Clarifications about hydra


Mohamedh Fazal

Jun 4, 2016, 8:22:31 AM
to ory-hydra
Hi,

I have some follow-up questions about Hydra after issue #94.

First I want to implement an IDP compatible with Hydra. 

I have a few services that a user can enable and use once the user is logged in. The user must have permission to enable and communicate with the service. The user is given a client_id and a client_secret when the service is enabled, to communicate with the service.

So, in short:

- Giving a user permission to use a specific service (can this be handled with Ladon Policies?)
- Giving user client credentials to communicate with the service (Does this client credential reside in hydra or IDP?).
- Giving a service the ability to verify user's client credentials

I want to move to Hydra. Is it possible to manage this use case with Hydra?


Aeneas Rekkas

Jun 4, 2016, 8:39:59 AM
to ory-...@googlegroups.com
Hi,


> I have a few services that a user can enable and use once the user is logged in. The user must have permission to enable
> and communicate with the service. The user is given a client_id and a client_secret when the service is enabled, to communicate with the service.

You give client_id and client_secret only to application owners. Read the Dropbox OAuth2 guide to understand what this means: https://www.dropbox.com/developers/reference/oauth-guide

You, as an administrator, are also an application owner. Your applications are typically some front ends for your app, e.g.: React Web App, iOS Native App, Android Native App, ...


> - Giving user client credentials to communicate with the service

If your intention is that the user is creating his own OAuth2 app, this is correct. Otherwise it's not.


> (Does this client credential reside in hydra or IDP?).

Hydra!


> - Giving a user permission to use a specific service (can this be handled with Ladon Policies?)

Yes, you can either use OAuth2 scopes or Ladon Policies or both. You will need to implement the firewall, either a proxy which checks all HTTP requests, or a request in your resource server code, yourself.

> - Giving a service the ability to verify user's client credentials

Hydra supports the OAuth2 Client Grant - so it's possible to authenticate a client using his credentials only (id, secret).

--
You received this message because you are subscribed to the Google Groups "ory-hydra" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ory-hydra+...@googlegroups.com.
To post to this group, send email to ory-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ory-hydra/3646df15-49bb-47f3-8dbc-3aa651317bf7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
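The answer above says that granting a user access to a service can be done with OAuth2 scopes, Ladon policies or both, and that the firewall (a proxy in front of the service, or a check inside the resource server) is something you build yourself. The following Go program is an added example, not code from the Hydra or Ladon projects, of what such a firewall looks like inside a resource server: it checks that the bearer token is active and carries the required scope, then evaluates a small policy set with Ladon's semantics (nothing is allowed by default, an explicit deny beats any allow). The token table, the policy struct, the client names, the `invoices:*` resource naming and the use of a token's subject as the client_id are all constructed for the example; a real deployment would replace the table lookup with a call to the provider's token introspection, and the policy evaluator with Ladon itself.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TokenInfo is what introspecting an access token yields. The table below is
// constructed sample data standing in for the call to the OAuth2 provider.
type TokenInfo struct {
	Active  bool
	Subject string   // for a client-credentials token this is the client_id
	Scopes  []string // scopes granted when the token was issued
}

var tokens = map[string]TokenInfo{
	"tok-billing-app":   {Active: true, Subject: "billing-app", Scopes: []string{"invoices:read"}},
	"tok-reporting-app": {Active: true, Subject: "reporting-app", Scopes: []string{"invoices:read"}},
	"tok-audit-app":     {Active: true, Subject: "audit-app", Scopes: []string{"audit:read"}},
	"tok-old-app":       {Active: false, Subject: "old-app", Scopes: []string{"invoices:read", "invoices:write"}},
}

// Policy is a simplified Ladon-style access control policy (a hypothetical type, not Ladon's own).
type Policy struct {
	Subjects, Resources, Actions []string
	Effect                       string // "allow" or "deny"
}

// Constructed policies: both apps may read invoices, but reporting-app is explicitly
// denied the confidential ones. audit-app has no policy at all.
var policies = []Policy{
	{Subjects: []string{"billing-app", "reporting-app"}, Resources: []string{"invoices:*"}, Actions: []string{"get"}, Effect: "allow"},
	{Subjects: []string{"reporting-app"}, Resources: []string{"invoices:confidential"}, Actions: []string{"get"}, Effect: "deny"},
}

// matches reports whether value equals one of the patterns; a trailing "*" is a prefix wildcard.
func matches(patterns []string, value string) bool {
	for _, p := range patterns {
		if p == value || (strings.HasSuffix(p, "*") && strings.HasPrefix(value, strings.TrimSuffix(p, "*"))) {
			return true
		}
	}
	return false
}

// IsAllowed evaluates the policy set the way Ladon does: deny overrides allow,
// and a request is refused unless at least one allow policy matches it.
func IsAllowed(subject, resource, action string) bool {
	allowed := false
	for _, p := range policies {
		if !matches(p.Subjects, subject) || !matches(p.Resources, resource) || !matches(p.Actions, action) {
			continue
		}
		if p.Effect == "deny" {
			return false
		}
		allowed = true
	}
	return allowed
}

// Authorize is the firewall decision for one request, expressed as the HTTP status the
// resource server should answer with: 401 for a missing or inactive token, 403 when the
// token lacks the scope or its subject is not allowed by policy, 200 otherwise.
func Authorize(bearer, requiredScope, resource, action string) int {
	info, ok := tokens[bearer]
	if !ok || !info.Active {
		return http.StatusUnauthorized
	}
	if !matches(info.Scopes, requiredScope) || !IsAllowed(info.Subject, resource, action) {
		return http.StatusForbidden
	}
	return http.StatusOK
}

// firewall wraps a handler with the check; the URL path "/invoices/<name>" maps to resource "invoices:<name>".
func firewall(requiredScope, action string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		bearer := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		resource := "invoices:" + strings.TrimPrefix(r.URL.Path, "/invoices/")
		if status := Authorize(bearer, requiredScope, resource, action); status != http.StatusOK {
			http.Error(w, http.StatusText(status), status)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// RequestStatus sends one in-process request through the protected handler and returns the status code.
func RequestStatus(bearer, path string) int {
	h := firewall("invoices:read", "get", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "invoice data")
	}))
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if bearer != "" {
		req.Header.Set("Authorization", "Bearer "+bearer)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, c := range []struct{ token, path string }{
		{"tok-billing-app", "/invoices/2016-06"}, {"tok-reporting-app", "/invoices/confidential"},
		{"tok-audit-app", "/invoices/2016-06"}, {"tok-old-app", "/invoices/2016-06"}, {"", "/invoices/2016-06"},
	} {
		fmt.Printf("%-18s %-24s -> %d\n", c.token, c.path, RequestStatus(c.token, c.path))
	}
}
```

The split between 401 and 403 is deliberate: an inactive or missing token is an authentication failure, while a valid token that lacks the scope or is denied by policy is an authorization failure, and keeping the two apart makes client-side handling and log triage simpler. Scope and policy are complementary checks, as the answer says: the scope is what the token was issued for, the policy is what the subject is permitted to do.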

Mohamedh Fazal

Jun 4, 2016, 9:59:43 AM
to ory-hydra
You're right. I forgot to mention that detail. Sorry about that.

Users create OAuth2 apps and give those applications access to the services with client credentials.

Aeneas Rekkas

Jun 4, 2016, 10:01:25 AM
to ory-...@googlegroups.com

No worries. Ok, then I believe an OAuth2 provider like Hydra is the right choice for you. :)
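The thread settles on the OAuth2 client credentials grant: the user's app authenticates with nothing but its client_id and client_secret and receives an access token to call the service. The Go program below is an added example, not Hydra's code, showing both sides of that exchange as defined in RFC 6749 section 4.4: a stand-in token endpoint that authenticates the client with HTTP Basic auth and issues an opaque token, and the client-side request the app makes. The in-process `httptest` server, the `/oauth2/token` path, the `registeredClients` table and the `billing-app` credentials are assumptions of the example; with a real provider the app would send the same request to the provider's token endpoint instead.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// registeredClients is a constructed stand-in for the client store an OAuth2 provider
// keeps (the provider's job, per the thread); a real provider stores hashed secrets.
var registeredClients = map[string]string{
	"billing-app": "s3cr3t-billing",
}

// tokenEndpoint implements the client credentials grant: the client authenticates with
// HTTP Basic auth and posts grant_type=client_credentials; it gets back a bearer token
// whose subject is the client itself, with no user involved.
func tokenEndpoint(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	clientID, secret, ok := r.BasicAuth()
	expected := registeredClients[clientID]
	// Constant-time comparison so the secret check does not leak timing information.
	if !ok || expected == "" || subtle.ConstantTimeCompare([]byte(secret), []byte(expected)) != 1 {
		w.Header().Set("WWW-Authenticate", `Basic realm="oauth2"`)
		w.WriteHeader(http.StatusUnauthorized)
		json.NewEncoder(w).Encode(map[string]string{"error": "invalid_client"})
		return
	}
	if r.Method != http.MethodPost || r.ParseForm() != nil || r.PostForm.Get("grant_type") != "client_credentials" {
		w.WriteHeader(http.StatusBadRequest)
		json.NewEncoder(w).Encode(map[string]string{"error": "unsupported_grant_type"})
		return
	}
	// Opaque random token; the provider would record which client and scope it belongs to.
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		http.Error(w, "entropy unavailable", http.StatusInternalServerError)
		return
	}
	json.NewEncoder(w).Encode(map[string]interface{}{
		"access_token": hex.EncodeToString(raw),
		"token_type":   "bearer",
		"expires_in":   3600,
		"scope":        r.PostForm.Get("scope"),
	})
}

// RequestClientCredentialsToken is what the user's OAuth2 app does: authenticate with its
// id and secret alone and obtain an access token for calling the service.
func RequestClientCredentialsToken(tokenURL, clientID, clientSecret, scope string) (string, error) {
	form := url.Values{"grant_type": {"client_credentials"}, "scope": {scope}}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var body struct {
		AccessToken string `json:"access_token"`
		Error       string `json:"error"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token request failed: %s (%s)", resp.Status, body.Error)
	}
	return body.AccessToken, nil
}

// NewProviderStub starts an in-process server playing the provider; the caller closes it.
func NewProviderStub() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/oauth2/token", tokenEndpoint)
	return httptest.NewServer(mux)
}

func main() {
	srv := NewProviderStub()
	defer srv.Close()
	tok, err := RequestClientCredentialsToken(srv.URL+"/oauth2/token", "billing-app", "s3cr3t-billing", "invoices:read")
	fmt.Println("valid secret ->", tok, err)
	_, err = RequestClientCredentialsToken(srv.URL+"/oauth2/token", "billing-app", "wrong-secret", "invoices:read")
	fmt.Println("wrong secret ->", err)
}
```

Two details carry over to a real deployment: the client secret travels in the Authorization header rather than the form body, so it must only ever be sent over TLS, and the endpoint answers a bad secret with a generic `invalid_client` rather than saying whether the id or the secret was wrong.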
