by arekkas 3676 days ago
Currently hydra issues opaque tokens but has the capabilities to switch to JWT in the future. There is a warden HTTP API endpoint that you can use to inspect tokens and use hydra's access control. I will probably add a more common token info endpoint or an OAuth2 Token Introspection endpoint (https://tools.ietf.org/html/rfc7662) later on.

I haven't used kong yet but from my first impression it should be possible to use hydra together with kong.

2 comments

You're doing OIDC but OIDC requires JWT. Well sorry but if you're not using JWT then this isn't OIDC. The whole point of OIDC is token verification, you provide an identity and that identity can be verified.

Ok, thanks. So let's say I wanted to use Hydra for authenticating requests made to my REST API, I'd have to make an API call to Hydra on each request, right? Would be interesting to have some integration examples with popular web frameworks (e.g. Express.js, Rails, Django, etc.).

Thanks for releasing this by the way, looks really well engineered. I'm sure you've considered it already, but you could probably sell a hosted version (a la https://auth0.com) to make money and finance development.

Depends, if you use JWT you can cryptographically verify that the token and the token claims are valid. Right now, Hydra does not issue JWTs but it would be easy as pie to add that functionality.

Writing an integration guide for this is a very good idea. Hydra's APIs are validating all requests using that technique, but it's not documented.

Auth0.com is pretty cool, they have done some cool projects that help OAuth developers. However, they are overpriced imho. Hosting hydra is definitely something I will consider. Thanks! :)