Show HN: Hydra – Open-Source OAuth2 Server

In my research, Hydra is the only OSS OIDC server implementation that is built from the start in a modern, containerized manner.

I&#x27;m not too familiar with this space, so please excuse my question. What is OAuth2 server is?<p>I was under the impression that for a given service&#x2F;API typically OAuth2 is implemented by the provider on their servers, either from scratch or using some sort of library.<p>With an OAuth2 server are you running a separate server or is it an internal service that your application code connects to (and forwards requests?) when OAuth related requests come in?<p>A diagram of how an OAuth2 server fits into an application architecture and a visualization of an OAuth flow in it would greatly help here.

The Ory suite is missing the user database component. Is this still on the roadmap? The Hive project looks empty: <a href="https:&#x2F;&#x2F;github.com&#x2F;ory&#x2F;hive" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;ory&#x2F;hive</a>

I wonder how many open source projects use this name. There&#x27;s also Hydra[1], a Nix-based continuous build system.<p>[1] <a href="https:&#x2F;&#x2F;nixos.org&#x2F;hydra&#x2F;" rel="nofollow">https:&#x2F;&#x2F;nixos.org&#x2F;hydra&#x2F;</a>

Does Hydra follow the OAuth Security BCP (<a href="https:&#x2F;&#x2F;tools.ietf.org&#x2F;html&#x2F;draft-ietf-oauth-security-topics-12" rel="nofollow">https:&#x2F;&#x2F;tools.ietf.org&#x2F;html&#x2F;draft-ietf-oauth-security-topics...</a>)? I do not see PKCE or mix-up mitigation mentioned, for example.

I was just researching OAuth servers last week and came across Hydra several times. Congrats all on a big release!<p>Ran across some unexpected drama while poking around: apparently, one of the main authors of OAuth2 spec withdrew his name from the publication and has repeatedly publicly derided the standard. <a href="https:&#x2F;&#x2F;vimeo.com&#x2F;52882780" rel="nofollow">https:&#x2F;&#x2F;vimeo.com&#x2F;52882780</a>. Parts I heard were good.<p>I&#x27;d just like to make a small request that developers on tiny internal-only APIs not make a big ordeal out of OAuth and require a big honking session store anchored against the &quot;user&#x27;s&quot; OAuth creds on every <i>internal</i>, <i>service-to-service</i> request, thanks.

A looong time ago, when OpenID was sort-of new, I implemented my own OpenID provider, because I wanted to log into StackOverflow and other places, but I didn&#x27;t want to use a third party service.<p>That worked swimmingly in the few places that supported OpenID, but eventually even StackOverflow dropped support.<p>I must admit I haven&#x27;t kept up with what has happened since in this area, so stupid question:<p>Could I install this server and have my own OAuth2&#x2F;OIDC provider that would allow me to login to websites using my own provider (instead of &quot;Login with Microsoft Github&quot;, &quot;Login with Facebook&quot;, &quot;Login with Google&quot;, &quot;Login with Twitter&quot;), or is this something else&#x2F;the reverse?

How does Hydra compare to other OIDC server implementations like Dex and Keycloak?

Site doesn&#x27;t seem to give a simple high level explanation. How does this compare to a service like auth0? Seems like a subset of a cognito&#x2F;auth0&#x2F;okta?

Are there any load test reports? How well does it scale?

Glad to see OpenAPI codegen being used for the SDKs!