Hydra w/external IdP (Azure AD)

[jfarleyx]

I've got Hydra running in K8S and I can perform the client credential flow. That process is pretty straight forward. However, I need to set up and test using Hydra with an external identity provider via OIDC for the auth code flow. In this case, the IdP would be Microsoft Azure Active Directory.

I'm a little confused on exactly how to configure Hydra to work with Azure AD as an OIDC IdP (or any 3rd party IdP). We are not in control of the identity provider, we just need our app & Hydra to work with that provider for user authentication via OIDC. Has anyone here configured Hydra to work with an external identity provider like Azure AD (or even Okta/Auth0)?

This is the flow I'm trying to accomplish:

1. User hits a web page I control. The page would offer a "Login w/ Azure AD" button, which should direct user to Azure controlled login page. I have examples from MS regarding how to use their OIDC SDK to authenticate users in Azure AD. That part is clear.
2. User authenticates, letting our app know it was successful/unsuccessful.
3. If successful authentication, we get access/refresh token for authorization from our Hydra instance.

Questions:
Is Hydra able to accommodate this or am I misusing/misunderstanding Hydra?
Does Azure AD communicate with Hydra in this flow and if so, how exactly? What do I configure in Hydra to accommodate that communication.
The Hydra login/consent/logout urls - I'm confused as to what to put here. In this use case, would I provide URL's to Azure AD login or are these URL's for an app we build? I suspect the latter.

Basically, I'm not clear on how, if at all, the IdP and Hydra work together and how to configure Hydra to accommodate that relationship. Perhaps they don't communicate and my app simply manages them separately. If they are separate, can I simply leave the consent URL parameter blank for Hydra, as the consent UI is managed by Azure AD?

If anyone has done this and could help me better understand how to set this up I would be extremely grateful.

[vinckr]

Could you use Ory Kratos instead? You can login with any OIDC provider, we also have a guide for Azure AD .
Maybe the login flow for API clients?
It sounds to me as you are on the OAuth2/OIDC client side, rather than looking to become a OIDC server yourself.

[astor4ever]

@tn185075 is there any chance to get some sample code to get better understand of that?

[tn185075]

I can try sending out the link to a gist here, if I find some time.

[astor4ever]

@tn185075 would be nice - also if You dont want to publish it always You can send it to me 😀

[astor4ever]

@tn185075 hey did you had time to prepare something? :)

[tn185075]

Will take some time tomorrow to publish. Hope that works. @astor4ever

[vinckr]

Hello @jfarleyx @tn185075
The Ory Kratos and Ory Hydra integration just landed with Hydra 2.0,
see the release notes for more details!
That will make this much easier!