hydra
Internet-scale OpenID Certified™ OpenID Connect and OAuth 2.1 provider that integrates with your user management through headless APIs. Solve OIDC/OAuth2 use cases overnight. Consume as a service on Ory Network or self-host. Trusted by OpenAI and many others for scale and security. Written in Go.
Top Related Projects
Open Source Identity and Access Management For Modern Applications and Services
A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers.
OpenID Certified™ OAuth 2.0 Authorization Server implementation for Node.js
The Single Sign-On Multi-Factor portal for web apps, now OpenID Certified™
Open source alternative to Auth0 / Firebase Auth / AWS Cognito
ZITADEL - Identity infrastructure, simplified for you.
Quick Overview
Ory Hydra is an OAuth 2.0 and OpenID Connect Provider. It's designed to be a secure, high-performance, and cloud-native implementation that integrates easily with existing systems. Hydra focuses on OAuth 2.0 and OpenID Connect without forcing you to use a specific identity provider or user management system.
Pros
- Highly scalable and designed for cloud-native environments
- Supports the standard OAuth 2.0 and OpenID Connect flows (authorization code with PKCE, implicit and hybrid, client credentials, refresh tokens); the deprecated resource owner password grant is deliberately not implemented
- Provides robust security features and follows best practices
- Easy integration with existing identity providers and user management systems
Cons
- Steep learning curve for beginners in OAuth 2.0 and OpenID Connect
- Requires additional components for a complete identity management solution
- Documentation can be overwhelming due to the complexity of the system
- May be overkill for simple authentication needs
Code Examples
- Creating an OAuth 2.0 Client:
import (
	"log"

	"github.com/ory/hydra-client-go/client/admin"
	"github.com/ory/hydra-client-go/models"
)

// hydraAdmin is the Admin service of a *client.OryHydra pointed at the admin API
// (port 4445). That API has no authentication of its own: keep it off the public network.
params := admin.NewCreateOAuth2ClientParams().WithBody(&models.OAuth2Client{
	ClientID:      "my-client",
	ClientSecret:  "secret", // use a long random secret outside local testing
	GrantTypes:    []string{"authorization_code", "refresh_token"},
	ResponseTypes: []string{"code", "id_token"},
	Scope:         "openid profile email",
	RedirectURIs:  []string{"https://my-app.com/callback"},
})
if _, err := hydraAdmin.CreateOAuth2Client(params); err != nil {
	log.Fatal(err)
}
- Initiating an OAuth 2.0 Authorization Code Flow:
import "golang.org/x/oauth2"

// There is no "initialize login flow" API call. The client sends the user's browser to Hydra's
// /oauth2/auth endpoint (public port 4444); Hydra returns it to redirect_uri with ?code=...&state=...
conf := &oauth2.Config{
	ClientID:     "my-client",
	ClientSecret: "secret",
	RedirectURL:  "https://my-app.com/callback",
	Scopes:       []string{"openid", "profile", "email"},
	Endpoint:     oauth2.Endpoint{AuthURL: "https://my-hydra.com/oauth2/auth", TokenURL: "https://my-hydra.com/oauth2/token"},
}
// state must be unguessable and kept in the user's session so the callback can compare it (CSRF protection).
authURL := conf.AuthCodeURL(state) // redirect the browser here; exchange the returned code with conf.Exchange
- Introspecting an OAuth 2.0 Access Token:
import (
	"fmt"
	"log"

	"github.com/ory/hydra-client-go/client/admin"
)

// Introspection is an admin-API call (port 4445); only resource servers on the trusted
// network should reach it. Active is a pointer in the generated model, so check it for nil.
result, err := hydraAdmin.IntrospectOAuth2Token(admin.NewIntrospectOAuth2TokenParams().WithToken(accessToken))
if err != nil {
	log.Fatal(err)
}
if result.Payload.Active != nil && *result.Payload.Active {
	// Token is valid; also verify Payload.Aud and Payload.Scope before granting access.
	fmt.Printf("Token belongs to subject: %s\n", result.Payload.Sub)
}
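The authorization code flow begins with a browser redirect rather than an SDK call, and what protects it is the handful of values the client keeps in the user's session. The following Go program is an added example written for this page, not code from Ory Hydra or from the page's original examples: it generates state, nonce and a PKCE code_verifier, builds the redirect to Hydra's /oauth2/auth endpoint with the S256 challenge, and validates the callback before trusting the code. The hydraPublicURL, client ID and redirect URI are placeholders; the challenge derivation is the one RFC 7636 specifies.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// hydraPublicURL is an assumed placeholder; /oauth2/auth is Hydra's authorization endpoint path.
const hydraPublicURL = "https://my-hydra.com"

// AuthRequest holds the per-login values the client keeps in the user's session
// between the redirect to Hydra and the callback.
type AuthRequest struct {
	State        string // CSRF and mix-up protection, echoed back by Hydra
	Nonce        string // bound into the ID token, checked after the code exchange
	CodeVerifier string // PKCE secret, revealed only to the token endpoint
}

// randomURLSafe returns n random bytes as unpadded base64url, the alphabet RFC 7636 prescribes.
func randomURLSafe(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// NewAuthRequest generates fresh state, nonce and code_verifier from 32 random bytes each,
// which encode to 43 characters, the minimum verifier length RFC 7636 allows.
func NewAuthRequest() (AuthRequest, error) {
	var v [3]string
	for i := range v {
		s, err := randomURLSafe(32)
		if err != nil {
			return AuthRequest{}, err
		}
		v[i] = s
	}
	return AuthRequest{State: v[0], Nonce: v[1], CodeVerifier: v[2]}, nil
}

// PKCEChallengeS256 derives code_challenge = BASE64URL(SHA256(code_verifier)).
func PKCEChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// BuildAuthorizeURL assembles the redirect to /oauth2/auth for the authorization code flow
// with PKCE. Only the challenge crosses the browser, so an intercepted code is useless alone.
func BuildAuthorizeURL(clientID, redirectURI string, scopes []string, req AuthRequest) string {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("response_type", "code")
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", req.State)
	q.Set("nonce", req.Nonce)
	q.Set("code_challenge", PKCEChallengeS256(req.CodeVerifier))
	q.Set("code_challenge_method", "S256")
	return hydraPublicURL + "/oauth2/auth?" + q.Encode()
}

// CheckCallback validates the redirect back to redirect_uri: an error response is surfaced,
// and the state must match the stored one (constant-time) before the code is trusted.
func CheckCallback(callbackURL string, req AuthRequest) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("authorization failed: %s (%s)", e, q.Get("error_description"))
	}
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(req.State)) != 1 {
		return "", fmt.Errorf("state mismatch: rejecting callback")
	}
	code := q.Get("code")
	if code == "" {
		return "", fmt.Errorf("callback carries no authorization code")
	}
	return code, nil
}

func main() {
	req, err := NewAuthRequest()
	if err != nil {
		panic(err)
	}
	fmt.Println(BuildAuthorizeURL("my-client", "https://my-app.com/callback", []string{"openid", "offline"}, req))
}
```

Store the AuthRequest server-side, keyed to the browser session, and only after CheckCallback succeeds exchange the code at /oauth2/token together with the code_verifier; then compare the nonce claim of the returned ID token with req.Nonce before treating the login as complete.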
Getting Started
- Install Ory Hydra:

docker pull oryd/hydra:v2.1.1

- Run Ory Hydra. This invocation is for local development only: DSN=memory keeps all state in RAM and loses every client on restart, and --dangerous-force-http disables TLS. In a real deployment use a database DSN, terminate TLS, and keep the admin port 4445 off any public network, because the admin API is unauthenticated.

docker run -p 4444:4444 -p 4445:4445 \
  -e DSN=memory \
  -e URLS_SELF_ISSUER=https://my-hydra.com/ \
  -e URLS_LOGIN=https://my-login.com/login \
  -e URLS_CONSENT=https://my-consent.com/consent \
  oryd/hydra:v2.1.1 serve all --dangerous-force-http

- Create an OAuth 2.0 client through the admin API. The v2 image ships the v2 CLI, whose syntax is hydra create client with singular flags (the v1 form was hydra clients create --callbacks); Hydra generates the client ID and prints it with the result:

hydra create client \
  --endpoint http://127.0.0.1:4445 \
  --secret secret \
  --grant-type authorization_code,refresh_token \
  --response-type code,id_token \
  --scope openid,offline \
  --redirect-uri http://127.0.0.1:5555/callback
Competitor Comparisons
Open Source Identity and Access Management For Modern Applications and Services
Pros of Keycloak
- More comprehensive out-of-the-box features, including user management and admin console
- Easier setup and configuration for non-technical users
- Broader ecosystem with extensive documentation and community support
Cons of Keycloak
- Higher resource consumption and slower performance
- Less flexibility for custom integrations and modifications
- Steeper learning curve for advanced customizations
Code Comparison
Hydra (Go):
import "github.com/ory/hydra-client-go/client"

// Transport for the generated (v1) client. Use the admin API host (4445) for client
// management and introspection, the public host (4444) for the token endpoints, and
// only "https" outside local development.
c := client.NewHTTPClientWithConfig(nil, &client.TransportConfig{
	Schemes:  []string{"https"},
	Host:     "localhost:4445",
	BasePath: "/",
})
Keycloak (Java):
import org.keycloak.admin.client.Keycloak;
Keycloak keycloak = Keycloak.getInstance(
"http://localhost:8080/auth",
"master",
"admin",
"password",
"admin-cli");
Both snippets initialize an admin client. Keycloak's carries the admin user's password for the master realm, while Hydra's generated client carries no credentials at all, because Hydra's admin API has no authentication of its own and relies on network isolation: bind port 4445 to a private network or put an authenticating proxy in front of it.
A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers.
Pros of oauth2-proxy
- Simpler setup and configuration for basic OAuth2 authentication scenarios
- Lightweight and focused on proxying requests with OAuth2 authentication
- Supports multiple providers out of the box (Google, GitHub, Azure, etc.)
Cons of oauth2-proxy
- Limited functionality compared to Hydra's full OAuth2 and OpenID Connect server capabilities
- Less flexibility for complex authentication and authorization scenarios
- Fewer built-in features for token management and introspection
Code Comparison
oauth2-proxy configuration example:
oauth2_proxy:
  config:
    provider: "github"
    client_id: "your_client_id"
    client_secret: "your_client_secret"
    cookie_secret: "random_string" # must be 16, 24 or 32 bytes (base64 accepted); generate it, never ship a placeholder
    email_domains:
      - "*" # lets any account the provider authenticates through; restrict it, or add github_org / github_team
Hydra configuration example:
dsn: memory # development only: every client and token is lost on restart
serve:
  public:
    port: 4444
  admin:
    port: 4445 # unauthenticated admin API: bind it to a private interface or put an authenticating proxy in front
strategies:
  access_token: jwt # default is opaque; jwt lets resource servers verify tokens locally via /.well-known/jwks.json, but revocation is only visible through introspection
While oauth2-proxy focuses on simple proxy configuration with OAuth2 authentication, Hydra provides a more comprehensive OAuth2 and OpenID Connect server setup with additional features and flexibility.
OpenID Certified™ OAuth 2.0 Authorization Server implementation for Node.js
Pros of node-oidc-provider
- Lightweight and flexible, allowing for easy customization
- Extensive documentation and examples for various use cases
- Built specifically for Node.js, providing seamless integration with Node-based applications
Cons of node-oidc-provider
- Less out-of-the-box features compared to Hydra
- May require more configuration and setup for complex scenarios
- Limited built-in support for some advanced OAuth 2.0 flows
Code Comparison
node-oidc-provider:
const Provider = require('oidc-provider');
const configuration = {
clients: [{ client_id: 'foo', client_secret: 'bar', redirect_uris: ['http://localhost:8080/cb'] }],
};
const oidc = new Provider('http://localhost:3000', configuration);
Hydra:
import "github.com/ory/hydra/driver"

// driver is Hydra's internal wiring, not a supported embedding API: Hydra is deployed as a
// standalone server (hydra serve) configured through YAML or environment variables.
d := driver.NewDefaultDriver()
r := d.Registry()
h := r.OAuth2Handler()
Both examples show basic setup, but they are not the same kind of thing: node-oidc-provider is a library you embed in a Node.js process and configure in code, while Hydra runs as its own server and the driver snippet only hints at its internal modular registry.
The Single Sign-On Multi-Factor portal for web apps, now OpenID Certified™
Pros of Authelia
- All-in-one authentication and authorization solution
- Simpler setup and configuration for basic use cases
- Built-in web portal for user management and self-service
Cons of Authelia
- Less flexible for complex, distributed architectures
- Fewer advanced features compared to Hydra's OAuth2 and OpenID Connect capabilities
- Smaller community and ecosystem
Code Comparison
Authelia configuration (YAML):
authentication_backend:
file:
path: /config/users_database.yml
access_control:
default_policy: deny
rules:
- domain: secure.example.com
policy: two_factor
Hydra configuration (YAML):
dsn: postgres://user:password@host:port/database # append ?sslmode=verify-full so the database connection is encrypted and the server certificate is checked
serve:
public:
port: 4444
admin:
port: 4445
strategies:
access_token: jwt
Both projects use YAML for configuration, but Authelia's setup is more straightforward for basic authentication scenarios. Hydra's configuration reflects its focus on OAuth2 and OpenID Connect, with separate public and admin interfaces.
Authelia is better suited for smaller, self-hosted projects requiring simple authentication, while Hydra excels in complex, distributed systems with advanced OAuth2 and OpenID Connect requirements.
Open source alternative to Auth0 / Firebase Auth / AWS Cognito
Pros of SuperTokens
- Easier setup and integration with pre-built UI components and SDKs
- More comprehensive user management features out-of-the-box
- Better documentation and community support for developers
Cons of SuperTokens
- Less flexible for complex, custom authentication flows
- Smaller ecosystem and fewer third-party integrations
- More opinionated architecture, which may not suit all project requirements
Code Comparison
SuperTokens (Node.js example):
import supertokens from "supertokens-node";
import Session from "supertokens-node/recipe/session";
supertokens.init({
appInfo: {
apiDomain: "https://api.example.com",
appName: "MyApp",
websiteDomain: "https://example.com"
},
recipeList: [Session.init()]
});
Hydra (Go example):
import hydra "github.com/ory/hydra-client-go/v2"

// The v2 SDK is generated from Hydra's OpenAPI spec. Point one configuration at the public
// API for the token endpoints and a separate one at the admin API for client management,
// introspection and login/consent; the admin API is unauthenticated and must not be
// reachable from the internet.
configuration := hydra.NewConfiguration()
configuration.Servers = hydra.ServerConfigurations{
	{URL: "https://your-hydra-instance.com/"},
}
client := hydra.NewAPIClient(configuration)
Both projects offer robust authentication and authorization solutions, but SuperTokens focuses more on user management and ease of use, while Hydra provides greater flexibility for complex OAuth2 and OpenID Connect scenarios. The choice between them depends on specific project requirements and developer preferences.
ZITADEL - Identity infrastructure, simplified for you.
Pros of Zitadel
- All-in-one identity management solution with built-in user management, authentication, and authorization
- Offers a user-friendly web interface for easy management and configuration
- Supports multiple deployment options, including self-hosted and cloud-based solutions
Cons of Zitadel
- Less flexible than Hydra for custom integrations and specific use cases
- Newer project with a smaller community and ecosystem compared to Hydra
- May have a steeper learning curve for developers familiar with more traditional OAuth2 servers
Code Comparison
Hydra (Go):
import "github.com/ory/hydra-client-go/client"

// Transport for the generated (v1) client. Use the admin API host (4445) for client
// management and introspection, the public host (4444) for the token endpoints, and
// only "https" outside local development.
c := client.NewHTTPClientWithConfig(nil, &client.TransportConfig{
	Schemes:  []string{"https"},
	Host:     "localhost:4445",
	BasePath: "/",
})
Zitadel (Go):
import "github.com/zitadel/zitadel/pkg/client/zitadel"
client, err := zitadel.NewClient(
zitadel.WithClientID("client-id"),
zitadel.WithClientSecret("client-secret"),
zitadel.WithEndpoint("https://instance.zitadel.cloud"),
)
Both repositories provide OAuth2 and OpenID Connect capabilities, but Zitadel offers a more comprehensive identity management solution out of the box. Hydra focuses on being a lightweight and flexible OAuth2 server, while Zitadel provides additional features like user management and a web interface. The choice between the two depends on specific project requirements and the desired level of customization.
README
Chat · Discussions · Newsletter · Docs · Try Ory Network · Jobs
Ory Hydra is a hardened, OpenID Certified OAuth 2.0 Server and OpenID Connect Provider optimized for low-latency, high throughput, and low resource consumption. It connects to your existing identity provider through a login and consent app, giving you absolute control over the user interface and experience.
- What is Ory Hydra?
- Deployment options
- Quickstart
- Who is using Ory Hydra
- Ecosystem
- Documentation
- Developing Ory Hydra
- Security
- Telemetry
- Libraries and third-party projects
What is Ory Hydra?
Ory Hydra is a server implementation of the OAuth 2.0 authorization framework and the OpenID Connect Core 1.0. It follows cloud architecture best practices and focuses on:
- OAuth 2.0 and OpenID Connect flows
- Token issuance and validation
- Client management
- Consent and login flow orchestration
- JWKS management
- Low latency and high throughput
We recommend starting with the Ory Hydra introduction docs to learn more about its architecture, feature set, and how it compares to other systems.
Why Ory Hydra
Ory Hydra is designed to:
- Be a standalone OAuth 2.0 and OpenID Connect server without user management
- Connect to any existing identity provider through a login and consent app
- Give you absolute control over the user interface and experience flows
- Work with any authentication endpoint: Ory Kratos, authboss, User Frosting, or your proprietary system
- Scale to large numbers of clients and tokens
- Fit into modern cloud native environments such as Kubernetes and managed platforms
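The login and consent app is the point where Hydra hands control to your identity provider. The Go program below is an added example written for this page, not Ory's reference login app: a minimal login bridge that fetches the login request for a login_challenge from the admin API, accepts it with the subject that your own credential check produced (or with the subject Hydra's existing session already holds when the request says skip), and rejects it explicitly on a failed login. The admin URL, the Authenticate hook and the two challenges are constructed; the admin API paths are the Hydra v2 ones, and an in-process fake stands in for Hydra so the program runs offline. The consent step works the same way against /admin/oauth2/auth/requests/consent and is omitted here.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// LoginBridge is the "tiny bridge application" between Hydra and your own user store;
// Authenticate is the hook into that store (assumed, any implementation works).
type LoginBridge struct {
	AdminURL     string // Hydra admin API, e.g. http://hydra-admin.internal:4445 (assumed placeholder)
	Client       *http.Client
	Authenticate func(username, password string) (subject string, ok bool)
}

// adminJSON performs one JSON call against the admin API (Hydra v2 paths).
func (b *LoginBridge) adminJSON(ctx context.Context, method, path, challenge string, body, out any) error {
	payload, err := json.Marshal(body) // a nil body encodes as "null", which the GET ignores
	if err != nil {
		return err
	}
	u := b.AdminURL + path + "?" + url.Values{"login_challenge": {challenge}}.Encode()
	req, err := http.NewRequestWithContext(ctx, method, u, bytes.NewReader(payload))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := b.Client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("%s %s: status %d", method, path, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// HandleLogin resolves one login_challenge and returns where to send the browser next.
// The subject never comes from the browser: it is what the bridge authenticated itself, or
// what Hydra's existing session holds when the login request says skip. A failed login is
// rejected explicitly so Hydra returns access_denied to the client instead of hanging.
func (b *LoginBridge) HandleLogin(ctx context.Context, challenge, username, password string) (string, error) {
	const base = "/admin/oauth2/auth/requests/login"
	lr := map[string]any{}
	if err := b.adminJSON(ctx, http.MethodGet, base, challenge, nil, &lr); err != nil {
		return "", err
	}
	out := map[string]string{}
	put := func(action string, body map[string]any) (string, error) {
		err := b.adminJSON(ctx, http.MethodPut, base+"/"+action, challenge, body, &out)
		return out["redirect_to"], err
	}
	if lr["skip"] == true {
		return put("accept", map[string]any{"subject": lr["subject"]})
	}
	if subject, ok := b.Authenticate(username, password); ok {
		return put("accept", map[string]any{"subject": subject, "remember": true, "remember_for": 3600})
	}
	return put("reject", map[string]any{"error": "access_denied", "error_description": "invalid credentials"})
}

// newFakeHydraAdmin is a constructed stand-in for Hydra's admin API so the example runs
// offline: one fresh challenge and one whose browser already has a Hydra session.
func newFakeHydraAdmin() *httptest.Server {
	known := map[string]map[string]any{"ch-fresh": {"skip": false}, "ch-skip": {"skip": true, "subject": "user-1"}}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		challenge := r.URL.Query().Get("login_challenge")
		lr, ok := known[challenge]
		if !ok {
			http.NotFound(w, r)
			return
		}
		switch r.Method + " " + r.URL.Path {
		case "GET /admin/oauth2/auth/requests/login":
			json.NewEncoder(w).Encode(lr)
		case "PUT /admin/oauth2/auth/requests/login/accept":
			json.NewEncoder(w).Encode(map[string]string{"redirect_to": "https://my-hydra.com/oauth2/auth?login_verifier=v-" + challenge})
		case "PUT /admin/oauth2/auth/requests/login/reject":
			json.NewEncoder(w).Encode(map[string]string{"redirect_to": "https://my-app.com/callback?error=access_denied"})
		default:
			http.NotFound(w, r)
		}
	}))
}

func main() {
	srv := newFakeHydraAdmin()
	defer srv.Close()
	b := &LoginBridge{AdminURL: srv.URL, Client: srv.Client(), Authenticate: func(u, p string) (string, bool) {
		return "user-alice", u == "alice" && p == "correct horse" // constructed credential check
	}}
	fmt.Println(b.HandleLogin(context.Background(), "ch-fresh", "alice", "correct horse"))
}
```

In a real bridge the challenge arrives as the login_challenge query parameter on your login page, HandleLogin runs on the form POST, and the returned URL becomes a 302 for the browser; an unknown or reused challenge fails at the GET, which is why the bridge never accepts a login without first fetching the request from Hydra.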
OAuth2 and OpenID Connect: Open Standards
Ory Hydra implements Open Standards set by the IETF:
- The OAuth 2.0 Authorization Framework
- OAuth 2.0 Threat Model and Security Considerations
- OAuth 2.0 Token Revocation
- OAuth 2.0 Token Introspection
- OAuth 2.0 for Native Apps
- OAuth 2.0 Dynamic Client Registration Protocol
- OAuth 2.0 Dynamic Client Registration Management Protocol
- Proof Key for Code Exchange by OAuth Public Clients
- JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
and the OpenID Foundation:
- OpenID Connect Core 1.0
- OpenID Connect Discovery 1.0
- OpenID Connect Dynamic Client Registration 1.0
- OpenID Connect Front-Channel Logout 1.0
- OpenID Connect Back-Channel Logout 1.0
OpenID Connect Certified
Ory Hydra is an OpenID Foundation certified OpenID Provider (OP).
The following OpenID profiles are certified:
- Basic OpenID Provider (response types: code)
- Implicit OpenID Provider (response types: id_token, id_token+token)
- Hybrid OpenID Provider (response types: code+id_token, code+id_token+token, code+token)
- OpenID Provider Publishing Configuration Information
- Dynamic OpenID Provider
To obtain certification, we deployed the reference user login and consent app (unmodified) and Ory Hydra v1.0.0.
Deployment options
You can run Ory Hydra in two main ways:
- As a managed service on the Ory Network
- As a self hosted service under your own control, with or without the Ory Enterprise License
Use Ory Hydra on the Ory Network
The Ory Network is the fastest way to use Ory services in production. Ory OAuth2 & OpenID Connect is powered by the open source Ory Hydra server and is API compatible.
The Ory Network provides:
- OAuth2 and OpenID Connect for single sign on, API access, and machine to machine authorization
- Identity and credential management that scales to billions of users and devices
- Registration, login, and account management flows for passkeys, biometrics, social login, SSO, and multi factor authentication
- Prebuilt login, registration, and account management pages and components
- Low latency permission checks based on the Zanzibar model with the Ory Permission Language
- GDPR friendly storage with data locality and compliance in mind
- Web based Ory Console and Ory CLI for administration and operations
- Cloud native APIs compatible with the open source servers
- Fair, usage based pricing
Sign up for a free developer account to get started.
Self-host Ory Hydra
You can run Ory Hydra yourself for full control over infrastructure, deployment, and customization.
The install guide explains how to:
- Install Hydra on Linux, macOS, Windows, and Docker
- Configure databases such as PostgreSQL, MySQL, and CockroachDB
- Deploy to Kubernetes and other orchestration systems
- Build Hydra from source
This guide uses the open source distribution to get you started without license requirements. It is a great fit for individuals, researchers, hackers, and companies that want to experiment, prototype, or run unimportant workloads without SLAs. You get the full core engine, and you are free to inspect, extend, and build it from source.
If you run Hydra as part of a business-critical system, for example OAuth2 and OpenID Connect for all your users, you should use a commercial agreement to reduce operational and security risk. The Ory Enterprise License (OEL) layers on top of self-hosted Hydra and provides:
- Additional enterprise features that are not available in the open source version
- Regular security releases, including CVE patches, with service level agreements
- Support for advanced scaling, multi-tenancy, and complex deployments
- Premium support options with SLAs, direct access to engineers, and onboarding help
- Access to a private Docker registry with frequent and vetted, up-to-date enterprise builds
For guaranteed CVE fixes, current enterprise builds, advanced features, and support in production, you need a valid Ory Enterprise License and access to the Ory Enterprise Docker registry. To learn more, contact the Ory team.
Quickstart
Install the Ory CLI and create a new project to try Ory OAuth2 & OpenID Connect.
# Install the Ory CLI if you do not have it yet:
bash <(curl https://raw.githubusercontent.com/ory/meta/master/install.sh) -b . ory
sudo mv ./ory /usr/local/bin/
# Sign in or sign up
ory auth
# Create a new project
ory create project --create-workspace "Ory Open Source" --name "GitHub Quickstart" --use-project
Try out the OAuth 2.0 Client Credentials flow:
ory create oauth2-client \
--name "Client Credentials Demo" \
--grant-type client_credentials
# Note the client ID and secret from output
ory perform client-credentials \
--client-id <your-client-id> \
--client-secret <your-client-secret>
# Note the access token from output
ory introspect token <your-access-token>
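Both the introspection snippet in the code examples above and ory introspect token return the same RFC 7662 document; what matters is what the resource server does with it. The Go program below is an added example written for this page, not Ory code: a resource server that posts a bearer token, form-encoded, to Hydra's admin introspection endpoint and grants access only when the token is active, carries the required scope and names this server in aud. It runs against a constructed in-process stand-in for the admin API, so the admin URL, the token value ory_at_example-valid-token, the audience orders-api and the scopes are all made up for the example; the endpoint path is the Hydra v2 one.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"slices"
	"strings"
)

// Introspection holds the RFC 7662 fields a resource server acts on; scope is space-separated.
type Introspection struct {
	Active   bool     `json:"active"`
	Scope    string   `json:"scope"`
	ClientID string   `json:"client_id"`
	Sub      string   `json:"sub"`
	Aud      []string `json:"aud"`
}

// Verifier talks to Hydra's admin API, which has no authentication of its own:
// AdminURL must be reachable only from trusted network segments.
type Verifier struct {
	AdminURL string // e.g. http://hydra-admin.internal:4445 (assumed placeholder)
	Audience string // identifier this resource server expects in aud
	Client   *http.Client
}

// Introspect POSTs the token, form-encoded, to /admin/oauth2/introspect (Hydra v2 path).
func (v *Verifier) Introspect(ctx context.Context, token string) (*Introspection, error) {
	form := url.Values{"token": {token}}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, v.AdminURL+"/admin/oauth2/introspect", strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := v.Client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("introspection endpoint returned HTTP %d", resp.StatusCode)
	}
	var in Introspection
	if err := json.NewDecoder(resp.Body).Decode(&in); err != nil {
		return nil, err
	}
	return &in, nil
}

// Authorize returns the subject only if the token is active (Hydra already folds expiry
// and revocation into active), was issued for this audience and carries requiredScope.
// The distinct errors are for the server's own logs; clients should just see 401/403.
func (v *Verifier) Authorize(ctx context.Context, token, requiredScope string) (string, error) {
	in, err := v.Introspect(ctx, token)
	if err != nil {
		return "", err
	}
	switch {
	case !in.Active:
		return "", errors.New("token inactive")
	case !slices.Contains(in.Aud, v.Audience):
		return "", errors.New("token not issued for this audience")
	case !slices.Contains(strings.Fields(in.Scope), requiredScope):
		return "", fmt.Errorf("token lacks scope %q", requiredScope)
	}
	return in.Sub, nil
}

// newFakeHydraAdmin is a constructed stand-in for Hydra's admin API so the example runs
// offline. It knows one token; anything else is reported as active:false, as RFC 7662 requires.
func newFakeHydraAdmin() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.URL.Path != "/admin/oauth2/introspect" || r.ParseForm() != nil {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		if r.PostForm.Get("token") != "ory_at_example-valid-token" {
			json.NewEncoder(w).Encode(Introspection{Active: false})
			return
		}
		json.NewEncoder(w).Encode(Introspection{Active: true, Scope: "openid read:orders", ClientID: "my-client", Sub: "user-123", Aud: []string{"orders-api"}})
	}))
}

func main() {
	srv := newFakeHydraAdmin()
	defer srv.Close()
	v := &Verifier{AdminURL: srv.URL, Audience: "orders-api", Client: srv.Client()}
	fmt.Println(v.Authorize(context.Background(), "ory_at_example-valid-token", "read:orders"))
	fmt.Println(v.Authorize(context.Background(), "ory_at_example-valid-token", "write:orders"))
}
```

Introspection is a network round trip per request, so a resource server under load normally caches positive results for a few seconds bounded by the token's lifetime; the audience check is what stops a token minted for one API from being replayed against another, and it only works if clients request and Hydra issues an explicit aud.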
Try out the OAuth 2.0 Authorize Code + OpenID Connect flow:
ory create oauth2-client \
--name "Authorize Code with OpenID Connect Demo" \
--grant-type authorization_code,refresh_token \
--response-type code \
--redirect-uri http://127.0.0.1:4446/callback
ory perform authorization-code \
--client-id <your-client-id> \
--client-secret <your-client-secret>
Who is using Ory Hydra
The Ory community stands on the shoulders of individuals, companies, and maintainers. The Ory team thanks everyone involved, from submitting bug reports and feature requests to contributing patches and documentation. The Ory community counts more than 50,000 members and is growing. The Ory stack protects 7,000,000,000+ API requests every day across thousands of companies. None of this would have been possible without each and every one of you!
The following list represents companies that have accompanied us along the way and that have made outstanding contributions to our ecosystem. If you think that your company deserves a spot here, reach out to office@ory.com now!
| Name | Website | Case Study |
|---|---|---|
| OpenAI | openai.com | OpenAI Case Study |
| Fandom | fandom.com | Fandom Case Study |
| Lumin | luminpdf.com | Lumin Case Study |
| Sencrop | sencrop.com | Sencrop Case Study |
| OSINT Industries | osint.industries | OSINT Industries Case Study |
| HGV | hgv.it | HGV Case Study |
| Maxroll | maxroll.gg | Maxroll Case Study |
| Zezam | zezam.io | Zezam Case Study |
| T.RowePrice | troweprice.com | |
| Mistral | mistral.ai | |
| Axel Springer | axelspringer.com | |
| Hemnet | hemnet.se | |
| Cisco | cisco.com | |
| Presidencia de la República Dominicana | presidencia.gob.do | |
| Moonpig | moonpig.com | |
| Booster | choosebooster.com | |
| Zaptec | zaptec.com | |
| Klarna | klarna.com | |
| Raspberry PI Foundation | raspberrypi.org | |
| Tulip | tulip.com | |
| Hootsuite | hootsuite.com | |
| Segment | segment.com | |
| Arduino | arduino.cc | |
| Sainsbury's | sainsburys.co.uk | |
| Contraste | contraste.com | |
| inMusic | inmusicbrands.com | |
| Buhta | buhta.com | |
| Amplitude | amplitude.com | |
Many thanks to all individual contributors
Ecosystem
We build Ory on several guiding principles when it comes to our architecture design:
- Minimal dependencies
- Runs everywhere
- Scales without effort
- Minimize room for human and network errors
Ory's architecture is designed to run best on a Container Orchestration system such as Kubernetes, CloudFoundry, OpenShift, and similar projects. Binaries are small (5-15MB) and available for all popular processor types (ARM, AMD64, i386) and operating systems (FreeBSD, Linux, macOS, Windows) without system dependencies (Java, Node, Ruby, libxml, ...).
Ory Kratos: Identity and User Infrastructure and Management
Ory Kratos is an API-first Identity and User Management system that is built according to cloud architecture best practices. It implements core use cases that almost every software application needs to deal with: Self-service Login and Registration, Multi-Factor Authentication (MFA/2FA), Account Recovery and Verification, Profile, and Account Management.
Ory Hydra: OAuth2 & OpenID Connect Server
Ory Hydra is an OpenID Certified™ OAuth2 and OpenID Connect Provider which easily connects to any existing identity system by writing a tiny "bridge" application. It gives absolute control over the user interface and user experience flows.
Ory Oathkeeper: Identity & Access Proxy
Ory Oathkeeper is a BeyondCorp/Zero Trust
Identity & Access Proxy (IAP) with configurable authentication, authorization,
and request mutation rules for your web services: Authenticate JWT, Access
Tokens, API Keys, mTLS; Check if the contained subject is allowed to perform the
request; Encode resulting content into custom headers (X-User-ID), JSON Web
Tokens and more!
Ory Keto: Access Control Policies as a Server
Ory Keto is a policy decision point. It uses a set of access control policies, similar to AWS IAM Policies, in order to determine whether a subject (user, application, service, car, ...) is authorized to perform a certain action on a resource.
Documentation
The full Ory Hydra documentation is available at www.ory.com/docs/hydra, including:
- Installation guides
- Configuration reference
- HTTP API documentation
- Security architecture
- Performance benchmarks
For upgrading and changelogs, check releases tab and CHANGELOG.md.
Developing Ory Hydra
See DEVELOP.md for information on:
- Contribution guidelines
- Prerequisites
- Install from source
- Running tests
- Build Docker image
- Preview API documentation
Security
OAuth2 and OAuth2 related specifications are over 400 written pages. Implementing OAuth2 is easy, getting it right is hard. Ory Hydra is trusted by companies all around the world, has a vibrant community and faces millions of requests in production each day. Read the security guide for more details on cryptography and security concepts.
Disclosing vulnerabilities
If you think you found a security vulnerability, please refrain from posting it publicly on the forums, the chat, or GitHub. You can find all info for responsible disclosure in our security.txt.
Telemetry
Our services collect summarized, anonymized data that can optionally be turned off. Click here to learn more.
Libraries and third-party projects
Official:
Community:
Developer Blog:
- Visit the Ory Blog for guides, tutorials and articles around Ory Hydra and the Ory ecosystem.