN_URL=https://ory-hydra-example--hydra:4445 \ -- network hydraguide \ oryd/hydra:v1.10.6 \ clients create --skip-tls-verify \ --id facebook-photo-backup \ --secret some-secret \ --grant-types authorization_code,refresh_token,client_credentials,implicit \ --response-types token,code,id_token \ --scope openid,offline,photos.read \ --callbacks http://127.0.0.1:9010/callbackThe following example will perform an OAuth 2.0 authorization flow. To simplify this, the Hydra CLI provides a helper command called hydra token user.
docker run --rm -it \ --network hydraguide \ -p 9010:9010 \ oryd/hydra:v1.10.6 \ token user --skip-tls-verify \ --port 9010 \<span class="token-line" style="color: rgb(57, 58, 52);