Skip to content

Ory Hydra

FeatureSupport
OAuth2/OIDC clients✅ Full
SAML clients❌ Not supported by Hydra
Resource servers⚠️ Derived from existing client audiences (read-only)
Client cloning✅ Full
  1. Run Ory Hydra

    Hydra exposes two ports: a public API (4444) used by clients during the OAuth flow, and an Admin API (4445) used by Taco to manage clients. Only the Admin API needs to be reachable from Taco.

    Terminal window
    docker compose -f docker-compose.dev.yml -f docker-compose.hydra.yml up

    This starts Hydra (public + admin), its migration job, and a dedicated Postgres instance, matching the config in .docker/hydra.

  2. Set environment variables

    Terminal window
    OPENID_PROVIDER=ory
    ORY_BASE_URL=http://localhost:4445

Hydra’s Admin API has no built-in authentication of its own — access control is expected to be enforced at the network layer. Leave OPENID_PROVIDER_AUTH_TYPE unset when using this provider.

  • Grant types, response types, and token endpoint auth method map directly to Hydra’s native OAuth2 client fields.
  • Resource servers are derived, not stored natively: Taco lists the distinct audience values seen across existing clients. Renaming or deleting a “resource server” only affects future client edits, not Hydra state directly.
  • Client secrets are only returned by Hydra at creation time. Rotate a client’s secret from the client detail page if it needs to be regenerated.

To protect the Taco dashboard with Hydra-issued tokens, register a separate OAuth2 client in Hydra for Taco’s own login flow (authorization code, confidential):

Terminal window
AUTH_CLIENT_OPENID_CONFIGURATION_URL=http://localhost:4444/.well-known/openid-configuration
AUTH_CLIENT_ID=your-oidc-client-id
AUTH_CLIENT_SECRET=your-oidc-client-secret

Add <BASE_URL>/api/auth/callback/oidc to that client’s allowed redirect URIs.