Ory Hydra
Feature availability
Section titled “Feature availability”| Feature | Support |
|---|---|
| OAuth2/OIDC clients | ✅ Full |
| SAML clients | ❌ Not supported by Hydra |
| Resource servers | ⚠️ Derived from existing client audiences (read-only) |
| Client cloning | ✅ Full |
-
Run Ory Hydra
Hydra exposes two ports: a public API (
4444) used by clients during the OAuth flow, and an Admin API (4445) used by Taco to manage clients. Only the Admin API needs to be reachable from Taco.Terminal window docker compose -f docker-compose.dev.yml -f docker-compose.hydra.yml upThis starts Hydra (public + admin), its migration job, and a dedicated Postgres instance, matching the config in
.docker/hydra. -
Set environment variables
Terminal window OPENID_PROVIDER=oryORY_BASE_URL=http://localhost:4445
No management API authentication needed
Section titled “No management API authentication needed”Hydra’s Admin API has no built-in authentication of its own — access control is expected to be enforced at the network layer. Leave OPENID_PROVIDER_AUTH_TYPE unset when using this provider.
Client management notes
Section titled “Client management notes”- Grant types, response types, and token endpoint auth method map directly to Hydra’s native OAuth2 client fields.
- Resource servers are derived, not stored natively: Taco lists the distinct
audiencevalues seen across existing clients. Renaming or deleting a “resource server” only affects future client edits, not Hydra state directly. - Client secrets are only returned by Hydra at creation time. Rotate a client’s secret from the client detail page if it needs to be regenerated.
OIDC login (optional)
Section titled “OIDC login (optional)”To protect the Taco dashboard with Hydra-issued tokens, register a separate OAuth2 client in Hydra for Taco’s own login flow (authorization code, confidential):
AUTH_CLIENT_OPENID_CONFIGURATION_URL=http://localhost:4444/.well-known/openid-configurationAUTH_CLIENT_ID=your-oidc-client-idAUTH_CLIENT_SECRET=your-oidc-client-secretAdd <BASE_URL>/api/auth/callback/oidc to that client’s allowed redirect URIs.