SylviaBABY commented on code in PR #1187: URL: https://github.com/apache/apisix-website/pull/1187#discussion_r913322280
########## website/blog/2022/07/04/apisix-integrates-with-hydra.md: ########## @@ -0,0 +1,286 @@ +--- +title: "APISIX integrates with Ory Hydra" +authors: + - name: "Fei Han" + title: "Technical Writer" + url: "https://github.com/hf400159"; + image_url: "https://github.com/hf400159.png"; +keywords: +- Apache APISIX +- API Gateway +- Authentication +- Hydra +- Openid connect +- OIDC +description: This article describes the API gateway Apache APISIX for centralized authentication via the OpenID Connect plugin Hydra integration. +tags: [Authentication] +--- + +> This article describes how Apache APISIX integrates with Ory Hydra to implement centralized authentication. + +<!--truncate--> + +## Background Information + +### Apache APISIX + +[Apache APISIX](https://github.com/apache/apisix) is an open source cloud native API gateway. As an API gateway, it has the characteristics of dynamic, real-time, and high performance. It provides rich traffic management functions such as load balancing, dynamic upstream, gray-scale publishing, service fusing, identity authentication and observability. You can use APISIX to handle the traditional north-south traffic and the east-west traffic between services. It can also be used as a K8s ingress controller. Thanks to the full dynamic design of APISIX, configuration changes can be made at any time without restarting the service. + +The `openid-connect` plugin of APISIX supports the OpenID Connect protocol. Users can use this plugin to allow Apache APISIX to connect with many authentication service providers and deploy it in enterprises as a centralized authentication gateway. + +### ORY Hydra + +[Ory Hydra](https://github.com/ory/hydra) is one of the identity providers that supports the OAuth 2.0 and OpenID Connect protocols, based on the OAuth 2.0 authorization framework and the Open ID Connect Core 1.0 framework, with both open source and cloud native features. It can be integrated with any login system, and through OAuth 2.0 Access, Refresh, and ID Tokens, third parties can easily access your API, enabling users to interact with any application anytime, anywhere. + +Ory Hydra is written in Go language and provides SDKs for almost all languages, including Dart, .NET, Go, Java, PHP, Python, Ruby, Rust, and Typescript. It works with any login system, and the login experience can be easily customized. + +## Introduction + +OpenID is a centralized authentication mode, and it is a decentralized identity authentication system. The advantage of using OpenID is that users only need to register and log in on one OpenID identity provider's website and use one account and password information to access different applications. + +With the `openid-connect` plugin supported by APISIX, we can integrate with authenticators supporting the OpenID Connect protocol. For example: Ory Hydra. For more information, please refer to: [Centralized Identity Authentication](https://apisix.apache.org/blog/2021/08/25/using-the-apache-apisix-openid-connect-plugin-for-centralized-authentication/#what-is-authentication). + +One of the biggest advantages of Ory Hydra is that it implements the OAuth and OpenID Connect standards instead of forcing you to use "Hydra user management" (login, logout, profile management, registration), a specific template engine, or a predefined front end. + +It allows to use the authentication mechanisms required by your program (token-based 2FA, SMS 2FA, etc.) and implement user management and login in your technology stack. Of course, you can also use existing solutions, such as [authboss](https://github.com/go-authboss/authboss). It gives you all the great features of OAuth 2.0 and OpenID Connect while being minimally intrusive to your business logic and technology stack. + +OAuth 2.0 can be used in many environments for various purposes. This list might help you decide if OAuth 2.0 and Hydra are the right fit for a use case: + +1. enable third-party solutions to access your APIs. +2. be an Identity Provider like Google, Facebook, or Microsoft: OpenID Connect, and thus Hydra is a perfect fit. +3. enable your browser, mobile, or wearable applications to access your APIs: Running an OAuth2 Provider can work great for this. You don't have to store passwords on the device and can revoke access tokens at any time. +4. you want to limit what type of information your backend services can read from each other. For example, the comment service should only be allowed to fetch user profile updates but shouldn't be able to read user passwords. + +## Operation steps + +Next, I will show you how APISIX integrates with Hydra using a real example. In this example, Docker will be used to running the required environment. Please install [Docker](https://docs.docker.com/engine/install/) before doing this. + +### Step 1: Create and deploy the database + +For quick deployment of the test environment, we will use Docker to run PostgreSQL as Hydra's database. Using Docker to run the database in production is not recommended. Review Comment: ```suggestion For quick deployment of the test environment, we will use Docker to run PostgreSQL as Hydra's database. It's not recommended to use Docker to run the database in production. ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
![https://github.com/hf400159.png"](https://github.com/hf400159.png"){kind=link}