Hello all,
I am working on this PoC and would like to know if you agree this scenario is possible:
We already have a capable IDP that is OIDC compatible, we just want to offload the oauth2client creation into kubernetes, via self-service deployment of oauth2clients with hydra. So only one Oauth2Client in the upstream provider can then be used to authenticate users for several apps using each a different "local oauth2client" to that namespace in the cluster.
See drawing:
The idea is to use hydra maester to deploy self-service Oauth2clients in different namespaces, one per application, for example.
The applications will point to this clientID + clientSecret + issuerURL so that users can obtain a token from hydra.
I would like to connect Hydra directly to an upstream OIDC provider but it seems that is not a possibility.
There is the possibility to connect to Kratos though, via urls.identity_provider.url, and that is what I want to do.
Kratos can actually connect to a "social provider" or "generic oidc provider" upstream.
This seems to be doable via oidc.config.providers.issuer_url.
I wonder if this setup is possible and has been tested by someone already.
I don't need any UI; if the user is not already logged in to the company IDP then it should be redirected to it, so that he gets a valid token.
Part of my question is regarding that "red part": what is the glue that needs to be added so that an auth request goes from an oauth2client created by Hydra, to Kratos, and from Kratos to the upstream "social provider"?
Any help would be appreciated.
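As an added sketch to make the question concrete (not the poster's configuration and not copied from Ory's documentation; every hostname, the consent service and the provider id are assumptions), this is how the Hydra and Kratos configs would reference each other so that a Hydra login challenge is handed to Kratos, and Kratos in turn defers authentication to the upstream IDP:

```yaml
# hydra.yml (assumed hostnames; example config, not the poster's)
urls:
  self:
    issuer: https://hydra.example.com
  # Hydra sends the login step to Kratos; Kratos reads the login_challenge
  # query parameter once its own oauth2_provider.url points back at Hydra.
  login: https://kratos.example.com/self-service/login/browser
  # Kratos does not implement the consent step: a small consent service
  # (hypothetical host) has to accept the consent challenge via Hydra's admin API.
  consent: https://consent.example.com/consent
  identity_provider:
    url: http://kratos-admin.auth.svc:4434      # Kratos admin API
    publicUrl: https://kratos.example.com        # Kratos public API
---
# kratos.yml (assumed hostnames; example config, not the poster's)
oauth2_provider:
  # Kratos calls the Hydra admin API here to accept the login request
  # after the user has obtained a Kratos session.
  url: http://hydra-admin.auth.svc:4445
selfservice:
  default_browser_return_url: https://kratos.example.com/
  methods:
    password:
      enabled: false     # no local passwords: the company IDP is the only login method
    oidc:
      enabled: true
      config:
        providers:
          # The single OAuth2 client registered in the upstream IDP.
          # Register this callback there as its redirect URI:
          #   https://kratos.example.com/self-service/methods/oidc/callback/company-idp
          - id: company-idp
            provider: generic
            client_id: REPLACE_WITH_UPSTREAM_CLIENT_ID
            client_secret: REPLACE_WITH_UPSTREAM_CLIENT_SECRET
            issuer_url: https://idp.example.com   # discovery at /.well-known/openid-configuration
            mapper_url: file:///etc/config/kratos/oidc.company-idp.jsonnet
            scope: [openid, email, profile]
```

With this wiring the per-namespace clients created through hydra-maester only ever talk to Hydra; the upstream IDP sees one client (Kratos) and the consent service is the remaining piece the poster's "red part" still needs.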