Run your own low-latency, cloud native OAuth2 and OpenID Connect provider. Written in Google Go.
Table of Contents
At first, there was the monolith. The monolith worked well with the bespoke authentication module. Then, the web evolved into an elastic cloud that serves thousands of different user agents in every part of the world.
Hydra is driven by the need for a scalable, low-latency, in memory Access Control, OAuth2, and OpenID Connect layer that integrates with every identity provider you can imagine.
Hydra is available through Docker and relies on RethinkDB for persistence. Database drivers are extensible, in case you want to use RabbitMQ, MySQL, MongoDB, or some other database instead.
This section is a quickstart guide to working with Hydra. In-depth docs are available as well:
The easiest way to start docker is without a database. Hydra will keep all changes in memory. But be aware! Restarting, scaling or stopping the container will make you lose all data:
$ docker run -d -p 4444:4444 oryam/hydra --name my-hydra ec91228cb105db315553499c81918258f52cee9636ea2a4821bdb8226872f54b
The CLI client is available at gobuild.io.
There is currently no installer which adds the CLI to your path automatically. You have to set up the path yourself. If you do not understand what that means, ask on our Gitter channel.
To install the CLI from source, execute:
go get github.com/ory-am/hydra go get github.com/Masterminds/glide cd $GOPATH/src/github.com/ory-am/hydra glide install go install github.com/ory-am/hydra hydra
Alternatively, you can use the CLI in Docker (not recommended):
$ docker exec -i -t <hydra-container-id> /bin/bash # e.g. docker exec -i -t ec12 /bin/bash root@ec91228cb105:/go/src/github.com/ory-am/hydra# hydra Hydra is a twelve factor OAuth2 and OpenID Connect provider Usage: hydra [command] [...]
Install the CLI and Docker Toolbox. Make sure you install Docker Compose. On OSX and Windows, open the Docker Quickstart Terminal. On Linux open any terminal.
We will use a dummy password as system secret:
SYSTEM_SECRET=passwordtutorialpasswordtutorial. Use a very secure secret in production.
On OSX and Windows using the Docker Quickstart Terminal.
$ go get github.com/ory-am/hydra $ cd $GOPATH/src/github.com/ory-am/hydra $ DOCKER_IP=$(docker-machine ip default) docker-compose build WARNING: The SYSTEM_SECRET variable is not set. Defaulting to a blank string. rethinkdb uses an image, skipping Building hydra [...] $ SYSTEM_SECRET=passwordtutorialpasswordtutorial DOCKER_IP=$(docker-machine ip default) docker-compose up Starting hydra_rethinkdb_1 Recreating hydra_hydra_1 Recreating hydra_consent_1 Attaching to hydra_rethinkdb_1, hydra_hydra_1, hydra_consent_1 [...]
$ go get github.com/ory-am/hydra $ cd $GOPATH/src/github.com/ory-am/hydra $ DOCKER_IP=localhost docker-compose build WARNING: The SYSTEM_SECRET variable is not set. Defaulting to a blank string. rethinkdb uses an image, skipping Building hydra [...] $ SYSTEM_SECRET=passwordtutorialpasswordtutorial DOCKER_IP=tutorialpassword docker-compose up Starting hydra_rethinkdb_1 Recreating hydra_hydra_1 Recreating hydra_consent_1 Attaching to hydra_rethinkdb_1, hydra_hydra_1, hydra_consent_1 [...] mhydra | mtime="2016-05-17T18:09:28Z" level=warning msg="Generated system secret: MnjFP5eLIr60h?hLI1h-!<4(TlWjAHX7" [...] mhydra | mtime="2016-05-17T18:09:29Z" level=warning msg="Temporary root client created." mhydra | mtime="2016-05-17T18:09:29Z" level=warning msg="client_id: d9227bd5-5d47-4557-957d-2fd3bee11035" mhydra | mtime="2016-05-17T18:09:29Z" level=warning msg="client_secret: ,IvxGt02uNjv1ur9" [...]
You have now a running hydra docker container! Additionally, a RethinkDB image was deployed and a consent app.
Hydra can be managed with the hydra cli client. The client hast to log on before it is allowed to do anything.
When hydra detects a new installation, a new temporary root client is created. The client credentials are printed by
docker compose up:
mhydra | mtime="2016-05-17T18:09:29Z" level=warning msg="client_id: d9227bd5-5d47-4557-957d-2fd3bee11035" mhydra | mtime="2016-05-17T18:09:29Z" level=warning msg="client_secret: ,IvxGt02uNjv1ur9"
The system secret is a global secret assigned to every hydra instance. It is used to encrypt data at rest. You can
set the system secret through the
$SYSTEM_SECRET environment variable. When no secret is set, hydra generates one:
time="2016-05-15T14:56:34Z" level=warning msg="Generated system secret: (.UL_&77zy8/v9<sUsWLKxLwuld?.82B"
Important note: Please be aware that logging passwords should never be done on a production server. Either prune the logs, set the required parameters, or replace the credentials with other ones.
Now you know which credentials you need to use. Next, we log in.
Note: If you are using docker toolbox, please use the ip address provided by
docker-machine ip default as cluster url host.
$ hydra connect Cluster URL: https://localhost:4444 Client ID: d9227bd5-5d47-4557-957d-2fd3bee11035 Client Secret: ,IvxGt02uNjv1ur9 Done.
Great! You are now connected to Hydra and can start by creating a new client:
$ hydra clients create --skip-tls-verify Warning: Skipping TLS Certificate Verification. Client ID: c003830f-a090-4721-9463-92424270ce91 Client Secret: Z2pJ0>Tp7.ggn>EE&rhnOzdt1
Important note: Hydra is using self signed TLS certificates for HTTPS, if no certificate was provided. This should
never be done in production. To skip the TLS verification step on the client, provide the
Why not issue an access token for your client?
$ hydra token client --skip-tls-verify Warning: Skipping TLS Certificate Verification. JLbnRS9GQmzUBT4x7ESNw0kj2wc0ffbMwOv3QQZW4eI.qkP-IQXn6guoFew8TvaMFUD-SnAyT8GmWuqGi3wuWXg
Let's try this with the authorize code grant!
$ hydra token user --skip-tls-verify Warning: Skipping TLS Certificate Verification. If your browser does not open automatically, navigate to: https://192.168.99.100:4444/oauth2/auth?client_id=d9227bd5-5d47-4557-957d-2fd3bee11035&response_type=code&scope=core+hydra&state=sbnwdelqzxyedwtqinxnolbr&nonce=sffievieeesltbjkwxyhycyq Setting up callback listener on http://localhost:4445/callback Press ctrl + c on Linux / Windows or cmd + c on OSX to end the process.
Great! You installed hydra, connected the CLI, created a client and completed two authentication flows! Your next stop should be the Guide.
The Guide is available on GitBook.
The REST API is documented at Apiary.
The CLI help is verbose. To see it, run
hydra -h or
hydra [command] -h.
Unless you want to test Hydra against a database, developing with Hydra is as easy as:
go get github.com/ory-am/hydra go get github.com/Masterminds/glide cd $GOPATH/src/github.com/ory-am/hydra glide install go test ./... go run main.go
If you want to run Hydra against RethinkDB, you can do so by using docker:
docker run --name some-rethink -d -p 8080:8080 -p 28015:28015 rethinkdb # Linux DATABASE_URL=rethinkdb://localhost:28015/hydra go run main.go # Docker Terminal DATABASE_URL=rethinkdb://$(docker-machine ip default):28015/hydra go run main.go
A list of extraordinary contributors and bug hunters.