This project is used by all these people
+++ ++ Software releases and versions follow the {} + + ORY Versioning Framework + . Please read it now if you have not already, it will save you a lot of time. +
+
Latest version.
+| {latestVersion} | ++ + Documentation + + | +
|---|
| master | ++ + Documentation + + | +
|---|
+ Here you can find documentation for previous versions. +
+| {version} | ++ + Documentation + + | +
|---|
+ You can find past versions of this project on{' '} + GitHub. +
+
+{% endblock %}
+
+{% block faq_menu %}
+
+{% endblock %}
+
+{% block faq_footer %}
+
+
+
+
+{% endblock %}
diff --git a/_legacy/faq/book.json b/_legacy/faq/book.json
new file mode 100644
index 000000000..fb671d23c
--- /dev/null
+++ b/_legacy/faq/book.json
@@ -0,0 +1,23 @@
+{
+ "plugins": [
+ "theme-faq",
+ "-fontsettings",
+ "-sharing",
+ "sitemap-basepath",
+ "edit-link",
+ "ga"
+ ],
+ "pluginsConfig": {
+ "edit-link": {
+ "base": "https://github.com/ory/docs/tree/master/faq",
+ "label": "Edit this page"
+ },
+ "ga": {
+ "token": "UA-71865250-1"
+ },
+ "sitemap-basepath": {
+ "hostname": "https://www.ory.sh/",
+ "basePath": "/docs/faq/"
+ }
+ }
+}
\ No newline at end of file
diff --git a/_legacy/faq/general/consulting.md b/_legacy/faq/general/consulting.md
new file mode 100644
index 000000000..7a0651e50
--- /dev/null
+++ b/_legacy/faq/general/consulting.md
@@ -0,0 +1 @@
+Yes we do. Drop us a line at [hi@ory.am](mailto:hi@ory.am)!
\ No newline at end of file
diff --git a/_legacy/faq/general/docs.md b/_legacy/faq/general/docs.md
new file mode 100644
index 000000000..6b58fbbb2
--- /dev/null
+++ b/_legacy/faq/general/docs.md
@@ -0,0 +1 @@
+The documentation is available at [www.ory.sh/docs](https://www.ory.sh/docs).
diff --git a/_legacy/faq/general/envs.md b/_legacy/faq/general/envs.md
new file mode 100644
index 000000000..47587836b
--- /dev/null
+++ b/_legacy/faq/general/envs.md
@@ -0,0 +1,3 @@
+For general information on environment variables, check out [this article](https://en.wikipedia.org/wiki/Environment_variable).
+
+For information on using environment variables in docker, check out [this Stack Overflow question](https://stackoverflow.com/questions/30494050/how-do-i-pass-environment-variables-to-docker-containers).
diff --git a/_legacy/faq/general/jobs.md b/_legacy/faq/general/jobs.md
new file mode 100644
index 000000000..c17b83010
--- /dev/null
+++ b/_legacy/faq/general/jobs.md
@@ -0,0 +1,3 @@
+We are always looking for talented software engineers. You should have solid experience with Go and NodeJS. You should have
+contributed to an open source project and have skills in containerization, CI/CD and generally running software in the cloud.
+If you think you could fit the profile, drop us a line at [hi@ory.am](mailto:hi@ory.am).
diff --git a/_legacy/faq/general/jwt.md b/_legacy/faq/general/jwt.md
new file mode 100644
index 000000000..04cc5c11c
--- /dev/null
+++ b/_legacy/faq/general/jwt.md
@@ -0,0 +1,20 @@
+JSON Web Tokens make much sense, when a client needs to verify the payload of a token. For example, OpenID Connect ID Tokens
+are consumed by a client. The payload of the ID token is used to authenticate the user in the client app.
+
+The payloads of OAuth2 access and refresh tokens however are not relevant to the client. The payload is only
+relevant to the protected resource (e.g. an image), as that resource must check if the token is allowed to access it.
+The payload of the token is only relevant to the resource provider and the OAuth2 server. Therefore, JSON Web Tokens
+are the wrong tool for this task.
+
+Additionally, using JSON Web Tokens for access and refresh tokens adds another limitation. It becomes impossible to
+blacklist the tokens. They are valid as long as their signature - and the corresponding private key - is valid and as long
+as they are not expired. While it is theoretically possible to introduce a blacklist and "ban" certain tokens, it defeats
+the stateless nature of JSON Web Tokens as it would be necessary to check if the token is on the blacklist on every request.
+
+For these and other reasons, ORY Hydra does not issue JSON Web Tokens as access and refresh tokens, and never will.
+
+There is however one caveat to this story. Can you protect your API endpoints without making a REST call to ORY Hydra
+on every access request? With ORY Oathkeeper, you can!
+
+[ORY Oathkeeper](https://github.com/ory/oathkeeper) is a HTTP Reverse Proxy which "translates" ORY Hydra's access tokens to stateless JSON Web Tokens. It
+basically replaces the access token with a JSON Web Token which can be used as a stateless session identifier in your API endpoint.
diff --git a/_legacy/faq/general/open-source.md b/_legacy/faq/general/open-source.md
new file mode 100644
index 000000000..fa15caba0
--- /dev/null
+++ b/_legacy/faq/general/open-source.md
@@ -0,0 +1 @@
+Yes.
\ No newline at end of file
diff --git a/_legacy/faq/hydra/lifespan.md b/_legacy/faq/hydra/lifespan.md
new file mode 100644
index 000000000..c54cf2396
--- /dev/null
+++ b/_legacy/faq/hydra/lifespan.md
@@ -0,0 +1 @@
+Use `hydra help host | grep LIFESPAN` to get a list of options allowing you to customize the lifespan of tokens.
\ No newline at end of file
diff --git a/_legacy/faq/hydra/oauth2-tutorials.md b/_legacy/faq/hydra/oauth2-tutorials.md
new file mode 100644
index 000000000..fde88ba54
--- /dev/null
+++ b/_legacy/faq/hydra/oauth2-tutorials.md
@@ -0,0 +1,4 @@
+Here are some read-worthy resources on OAuth 2.0:
+
+* [A quick guide to OAuth 2.0 by Digital Ocean](https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2)
+* [A broad overview of OAuth 2.0 written by Aaron Parecki](https://www.oauth.com/oauth2-servers/oauth2-clients/server-side-apps/)
diff --git a/_legacy/faq/hydra/scope-acp.md b/_legacy/faq/hydra/scope-acp.md
new file mode 100644
index 000000000..931983fc2
--- /dev/null
+++ b/_legacy/faq/hydra/scope-acp.md
@@ -0,0 +1,12 @@
+OAuth 2.0 scopes and Access Control Policies cover different aspects of access control. OAuth 2.0 scopes do not represent
+what a resource owner ("user") is able to do in a system or not. They do not express things like administrative rights.
+
+OAuth 2.0 scopes express what a user allowed a token to do on his/her behalf. For example, an access token might be allowed
+to see a user's pictures, but not upload new pictures on his/her behalf. The user him/herself however is generally allowed
+to view and upload pictures. OAuth 2.0 scopes do not express a user's permissions. They express what an OAuth 2.0 Client
+may do on the user's behalf - independently of whether or not the user is actually allowed to do that.
+
+Access Control Policies say what permissions a user has. For example, a user may be allowed to upload and view pictures,
+but not ban other users. The latter permission is only allowed if the user is an administrator. Access Control Policies
+cover use cases where you would use RBAC or ACL - but are generally more powerful. A user may be an administrator and thus
+allowed to ban user, but the user might choose to not grant this capability (OAuth 2.0 scope) to some OAuth 2.0 Client.
\ No newline at end of file
diff --git a/_legacy/faq/package.json b/_legacy/faq/package.json
new file mode 100644
index 000000000..9664f260a
--- /dev/null
+++ b/_legacy/faq/package.json
@@ -0,0 +1,4 @@
+{
+ "dependencies": {
+ }
+}
diff --git a/_legacy/faq/yarn.lock b/_legacy/faq/yarn.lock
new file mode 100644
index 000000000..fb57ccd13
--- /dev/null
+++ b/_legacy/faq/yarn.lock
@@ -0,0 +1,4 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
diff --git a/guides/README.md b/_legacy/guides/README.md
similarity index 100%
rename from guides/README.md
rename to _legacy/guides/README.md
diff --git a/guides/SUMMARY.md b/_legacy/guides/SUMMARY.md
similarity index 100%
rename from guides/SUMMARY.md
rename to _legacy/guides/SUMMARY.md
diff --git a/_legacy/guides/_layouts/website/page.html b/_legacy/guides/_layouts/website/page.html
new file mode 100644
index 000000000..a30e4825e
--- /dev/null
+++ b/_legacy/guides/_layouts/website/page.html
@@ -0,0 +1,7 @@
+{% extends template.self %}
+
+{% block body %}
+ {{ super() }}
+
+
+{% endblock %}
diff --git a/guides/book.json b/_legacy/guides/book.json
similarity index 100%
rename from guides/book.json
rename to _legacy/guides/book.json
diff --git a/guides/ecosystem/0-overview.md b/_legacy/guides/ecosystem/0-overview.md
similarity index 100%
rename from guides/ecosystem/0-overview.md
rename to _legacy/guides/ecosystem/0-overview.md
diff --git a/guides/ecosystem/1-cloud-native.md b/_legacy/guides/ecosystem/1-cloud-native.md
similarity index 100%
rename from guides/ecosystem/1-cloud-native.md
rename to _legacy/guides/ecosystem/1-cloud-native.md
diff --git a/guides/ecosystem/2-versions.md b/_legacy/guides/ecosystem/2-versions.md
similarity index 100%
rename from guides/ecosystem/2-versions.md
rename to _legacy/guides/ecosystem/2-versions.md
diff --git a/_legacy/guides/ecosystem/3-upgrading.md b/_legacy/guides/ecosystem/3-upgrading.md
new file mode 100644
index 000000000..970bed824
--- /dev/null
+++ b/_legacy/guides/ecosystem/3-upgrading.md
@@ -0,0 +1,15 @@
+# Performing Software Updates
+
+Good software improves over time. If it wouldn't, you shouldn't use it. Unfortunately, some of these improvements
+have breaking changes. We know that breaking changes are annoying so we want to make upgrading as painless as possible.
+
+We document detailed changelogs and upgrade guides for this very reason:
+
+* ORY Hydra: [upgrade guide](https://github.com/ory/hydra/blob/master/UPGRADE.md), [changelog](https://github.com/ory/hydra/blob/master/CHANGELOG.md)
+* ORY Oathkeeper: [upgrade guide](https://github.com/ory/oathkeeper/blob/master/UPGRADE.md), [changelog](https://github.com/ory/oathkeeper/blob/master/CHANGELOG.md)
+* ORY Keto: [upgrade guide](https://github.com/ory/keto/blob/master/UPGRADE.md), [changelog](https://github.com/ory/keto/blob/master/CHANGELOG.md)
+
+Before upgrading to a newer version, please make sure to check with these documents first.
+
+**If you have not already subscribed to our release announcements, [subscribe now](http://eepurl.com/di390P)!** We announce
+important releases (e.g. security releases) in this newsletter.
diff --git a/guides/ecosystem/4-examples.md b/_legacy/guides/ecosystem/4-examples.md
similarity index 100%
rename from guides/ecosystem/4-examples.md
rename to _legacy/guides/ecosystem/4-examples.md
diff --git a/_legacy/guides/hydra/1-tutorial/README.md b/_legacy/guides/hydra/1-tutorial/README.md
new file mode 100644
index 000000000..5abc9713e
--- /dev/null
+++ b/_legacy/guides/hydra/1-tutorial/README.md
@@ -0,0 +1,133 @@
+# 5 Minute Tutorial
+
+To get started quickly, we provide a Docker Compose based example for setting up ORY Hydra, a PostgreSQL instance
+and an exemplary user login & consent app. You need to have the latest Docker as well as Docker Compose version installed.
+
+
+
+Next, clone (`git clone https://github.com/ory/hydra.git`), [download](https://github.com/ory-am/hydra/archive/master.zip),
+or use `go get -d github.com/ory/hydra` - if you have Go (1.10+) installed on you system - to download the Docker Compose
+set up.
+
+```
+$ git clone https://github.com/ory/hydra.git
+$ cd hydra
+$ git checkout tags/v1.0.0-beta.8
+
+$ docker-compose -p hydra up --build
+Starting hydra_mysqld_1
+Starting hydra_postgresd_1
+Starting hydra_hydra_1
+
+[...]
+```
+
+
+Everything should running now! Let's confirm that everything is working by creating our first OAuth 2.0 Client.
+The following commands will use Docker wizardry. You can obviously install the ORY Hydra CLI locally and avoid using
+Docker here. If you do use the CLI locally, you can omit `docker exec -it hydra_hydra_1 \` completely.
+
+You will notice that two ports are being used. Port `4444` and port `4445`. The former is for request to ORY Hydra's public
+endpoints. The latter to its administrative endpoints. For more information on this, head over to
+[Securing ORY Hydra](../2-environment/securing-ory-hydra.md). If you want to run ORY Hydra admin and
+public services in two separate containers, run
+
+```
+$ docker-compose -p hydra -f docker-compose-twoc.yml up --build
+```
+
+Please be aware that you will not be able to run the hydra CLI from within docker if you
+use the docker-compose-twoc.yml file. Instead, you must install the CLI locally and
+omit `docker exec -it hydra_hydra_1 \` from your commands.
+
+Ok, let's continue by creating a new OAuth 2.0 Client.
+
+```
+# Creates a new OAuth 2.0 client
+$ docker exec -it hydra_hydra_1 \
+ hydra clients create \
+ --endpoint http://localhost:4445 \
+ --id my-client \
+ --secret secret \
+ -g client_credentials
+
+OAuth2 client id: my-client
+OAuth2 client secret: secret
+
+# Let's perform the client credentials grant.
+$ docker exec -it hydra_hydra_1 \
+ hydra token client \
+ --endpoint http://localhost:4444 \
+ --client-id my-client \
+ --client-secret secret
+
+UDYMha9TwsMBejEvKfnDOXkhgkLsnmUNYVQDklT5bD8.ZNpuNRC85erbIYDjPqhMwTinlvQmNTk_UvttcLQxFJY
+
+# Let's perform token introspection on that token. Make sure to copy the token you just got and not the dummy value.
+$ docker exec -it hydra_hydra_1 \
+ hydra token introspect \
+ --endpoint http://localhost:4445 \
+ --client-id my-client \
+ --client-secret secret \
+ UDYMha9TwsMBejEvKfnDOXkhgkLsnmUNYVQDklT5bD8.ZNpuNRC85erbIYDjPqhMwTinlvQmNTk_UvttcLQxFJY
+
+{
+ "active": true,
+ "client_id": "my-client",
+ "exp": 1527078658,
+ "iat": 1527075058,
+ "iss": "http://localhost:4444",
+ "sub": "my-client",
+ "token_type": "access_token"
+}
+```
+
+Next, we will perform the OAuth 2.0 Authorization Code Grant. For that, we must first create a client that is capable
+of performing that grant:
+
+```
+$ docker exec -it hydra_hydra_1 \
+ hydra clients create \
+ --endpoint http://localhost:4445 \
+ --id auth-code-client \
+ --secret secret \
+ --grant-types authorization_code,refresh_token \
+ --response-types code,id_token \
+ --scope openid,offline \
+ --callbacks http://127.0.0.1:5555/callback
+```
+
+Note that you need to add `--token-endpoint-auth-method none` if your clients are public (such as SPA apps and native apps) because the public clients could not provide client secret.
+
+
+The next command starts a server that serves an example web application. The application will perform the OAuth 2.0
+Authorization Code Flow using ORY Hydra. The web server runs on [http://127.0.0.1:5555](http://127.0.0.1:5555).
+
+```
+$ docker exec -it hydra_hydra_1 \
+ hydra token user \
+ --client-id auth-code-client \
+ --client-secret secret \
+ --endpoint http://localhost:4444/ \
+ --port 5555 \
+ --scope openid,offline
+
+Setting up home route on http://127.0.0.1:4445/
+Setting up callback listener on http://127.0.0.1:4445/callback
+Press ctrl + c on Linux / Windows or cmd + c on OSX to end the process.
+If your browser does not open automatically, navigate to:
+
+ http://127.0.0.1:5555/
+```
+
+Open the URL [http://127.0.0.1:5555/](http://127.0.0.1:5555/), log in, and authorize the application. Next, you should
+see at least an access token in the response. If you granted the `offline` scope, you will also see a refresh token.
+If you granted the `openid` scope, you will get an ID Token as well.
+
+Great! You installed hydra, connected the CLI, created a client and completed two authentication flows!
+Before you continue, clean up this set up in order to avoid conflicts with other tutorials form this guide:
+
+```
+$ docker-compose kill
+$ docker-compose rm -f
+```
diff --git a/_legacy/guides/hydra/2-environment/1-securing-ory-hydra.md b/_legacy/guides/hydra/2-environment/1-securing-ory-hydra.md
new file mode 100644
index 000000000..121a3ce5a
--- /dev/null
+++ b/_legacy/guides/hydra/2-environment/1-securing-ory-hydra.md
@@ -0,0 +1,34 @@
+# Securing ORY Hydra
+
+ORY Hydra exposes serves APIs via two ports:
+
+- Public port (default 4444)
+- Administrative port (default 4445)
+
+The public port can and should be exposed to public internet traffic. That port handles requests to:
+
+* `./well-known/jwks.json`
+* `./well-known/openid-configuration`
+* `/oauth2/auth`
+* `/oauth2/token`
+* `/oauth2/revoke`
+* `/oauth2/fallbacks/consent`
+* `/oauth2/fallbacks/error`
+* `/userinfo`
+
+The administrative port should not be exposed to public internet traffic. If you want to expose certain endpoints, such as the `/clients` endpoint for
+OpenID Connect Dynamic Client Registry, you can do so but you need to properly secure these endpoints with an API Gateway or Authorization Proxy.
+Administrative endpoints include:
+
+* All `/clients` endpoints.
+* All `/jwks` endpoints.
+* All `/health`, `/metrics`, `/version` endpoints.
+* All `/oauth2/auth/requests` endpoints.
+* Endpoint `/oauth2/introspect`.
+* Endpoint `/oauth2/flush`.
+
+None of the administrative endpoints have any built-in access control. You can do simple `curl` or Postman requests to talk to them.
+
+We generally advise to run ORY Hydra with `hydra serve all` which listens on both ports in one process. If you wish to have more granular control over
+each endpoint's settings (e.g. CORS), you can run `hydra serve admin` and `hydra serve public` separately. Please be aware that the `memory` backend
+will not work in this mode.
diff --git a/_legacy/guides/hydra/2-environment/README.md b/_legacy/guides/hydra/2-environment/README.md
new file mode 100644
index 000000000..d31f651ef
--- /dev/null
+++ b/_legacy/guides/hydra/2-environment/README.md
@@ -0,0 +1,64 @@
+# Dependencies & Environment
+
+
+
+ORY Hydra is built cloud native and implements [12factor](http://12factor.net) principles. The Docker Image is 5 MB light
+and versioned with [verbose upgrade instructions](https://github.com/ory/hydra/blob/master/UPGRADE.md)
+and [detailed changelogs](https://github.com/ory/hydra/blob/master/CHANGELOG.md). Auto-scaling, migrations, health checks,
+it all works with zero additional work required. It is possible to run ORY Hydra on any platform, including but not limited
+to OSX, Linux, Windows, ARM, FreeBSD and more.
+
+ORY Hydra has two operational modes:
+
+* In-memory: This mode does not work with more than one instance ("cluster") and any state is lost after restarting the instance.
+* SQL: This mode works with more than one instance and state is not lost after restarts.
+
+No further dependencies are required for a production-ready instance.
+
+## SQL
+
+The SQL adapter supports two DBMS: PostgreSQL 9.6+ and MySQL 5.7+. Please note that
+older MySQL versions have issues with ORY Hydra's database schema. For more information [go here](https://github.com/ory/hydra/issues/377).
+
+If you do run the SQL adapter, you must first create the database schema. The `hydra serve` command does not do this
+automatically, instead you must run `hydra migrate sql` to create the schemas. The `hydra migrate sql` command
+also runs database migrations in case of an upgrade. Please follow the [upgrade instructions](https://github.com/ory/hydra/blob/master/UPGRADE.md)
+to see when you need to run this command. Always create a backup before running `hydra migrate sql`!
+
+Running SQL migrations in Docker is very easy, check out the [docker-compose](https://github.com/ory/hydra/blob/master/docker-compose.yml)
+example to see how we did it!
+
+### Configuration
+
+Both MySQL and PostgreSQL adapters support the following settings. You can modify these settings by appending query parameters to your DSN (`postgres://user:pw@host:port/database?setting1=foo&setting2=bar`):
+
+* `max_conns` sets the maximum number of open connections to the database. Defaults to the number of CPUs. Example `postgres://user:pw@host:port/database?max_conns=10`.
+* `max_idle_conns` sets the maximum number of connections in the idle connection pool. Defaults to the number of CPUs. Example `postgres://user:pw@host:port/database?max_idle_conns=5`.
+* `max_conn_lifetime` sets the maximum amount of time (`ms`, `s`, `m`, `h`) a connection may be reused. Defaults to 0. Example `postgres://user:pw@host:port/database?max_conn_lifetime=10s`.
+
+#### MySQL
+
+On top of the settings above, MySQL supports additional settings:
+
+* `sql_notes`, if set to `false`, ignores MySQL notices. If left empty or set to `true`, they will be treated as warnings. Example `mysql://user:pw@host:port/database?sql_notes=false`.
+* `sql_mode` sets the server-side strict mode. Read more about possible values [here](https://dev.mysql.com/doc/refman/5.7/en/sql-mode.html).
+
+#### PostgreSQL
+
+On top of the settings above, PostgreSQL supports additional settings:
+
+* `sslmode` sets whether or not to use SSL (default is require, this is not the default for libpq). Valid values for sslmode are:
+ * `disable` - No SSL
+ * `require` - Always SSL (skip verification)
+ * `verify-ca` - Always SSL (verify that the certificate presented by the
+ server was signed by a trusted CA)
+ * `verify-full` - Always SSL (verify that the certification presented by
+ the server was signed by a trusted CA and the server host name
+ matches the one in the certificate)
+* `fallback_application_name` - An application_name to fall back to if one isn't provided.
+* `connect_timeout` - Maximum wait for connection, in seconds. Zero or
+not specified means wait indefinitely.
+* `sslcert` - Cert file location. The file must contain PEM encoded data.
+* `sslkey` - Key file location. The file must contain PEM encoded data.
+* `sslrootcert` - The location of the root certificate file. The file
+must contain PEM encoded data.
\ No newline at end of file
diff --git a/_legacy/guides/hydra/3-overview/1-oauth2.md b/_legacy/guides/hydra/3-overview/1-oauth2.md
new file mode 100644
index 000000000..297a8fe48
--- /dev/null
+++ b/_legacy/guides/hydra/3-overview/1-oauth2.md
@@ -0,0 +1,392 @@
+# OAuth 2.0 & OpenID Connect
+
+ORY Hydra's primary feature is implementing the OAuth 2.0 and OpenID Connect spec, as well as related specs by the IETF
+and OpenID Foundation.
+
+This section explains how to connect your existing user management (user login, registration, logout, ...) with ORY Hydra
+in order to become an OAuth 2.0 and OpenID Connect provider like Google, Dropbox, or Facebook.
+
+Please be aware that you must know how OAuth 2.0 and OpenID Connect work. This documentation will not teach you how
+these protocols work.
+
+
+
+## Glossary
+
+Before we get into the gritty details of how everything fits together, let's get some terminologies out of the way. You will
+find these terminologies scattered across the OAuth2 and OpenID Connect ecosystem.
+
+We decided, for this guide, to use simpler and easier to use terminologies like, for example, *user* instead of *resource owner*.
+If you are familiar with OAuth2 details, you will find it easier to navigate these docs if you have read the glossary.
+
+1. The **resource owner** is the user who authorizes an application to access their account. The application's access to
+the user's account is limited to the "scope" of the authorization granted (e.g. read or write access). We will refer to
+the resource owner as a *user* or *end user* on this page.
+2. The **OAuth 2.0 Authorization Server** implements the OAuth 2.0 protocol (and optionally OpenID Connect) and serves
+endpoints such as `/oauth2/auth` or `/oauth2/token`. In our case, this is **ORY Hydra**.
+3. The **resource provider** is a service that - well - provides resources. These resources (e.g. a blog article, printer, todo list)
+are owned by a resource owner (user) mentioned above.
+3. The **OAuth 2.0 Client** is the *application* that wants access to a resource owner's resources (a.k.a. get write access to a user's images).
+Such a client can ask the authorization server to issue an access token on a resource owner's behalf. Typically, the authorization server
+will ask the user if he/she "is ok with" giving that application e.g. write access to personal images.
+4. The **Identity Provider** is a service ("application"/"website") with a login interface. An identity provider typically
+allows users to register as well and might also have an administrative interface in order to manage the identities (delete user, ban user, create user, ...).
+5. **User Agent** is usually a browser.
+6. **OpenID Connect** is a protocol built on top of OAuth 2.0 which is capable of federating authentication.
+
+A typical OAuth 2.0 flow looks as follows:
+
+1. A developer registers an OAuth 2.0 Client at the Authorization Server (ORY Hydra) with the intention of obtaining information on behalf of a user.
+2. The application UI asks the user to authorize the application to access information/data on his/her behalf.
+3. The user is redirected to the Authorization Server.
+4. The Authorization Server confirms the user's identity and asks the user to grant the OAuth 2.0 Client certain permissions.
+5. The Authorization Server issues tokens that the OAuth 2.0 client uses to access resources on the user's behalf.
+
+## Authenticating Users and Requesting Consent
+
+As you already know by now, ORY Hydra does not come with any type of user management (login, registration, ...).
+Instead, it relies on the so-called User Login and Consent Flow. This flow describes a series of redirects where the user's
+user agent is redirect to your Login Provider and, once the user is authenticated, to the Consent Provider. The Login
+and Consent provider is implemented by you in a programming language of your choice. You could write, for example, a
+NodeJS app that handles HTTP requests to `/login` and `/consent` and it would thus be your Login & Consent provider.
+
+The flow itself works as follows:
+
+1. The OAuth 2.0 Client initiates an Authorize Code, Hybrid, or Implicit flow. The user's user agent is redirect to
+`http://hydra/oauth2/auth?client_id=...&...`.
+2. ORY Hydra, if unable to authenticate the user (= no session cookie exists), redirects the user's user agent to the Login Provider
+URL. The application "sitting" at that URL is implemented by you and typically shows a login user interface ("Please enter
+your username and password"). The URL the user is redirect to looks similar to `http://login-service/login?login_challenge=1234...`.
+3. The Login Provider, once the user has successfully logged in, tells ORY Hydra some information about who the user is (e.g. the user's ID)
+and also that the login attempt was successful. This is done using a REST request which includes another redirect URL
+along the lines of `http://hydra/oauth2/auth?client_id=...&...&login_verifier=4321`.
+4. The user's user agent follows the redirect and lands back at ORY Hydra. Next, ORY Hydra redirects the user's user
+agent to the Consent Provider, hosted at - for example - `http://consent-service/consent?consent_challenge=4567...`
+5. The Consent Provider shows a user interface which asks the user if he/she would like to grant the OAuth 2.0 Client
+the requested permissions ("OAuth 2.0 Scope"). You've probably seen this screen around, which is usually something similar to:
+*"Would you like to grant Facebook Image Backup access to all your private and public images?"*.
+6. The Consent Provider makes another REST request to ORY Hydra to let it know which permissions the user authorized, and
+if the user authorized the request at all. The user can usually choose to not grant an application any access to his/her
+personal data. In the response of that REST request, a redirect URL is included along the lines of `http://hydra/oauth2/auth?client_id=...&...&consent_verifier=7654...`.
+7. The user's user agent follows that redirect.
+7. Now, the user has successfully authenticated and authorized the application. Next, ORY Hydra will
+run some checks and if everything works out, issue access, refresh, and ID tokens.
+
+This flow allows you to take full control of the behaviour of your login system (e.g. 2FA, passwordless, ...) and
+consent screen. A well-documented reference implementation for both the Login and [Consent Provider is available on GitHub](https://github.com/ory/hydra-login-consent-node).
+
+### The flow from a user's point of view
+
+{% youtube %}https://www.youtube.com/watch?v=txUmfORzu8Y{% endyoutube %}
+
+### The flow from a network perspective
+
+
+
+### Implementing a Login & Consent Provider
+
+You should now have a high-level idea of how the login and consent providers work. Let's get into the details of it.
+
+#### OAuth 2.0 Authorize Code Flow
+
+Before anything happens, the OAuth 2.0 Authorize Code Flow is initiated by an OAuth 2.0 Client. This usually works by
+generating a URL in the form of `https://hydra/oauth2/auth?client_id=1234&scope=foo+bar&response_type=code&...`. Then,
+the OAuth 2.0 Client points the end user's user agent to that URL.
+
+Next, the user agent (browser) opens that URL.
+
+#### User Login
+
+As the user agent hits the URL, ORY Hydra checks if a session cookie is set containing information about a previously
+successful login. Additionally, parameters such as `id_token_hint`, `prompt`, and `max_age` are evaluated and processed.
+
+Next, the user will be redirect to the Login Provider which was set using the `OAUTH2_LOGIN_URL` environment
+variable. For example, the user is redirected to `https://login-provider/login?login_challenge=1234` if `OAUTH2_LOGIN_URL=https://login-provider/login`.
+This redirection happens *always* and regardless of whether the user has a valid login session or if the user needs
+to authenticate.
+
+The service which handles requests to `https://login-provider/login` must first fetch information on the authentication
+request using a REST API call. Please be aware that for reasons of brevity, the following code snippets are pseudo-code.
+For a fully working example, check out our reference [User Login & Consent Provider implementation](https://github.com/ory/hydra-login-consent-node).
+
+The endpoint handler at `/login` **must not remember previous sessions**. This task is solved by ORY Hydra. If the
+REST API call tells you to show the login ui, you **must show it**. If the REST API tells you to not show the login ui,
+**you must not show it**. Again, **do not implement any type of session here**.
+
+```
+// This is node-js pseudo code and will not work if you copy it 1:1
+
+router.get('/login', function (req, res, next) {
+ challenge = req.url.query.login_challenge;
+
+ fetch('https://hydra/oauth2/auth/requests/login/' + challenge).
+ then(function (response) {
+ // ...
+ })
+})
+```
+
+The server response is a JSON object with the following keys:
+
+```
+{
+ // Skip, if true, let's us know that ORY Hydra has successfully authenticated the user and we should not show any UI
+ "skip": true|false,
+
+ // The user-id of the already authenticated user - only set if skip is true
+ "subject": "user-id",
+
+ // The OAuth 2.0 client that initiated the request
+ "client": {"id": "...", ...},
+
+ // The initial OAuth 2.0 request url
+ "request_url": "https://hydra/oauth2/auth?client_id=1234&scope=foo+bar&response_type=code&...",
+
+ // The OAuth 2.0 Scope requested by the client,
+ "requested_scope": ["foo", "bar"],
+
+ // Information on the OpenID Connect request - only required to process if your UI should support these values.
+ "oidc_context": {"ui_locales": [...], ...}
+}
+```
+
+For a full documentation on all available keys, please head over to the [API documentation](https://www.ory.sh/docs/api/hydra/)
+(make sure to select the right API version).
+
+Depending of whether or not `skip` is true, you will prompt the user to log in by showing him/her a username/password form,
+or by using some other proof of identity.
+
+If `skip` is true, you **should not** show a user interface but accept the login request directly by making a REST call.
+You can use this step to update some internal count of how often a user logged in, or do some other custom business logic.
+But again, do not show the user interface.
+
+To accept the login request, do something along the lines of:
+
+```
+// This is node-js pseudo code and will not work if you copy it 1:1
+
+const body = {
+ // This is the user ID of the user that authenticated. If `skip` is true, this must be the `subject`
+ // value from the `fetch('https://hydra/oauth2/auth/requests/login/' + challenge)` response:
+ //
+ // subject = response.subject
+ //
+ // Otherwise, this can be a value of your choosing:
+ subject: "...",
+
+ // If remember is set to true, then the authentication session will be persisted in the user's browser by ORY Hydra. This will set the `skip` flag to true in future requests that are coming from this user. This value has no effect if `skip` was true.
+ remember: true|false,
+
+ // The time (in seconds) that the cookie should be valid for. Only has an effect if `remember` is true.
+ remember_for: 3600,
+
+ // This value is specified by OpenID connect and optional - it tells OpenID Connect which level of authentication the user performed - for example 2FA or using some biometric data. The concrete values are up to you here.
+ acr: ".."
+}
+
+fetch('https://hydra/oauth2/auth/requests/login/' + challenge + '/accept', {
+ method: 'PUT',
+ body: JSON.stringify(body),
+ headers: { 'Content-Type': 'application/json' }
+}).
+ then(function (response) {
+ // The response will contain a `redirect_to` key which contains the URL where the user's user agent must be redirected to next.
+ res.redirect(response.redirect_to);
+ })
+```
+
+You may also choose to deny the login request. This is possible regardless of the `skip` value.
+
+```
+// This is node-js pseudo code and will not work if you copy it 1:1
+
+const body = {
+ error: "...", // This is an error ID like `login_required` or `invalid_request`
+ error_description: "..." // This is a more detailed description of the error
+}
+
+fetch('https://hydra/oauth2/auth/requests/login/' + challenge + '/reject', {
+ method: 'PUT',
+ body: JSON.stringify(body),
+ headers: { 'Content-Type': 'application/json' }
+}).
+ then(function (response) {
+ // The response will contain a `redirect_to` key which contains the URL where the user's user agent must be redirected to next.
+ res.redirect(response.redirect_to);
+ })
+```
+
+#### User Consent
+
+Now that we know who the user is, we must ask the user if he/she wants to grant the requested permissions to the OAuth 2.0 Client.
+To do so, we check if the user has previously granted that exact OAuth 2.0 Client the requested permissions. If the user
+has never granted any permissions to the client, or the client requires new permissions not previously granted, the user
+must visually confirm the request.
+
+This works very similar to the User Login Flow.
+First, the user will be redirect to the Consent Provider which was set using the `OAUTH2_CONSENT_PROVIDER` environment
+variable. For example, the user is redirected to `https://consent-provider/consent?consent_challenge=1234` if `OAUTH2_CONSENT_PROVIDER=https://consent-provider/consent`.
+This redirection happens *always* and regardless of whether the user has a valid login session or if the user needs
+to authorize the application or not.
+
+The service which handles requests to `https://consent-provider/consent` must first fetch information on the consent
+request using a REST API call. Please be aware that for reasons of brevity, the following code snippets are pseudo-code.
+For a fully working example, check out our reference [User Login & Consent Provider implementation](https://github.com/ory/hydra-login-consent-node).
+
+```
+// This is node-js pseudo code and will not work if you copy it 1:1
+
+challenge = req.url.query.consent_challenge;
+
+fetch('https://hydra/oauth2/auth/requests/consent/' + challenge).
+ then(function (response) {
+ // ...
+ })
+```
+
+The server response is a JSON object with the following keys:
+
+```
+{
+ // Skip, if true, let's us know that the client has previously been granted the requested permissions (scope) by the end-user
+ "skip": true|false,
+
+ // The user-id of the user that will grant (or deny) the request
+ "subject": "user-id",
+
+ // The OAuth 2.0 client that initiated the request
+ "client": {"id": "...", ...},
+
+ // The initial OAuth 2.0 request url
+ "request_url": "https://hydra/oauth2/auth?client_id=1234&scope=foo+bar&response_type=code&...",
+
+ // The OAuth 2.0 Scope requested by the client,
+ "requested_scope": ["foo", "bar"],
+
+ // Information on the OpenID Connect request - only required to process if your UI should support these values.
+ "oidc_context": {"ui_locales": [...], ...}
+}
+```
+
+If skip is true, you should not show any user interface to the user. Instead, you should accept (or deny) the consent request.
+Typically, you will accept the request unless you have a very good reason to deny it (e.g. the OAuth 2.0 Client is banned).
+
+If skip is false and you show the consent screen, you should use the `requested_scope` array to display a list of permissions
+which the user must grant (e.g. using a checkbox). Some people choose to always skip this step if the OAuth 2.0 Client
+is a first-party client - meaning that the client is used by you or your developers in an internal application.
+
+Assuming the user accepts the consent request, the code looks very familiar to the User Login Flow.
+
+```
+// This is node-js pseudo code and will not work if you copy it 1:1
+
+const body = {
+ // A list of permissions the user granted to the OAuth 2.0 Client. This can be fewer permissions that initially requested, but are rarely more or other permissions than requested.
+ grant_scope: ["foo", "bar"],
+
+ // If remember is set to true, then the consent response will be remembered for future requests. This will set the `skip` flag to true in future requests that are coming from this user for the granted permissions and that particular client. This value has no effect if `skip` was true.
+ remember: true|false,
+
+ // The time (in seconds) that the cookie should be valid for. Only has an effect if `remember` is true.
+ remember_for: 3600,
+
+ // The session allows you to set additional data in the access and ID tokens.
+ session: {
+ // Sets session data for the access and refresh token, as well as any future tokens issued by the
+ // refresh grant. Keep in mind that this data will be available to anyone performing OAuth 2.0 Challenge Introspection.
+ // If only your services can perform OAuth 2.0 Challenge Introspection, this is usually fine. But if third parties
+ // can access that endpoint as well, sensitive data from the session might be exposed to them. Use with care!
+ access_token: { ... },
+
+ // Sets session data for the OpenID Connect ID token. Keep in mind that the session'id payloads are readable
+ // by anyone that has access to the ID Challenge. Use with care!
+ id_token: { ... },
+ }
+}
+
+fetch('https://hydra/oauth2/auth/requests/consent/' + challenge + '/accept', {
+ method: 'PUT',
+ body: JSON.stringify(body),
+ headers: { 'Content-Type': 'application/json' }
+}).
+ then(function (response) {
+ // The response will contain a `redirect_to` key which contains the URL where the user's user agent must be redirected to next.
+ res.redirect(response.redirect_to);
+ })
+```
+
+You may also choose to deny the consent request. This is possible regardless of the `skip` value.
+
+```
+// This is node-js pseudo code and will not work if you copy it 1:1
+
+const body = {
+ // This is an error ID like `consent_required` or `invalid_request`
+ error: "...",
+
+ // This is a more detailed description of the error
+ error_description: "..."
+}
+
+fetch('https://hydra/oauth2/auth/requests/consent/' + challenge + '/reject', {
+ method: 'PUT',
+ body: JSON.stringify(body),
+ headers: { 'Content-Type': 'application/json' }
+}).
+ then(function (response) {
+ // The response will contain a `redirect_to` key which contains the URL where the user's user agent must be redirected to next.
+ res.redirect(response.redirect_to);
+ })
+```
+
+Once the user agent is redirected back, the OAuth 2.0 flow will be finalized.
+
+### Revoking consent and login sessions
+
+#### Login
+
+You can revoke login sessions. Revoking a login session will remove all of the user's cookies at ORY Hydra and will require
+the user to re-authenticate when performing the next OAuth 2.0 Authorize Code Flow. Be aware that this option will
+remove all cookies from all devices.
+
+Revoking the login sessions of a user is as easy as sending `DELETE to `/oauth2/auth/sessions/login/{user}`.
+
+#### Consent
+
+You can revoke a user's consent either on a per application basis or for all applications. Revoking the consent will
+automatically revoke all related access and refresh tokens.
+
+Revoking all consent sessions of a user is as easy as sending `DELETE to `/oauth2/auth/sessions/consent/{user}`.
+
+Revoking the consent sessions of a user for a specific client is as easy as sending `DELETE to `/oauth2/auth/sessions/consent/{user}/{client}`.
+
+## OAuth 2.0 Scope
+
+The scope of an OAuth 2.0 scope defines the permission the token was granted by the user. For example, a specific
+token might be allowed to access public pictures, but not private ones. The granted permissions are established during
+the consent screen.
+
+Additionally, ORY Hydra has pre-defined OAuth 2.0 Scope values:
+
+* `offline` and `offline_access`: Include this scope if you wish to receive a refresh token
+* `openid`: Include this scope if you wish to perform an OpenID Connect request.
+
+## OAuth2 Token Introspection
+
+OAuth2 Token Introspection is an [IETF](https://tools.ietf.org/html/rfc7662) standard.
+It defines a method for a protected resource to query
+an OAuth 2.0 authorization server to determine the active state of an
+OAuth 2.0 token and to determine meta-information about this token.
+OAuth 2.0 deployments can use this method to convey information about
+the authorization context of the token from the authorization server
+to the protected resource.
+
+You can find more details on this endpoint in the [ORY Hydra API Docs](https://www.ory.sh/docs/). You can also use
+the CLI command `hydra token introspect Docker
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]},{"x":250,"y":222.5,"rotation":0,"id":46,"uid":"com.gliffy.shape.basic.basic_v1.default.rectangle","width":140,"height":200,"lockAspectRatio":false,"lockShape":false,"order":0,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":2,"strokeColor":"#333333","fillColor":"#FFFFFF","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[],"linkMap":[]},{"x":325,"y":382,"rotation":0,"id":30,"uid":"com.gliffy.shape.basic.basic_v1.default.line","width":100,"height":100,"lockAspectRatio":false,"lockShape":false,"order":16,"graphic":{"type":"Line","Line":{"strokeWidth":2,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":1,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","ortho":true,"interpolationType":"linear","cornerRadius":10,"controlPath":[[-5,-2],[-5,105.5],[-195,105.5]],"lockSegments":{}}},"children":[{"x":0,"y":0,"rotation":0,"id":31,"uid":null,"width":123,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"both","vposition":"none","hposition":"none","html":"snapshots for recovery
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":2,"px":0.5,"py":1}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":11,"px":1,"py":0.5}}},"linkMap":[]},{"x":80,"y":367,"rotation":0,"id":27,"uid":"com.gliffy.shape.basic.basic_v1.default.line","width":100,"height":100,"lockAspectRatio":false,"lockShape":false,"order":14,"graphic":{"type":"Line","Line":{"strokeWidth":2,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":1,"endArrow":1,"startArrowRotation":"auto","endArrowRotation":"auto","ortho":false,"interpolationType":"linear","cornerRadius":null,"controlPath":[[0,0.5],[0,83]],"lockSegments":{}}},"children":[{"x":0,"y":0,"rotation":0,"id":32,"uid":null,"width":93,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"both","vposition":"none","hposition":"none","html":"create snapshots
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":16,"px":0.5,"py":1}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":11,"px":0.5,"py":0}}},"linkMap":[]},{"x":197,"y":321,"rotation":0,"id":22,"uid":"com.gliffy.shape.basic.basic_v1.default.line","width":100,"height":100,"lockAspectRatio":false,"lockShape":false,"order":12,"graphic":{"type":"Line","Line":{"strokeWidth":2,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":1,"endArrow":1,"startArrowRotation":"auto","endArrowRotation":"auto","ortho":true,"interpolationType":"linear","cornerRadius":10,"controlPath":[[73,9],[26.333333333333314,9],[-20.333333333333343,9],[-67,9]],"lockSegments":{}}},"children":[{"x":0,"y":0,"rotation":0,"id":23,"uid":null,"width":44,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"both","vposition":"none","hposition":"none","html":"pub/sub
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":2,"px":0,"py":0.5}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":16,"px":1,"py":0.5}}},"linkMap":[]},{"x":30,"y":292.5,"rotation":0,"id":16,"uid":"com.gliffy.shape.flowchart.flowchart_v1.default.database","width":100,"height":75,"lockAspectRatio":false,"lockShape":false,"order":10,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.database.flowchart_v1","strokeWidth":2,"strokeColor":"#333333","fillColor":"#FFFFFF","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[{"x":2,"y":0,"rotation":0,"id":18,"uid":null,"width":96,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"none","vposition":"none","hposition":"none","html":"Message Broker
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]},{"x":30,"y":450,"rotation":0,"id":11,"uid":"com.gliffy.shape.flowchart.flowchart_v1.default.database","width":100,"height":75,"lockAspectRatio":false,"lockShape":false,"order":8,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.database.flowchart_v1","strokeWidth":2,"strokeColor":"#333333","fillColor":"#FFFFFF","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[{"x":2,"y":0,"rotation":0,"id":13,"uid":null,"width":96,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"none","vposition":"none","hposition":"none","html":"Datastore
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]},{"x":617,"y":332,"rotation":0,"id":8,"uid":"com.gliffy.shape.basic.basic_v1.default.line","width":100,"height":100,"lockAspectRatio":false,"lockShape":false,"order":6,"graphic":{"type":"Line","Line":{"strokeWidth":2,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":1,"endArrow":1,"startArrowRotation":"auto","endArrowRotation":"auto","ortho":true,"interpolationType":"linear","cornerRadius":10,"controlPath":[[3,-72.90620433565948],[-122,-72.90620433565948],[-122,-2],[-247,-2]],"lockSegments":{}}},"children":[{"x":0,"y":0,"rotation":0,"id":9,"uid":null,"width":66,"height":28,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"both","vposition":"none","hposition":"none","html":"HTTP REST\n
OAuth2
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":42,"px":1.1102230246251563e-16,"py":0.2928932188134525}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":2,"px":1,"py":0.5}}},"linkMap":[]},{"x":270,"y":280,"rotation":0,"id":2,"uid":"com.gliffy.shape.flowchart.flowchart_v1.default.multiple_documents","width":100,"height":100,"lockAspectRatio":false,"lockShape":false,"order":4,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.multiple_documents.flowchart_v1","strokeWidth":2,"strokeColor":"#333333","fillColor":"#FFFFFF","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[{"x":2,"y":0,"rotation":0,"id":4,"uid":null,"width":96,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"none","vposition":"none","hposition":"none","html":"Hydra Host
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]},{"x":810,"y":62.5,"rotation":0,"id":51,"uid":"com.gliffy.shape.basic.basic_v1.default.rectangle","width":70,"height":40,"lockAspectRatio":false,"lockShape":false,"order":51,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":2,"strokeColor":"#333333","fillColor":"#FFFFFF","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[{"x":2,"y":0,"rotation":0,"id":53,"uid":null,"width":66,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"none","vposition":"none","hposition":"none","html":"Clients
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]},{"x":665,"y":540,"rotation":0,"id":40,"uid":"com.gliffy.shape.network.network_v3.business.server","width":77,"height":120,"lockAspectRatio":true,"lockShape":false,"order":20,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.server_3d.network_v3","strokeWidth":2,"strokeColor":"#000000","fillColor":"#003366","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[],"linkMap":[]},{"x":665,"y":387.5,"rotation":0,"id":38,"uid":"com.gliffy.shape.network.network_v3.business.workstation_lcd","width":120,"height":120,"lockAspectRatio":true,"lockShape":false,"order":19,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.workstation_lcd_3d.network_v3","strokeWidth":2,"strokeColor":"#000000","fillColor":"#003366","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[],"linkMap":[]},{"x":665,"y":90,"rotation":0,"id":36,"uid":"com.gliffy.shape.network.network_v3.home.laptop","width":120,"height":120,"lockAspectRatio":true,"lockShape":false,"order":18,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.laptop_3d.network_v3","strokeWidth":2,"strokeColor":"#000000","fillColor":"#003366","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[],"linkMap":[]},{"x":665,"y":240,"rotation":0,"id":5,"uid":"com.gliffy.shape.ui.ui_v2.forms_components.window","width":120,"height":100,"lockAspectRatio":false,"lockShape":false,"order":2,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.window.ui_v2","strokeWidth":2,"strokeColor":"#000000","fillColor":"#FFFFFF","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[{"x":1.3333333333333333,"y":0,"rotation":0,"id":7,"uid":null,"width":117.33333333333336,"height":70,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"top","overflow":"none","vposition":"none","hposition":"none","html":"\n
\n
\n
\n
Hydra CLI
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]},{"x":620,"y":77.5,"rotation":0,"id":42,"uid":"com.gliffy.shape.basic.basic_v1.default.rectangle","width":210,"height":620,"lockAspectRatio":false,"lockShape":false,"order":1,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":2,"strokeColor":"#333333","fillColor":"#FFFFFF","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[],"linkMap":[]}],"background":"#FFFFFF","width":880,"height":698,"maxWidth":5000,"maxHeight":5000,"nodeIndex":57,"autoFit":true,"exportBorder":false,"gridOn":true,"snapToGrid":true,"drawingGuidesOn":true,"pageBreaksOn":false,"printGridOn":false,"printPaper":"LETTER","printShrinkToFit":false,"printPortrait":true,"shapeStyles":{"com.gliffy.shape.basic.basic_v1.default":{"fill":"#FFFFFF","stroke":"#333333","strokeWidth":2},"com.gliffy.shape.flowchart.flowchart_v1.default":{"fill":"#FFFFFF","stroke":"#333333","strokeWidth":2},"com.gliffy.shape.network.network_v3.home":{"fill":"#003366"},"com.gliffy.shape.network.network_v3.business":{"fill":"#003366"}},"lineStyles":{"global":{"startArrow":1,"endArrow":1}},"textStyles":{},"themeData":null}} \ No newline at end of file diff --git a/_legacy/guides/hydra/images/gliffy/hydra.gliffy b/_legacy/guides/hydra/images/gliffy/hydra.gliffy new file mode 100644 index 000000000..7b8f95a92 --- /dev/null +++ b/_legacy/guides/hydra/images/gliffy/hydra.gliffy @@ -0,0 +1 @@ +{"contentType":"application/gliffy+json","version":"1.1","metadata":{"title":"untitled","revision":0,"exportBorder":false},"embeddedResources":{"index":0,"resources":[]},"stage":{"objects":[{"x":651.5405032467534,"y":529,"rotation":0,"id":120,"uid":"com.gliffy.shape.basic.basic_v1.default.rectangle","width":239.4375,"height":70,"lockAspectRatio":false,"lockShape":false,"order":120,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":2,"strokeColor":"#333333","fillColor":"#FFFFFF","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[{"x":2,"y":0,"rotation":0,"id":122,"uid":null,"width":235.4375,"height":56,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"none","vposition":"none","hposition":"none","html":"You can use Hydra with any Identity Provider. You must implement the capability to issue consent tokens using JWT.
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]},{"x":907.45,"y":224,"rotation":0,"id":117,"uid":"com.gliffy.shape.basic.basic_v1.default.rectangle","width":110,"height":40,"lockAspectRatio":false,"lockShape":false,"order":117,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":2,"strokeColor":"#333333","fillColor":"#FFFFFF","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[{"x":2,"y":0,"rotation":0,"id":119,"uid":null,"width":106,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"none","vposition":"none","hposition":"none","html":"Identity Provider
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]},{"x":178.45000000000005,"y":273,"rotation":0,"id":112,"uid":"com.gliffy.shape.basic.basic_v1.default.line","width":100,"height":100,"lockAspectRatio":false,"lockShape":false,"order":112,"graphic":{"type":"Line","Line":{"strokeWidth":2,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":1,"startArrowRotation":"auto","endArrowRotation":"auto","ortho":true,"interpolationType":"linear","cornerRadius":10,"controlPath":[[2.137084989847608,2],[2.137084989847608,-90.5],[114,-90.5],[114,-163]],"lockSegments":{"1":true}}},"children":[{"x":0,"y":0,"rotation":0,"id":113,"uid":null,"width":157,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"both","vposition":"none","hposition":"none","html":"5. Receive Access / ID Token
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":93,"px":0.7071067811865476,"py":0}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":4,"px":0.5,"py":1}}},"linkMap":[]},{"x":418.01250000000005,"y":241.5,"rotation":0,"id":103,"uid":"com.gliffy.shape.basic.basic_v1.default.rectangle","width":500,"height":380,"lockAspectRatio":false,"lockShape":false,"order":0,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":2,"strokeColor":"#333333","fillColor":"#FFFFFF","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[],"linkMap":[]},{"x":760.45,"y":415,"rotation":0,"id":99,"uid":"com.gliffy.shape.basic.basic_v1.default.line","width":100,"height":100,"lockAspectRatio":false,"lockShape":false,"order":42,"graphic":{"type":"Line","Line":{"strokeWidth":2,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":1,"startArrowRotation":"auto","endArrowRotation":"auto","ortho":true,"interpolationType":"linear","cornerRadius":10,"controlPath":[[157.5625,-62.20057685088807],[197.5625,-62.20057685088807],[197.5625,270],[-613,270],[-613,230]],"lockSegments":{}}},"children":[{"x":0,"y":0,"rotation":0,"id":100,"uid":null,"width":177,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"both","vposition":"none","hposition":"none","html":"4. Return Signed Consent Token
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":103,"px":1,"py":0.29289321881345237}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":93,"px":0.5,"py":1}}},"linkMap":[]},{"x":0.537500000000037,"y":630,"rotation":0,"id":95,"uid":"com.gliffy.shape.basic.basic_v1.default.rectangle","width":133.82500000000002,"height":30,"lockAspectRatio":false,"lockShape":false,"order":40,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":2,"strokeColor":"#333333","fillColor":"#FFFFFF","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[{"x":2.6765000000000003,"y":0,"rotation":0,"id":97,"uid":null,"width":128.47200000000004,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"none","vposition":"none","hposition":"none","html":"Authorization Service
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]},{"x":67.45000000000005,"y":275,"rotation":0,"id":93,"uid":"com.gliffy.shape.basic.basic_v1.default.rectangle","width":160,"height":370,"lockAspectRatio":false,"lockShape":false,"order":1,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":2,"strokeColor":"#333333","fillColor":"#FFFFFF","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[],"linkMap":[]},{"x":221.45000000000005,"y":257,"rotation":0,"id":36,"uid":"com.gliffy.shape.basic.basic_v1.default.line","width":100,"height":100,"lockAspectRatio":false,"lockShape":false,"order":16,"graphic":{"type":"Line","Line":{"strokeWidth":2,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":1,"startArrowRotation":"auto","endArrowRotation":"auto","ortho":true,"interpolationType":"linear","cornerRadius":10,"controlPath":[[6,126.37049096097735],[101.28125,126.37049096097735],[101.28125,95.79942314911193],[196.56250000000006,95.79942314911193]],"lockSegments":{}}},"children":[{"x":0,"y":0,"rotation":0,"id":57,"uid":null,"width":140,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"both","vposition":"none","hposition":"none","html":"2. Issue Consent Request
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":93,"px":1,"py":0.29289321881345237}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":103,"px":1.1102230246251563e-16,"py":0.2928932188134525}}},"linkMap":[]},{"x":242.45000000000005,"y":76,"rotation":0,"id":34,"uid":"com.gliffy.shape.basic.basic_v1.default.line","width":100,"height":100,"lockAspectRatio":false,"lockShape":false,"order":12,"graphic":{"type":"Line","Line":{"strokeWidth":2,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":1,"startArrowRotation":"auto","endArrowRotation":"auto","ortho":true,"interpolationType":"linear","cornerRadius":10,"controlPath":[[5,-11],[-128.1370849898476,-11],[-128.1370849898476,199]],"lockSegments":{}}},"children":[{"x":0,"y":0,"rotation":0,"id":55,"uid":null,"width":137,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"both","vposition":"none","hposition":"none","html":"1. Request Access Token
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":4,"px":0,"py":0.5}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":93,"px":0.2928932188134524,"py":0}}},"linkMap":[]},{"x":148.2,"y":513,"rotation":0,"id":38,"uid":"com.gliffy.shape.basic.basic_v1.default.line","width":100,"height":100,"lockAspectRatio":false,"lockShape":false,"order":18,"graphic":{"type":"Line","Line":{"strokeWidth":2,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","ortho":true,"interpolationType":"linear","cornerRadius":10,"controlPath":[[-4.374999999999943,-21.44108899330365],[-4.374999999999943,-58.62739266220245],[-4.374999999999972,-95.8136963311012],[-4.374999999999972,-133]],"lockSegments":{}}},"children":[],"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":26,"px":0.5,"py":0}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":23,"px":0.5,"py":1}}},"linkMap":[]},{"x":87.4500000000001,"y":491.5,"rotation":0,"id":26,"uid":"com.gliffy.shape.flowchart.flowchart_v1.default.database","width":120,"height":130,"lockAspectRatio":false,"lockShape":false,"order":8,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.database.flowchart_v1","strokeWidth":2,"strokeColor":"#333333","fillColor":"#FFFFFF","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[{"x":2.4,"y":0,"rotation":0,"id":39,"uid":null,"width":115.19999999999999,"height":112,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"none","vposition":"none","hposition":"none","html":"\n
\n
Hydra Database (Rethink DB)\n
\n
Client Credentials, Access Tokens, Policies, ...
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]},{"x":77.44999999999999,"y":290,"rotation":0,"id":23,"uid":"com.gliffy.shape.flowchart.flowchart_v1.default.multiple_documents","width":132.75000000000006,"height":90,"lockAspectRatio":false,"lockShape":false,"order":6,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.multiple_documents.flowchart_v1","strokeWidth":2,"strokeColor":"#333333","fillColor":"#FFFFFF","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[{"x":2.655,"y":0,"rotation":0,"id":66,"uid":null,"width":127.44000000000005,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"none","vposition":"none","hposition":"none","html":"Hydra Host
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]},{"x":385.08149350649353,"y":-52,"rotation":0,"id":58,"uid":"com.gliffy.shape.basic.basic_v1.default.line","width":100,"height":100,"lockAspectRatio":false,"lockShape":false,"order":25,"graphic":{"type":"Line","Line":{"strokeWidth":2,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":1,"startArrowRotation":"auto","endArrowRotation":"auto","ortho":true,"interpolationType":"linear","cornerRadius":10,"controlPath":[[-47.631493506493484,117],[282.9310064935065,117],[282.9310064935065,293.5]],"lockSegments":{}}},"children":[{"x":0,"y":0,"rotation":0,"id":114,"uid":null,"width":117,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"both","vposition":"none","hposition":"none","html":"3. Login and Consent
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":4,"px":1,"py":0.5}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":103,"px":0.5,"py":0}}},"linkMap":[]},{"x":247.45000000000005,"y":20,"rotation":0,"id":4,"uid":"com.gliffy.shape.network.network_v3.home.laptop","width":90,"height":90,"lockAspectRatio":true,"lockShape":false,"order":4,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.laptop_3d.network_v3","strokeWidth":2,"strokeColor":"#000000","fillColor":"#003366","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[],"linkMap":[]},{"x":559.6967532467534,"y":425,"rotation":0,"id":81,"uid":"com.gliffy.shape.basic.basic_v1.default.line","width":100,"height":100,"lockAspectRatio":false,"lockShape":false,"order":38,"graphic":{"type":"Line","Line":{"strokeWidth":2,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":0,"startArrowRotation":"auto","endArrowRotation":"auto","ortho":true,"interpolationType":"linear","cornerRadius":10,"controlPath":[[-4.368506493506516,-1],[-4.368506493506516,32.333333333333314],[-4.368506493506516,65.66666666666669],[-4.368506493506516,99]],"lockSegments":{}}},"children":[{"x":0,"y":0,"rotation":0,"id":83,"uid":null,"width":96,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"both","vposition":"none","hposition":"none","html":"Verify Credentials
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":29,"px":0.5,"py":1}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":78,"px":0.5,"py":0}}},"linkMap":[]},{"x":505.32824675324673,"y":524,"rotation":0,"id":78,"uid":"com.gliffy.shape.flowchart.flowchart_v1.default.database","width":100,"height":75,"lockAspectRatio":false,"lockShape":false,"order":36,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.database.flowchart_v1","strokeWidth":2,"strokeColor":"#333333","fillColor":"#FFFFFF","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[{"x":2,"y":0,"rotation":0,"id":80,"uid":null,"width":96,"height":28,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"none","vposition":"none","hposition":"none","html":"LDAP, MySQL, Google, ...
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]},{"x":654.6967532467534,"y":346,"rotation":0,"id":76,"uid":"com.gliffy.shape.basic.basic_v1.default.line","width":100,"height":100,"lockAspectRatio":false,"lockShape":false,"order":35,"graphic":{"type":"Line","Line":{"strokeWidth":2,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endArrow":1,"startArrowRotation":"auto","endArrowRotation":"auto","ortho":true,"interpolationType":"linear","cornerRadius":10,"controlPath":[[0.6314935064934843,-2],[9.087662337662323,-2],[17.54383116883116,-2],[26,-2]],"lockSegments":{}}},"children":null,"constraints":{"constraints":[],"startConstraint":{"type":"StartPositionConstraint","StartPositionConstraint":{"nodeId":29,"px":1,"py":0.5}},"endConstraint":{"type":"EndPositionConstraint","EndPositionConstraint":{"nodeId":67,"px":0,"py":0.5}}},"linkMap":[]},{"x":691.2592532467534,"y":304,"rotation":0,"id":72,"uid":"com.gliffy.shape.ui.ui_v2.forms_components.text_area","width":178.875,"height":50,"lockAspectRatio":false,"lockShape":false,"order":33,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":2,"strokeColor":"#8D8D8D","fillColor":"#FFFFFF","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[{"x":2.9812500000000006,"y":0,"rotation":0,"id":74,"uid":null,"width":172.91249999999994,"height":42,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"top","overflow":"none","vposition":"none","hposition":"none","html":"Do you want to grant app foo access to your pictures and email?
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]},{"x":790.1342532467534,"y":374,"rotation":0,"id":70,"uid":"com.gliffy.shape.ui.ui_v2.forms_components.button","width":80,"height":20,"lockAspectRatio":false,"lockShape":false,"order":31,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":2,"strokeColor":"#8D8D8D","fillColor":"#DADADA","gradient":true,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[{"x":2,"y":0,"rotation":0,"id":71,"uid":null,"width":76,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"none","vposition":"none","hposition":"none","html":"Deny\n
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]},{"x":691.2592532467534,"y":374,"rotation":0,"id":68,"uid":"com.gliffy.shape.ui.ui_v2.forms_components.button","width":80,"height":20,"lockAspectRatio":false,"lockShape":false,"order":29,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":2,"strokeColor":"#8D8D8D","fillColor":"#DADADA","gradient":true,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[{"x":2,"y":0,"rotation":0,"id":69,"uid":null,"width":76,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"none","vposition":"none","hposition":"none","html":"
Allow
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]},{"x":680.6967532467534,"y":264,"rotation":0,"id":67,"uid":"com.gliffy.shape.ui.ui_v2.forms_components.window","width":200,"height":160,"lockAspectRatio":false,"lockShape":false,"order":28,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.window.ui_v2","strokeWidth":2,"strokeColor":"#000000","fillColor":"#FFFFFF","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[],"linkMap":[]},{"x":495.32824675324684,"y":344,"rotation":0,"id":44,"uid":"com.gliffy.shape.ui.ui_v2.forms_components.textbox","width":120,"height":20,"lockAspectRatio":false,"lockShape":false,"order":23,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":2,"strokeColor":"#8D8D8D","fillColor":"#FFFFFF","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[{"x":2,"y":0,"rotation":0,"id":47,"uid":null,"width":116,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"none","vposition":"none","hposition":"none","html":"Password
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]},{"x":495.32824675324684,"y":319,"rotation":0,"id":42,"uid":"com.gliffy.shape.ui.ui_v2.forms_components.textbox","width":120,"height":20,"lockAspectRatio":false,"lockShape":false,"order":21,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.rectangle.basic_v1","strokeWidth":2,"strokeColor":"#8D8D8D","fillColor":"#FFFFFF","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[{"x":2,"y":0,"rotation":0,"id":46,"uid":null,"width":116,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"none","vposition":"none","hposition":"none","html":"User
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]},{"x":535.3282467532468,"y":374,"rotation":0,"id":40,"uid":"com.gliffy.shape.ui.ui_v2.forms_components.button","width":80,"height":20,"lockAspectRatio":false,"lockShape":false,"order":19,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.round_rectangle.basic_v1","strokeWidth":2,"strokeColor":"#8D8D8D","fillColor":"#DADADA","gradient":true,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[{"x":2,"y":0,"rotation":0,"id":41,"uid":null,"width":76,"height":14,"lockAspectRatio":false,"lockShape":false,"order":"auto","graphic":{"type":"Text","Text":{"tid":null,"valign":"middle","overflow":"none","vposition":"none","hposition":"none","html":"Log in
","paddingLeft":2,"paddingRight":2,"paddingBottom":2,"paddingTop":2}},"children":null}],"linkMap":[]},{"x":455.32824675324684,"y":264,"rotation":0,"id":29,"uid":"com.gliffy.shape.ui.ui_v2.forms_components.window","width":200,"height":160,"lockAspectRatio":false,"lockShape":false,"order":2,"graphic":{"type":"Shape","Shape":{"tid":"com.gliffy.stencil.window.ui_v2","strokeWidth":2,"strokeColor":"#000000","fillColor":"#FFFFFF","gradient":false,"dropShadow":false,"state":0,"shadowX":0,"shadowY":0,"opacity":1}},"children":[],"linkMap":[]}],"background":"#FFFFFF","width":1018,"height":692,"maxWidth":5000,"maxHeight":5000,"nodeIndex":124,"autoFit":true,"exportBorder":false,"gridOn":true,"snapToGrid":true,"drawingGuidesOn":true,"pageBreaksOn":false,"printGridOn":false,"printPaper":"LETTER","printShrinkToFit":false,"printPortrait":true,"shapeStyles":{"com.gliffy.shape.network.network_v3.home":{"fill":"#003366"},"com.gliffy.shape.basic.basic_v1.default":{"fill":"#FFFFFF","stroke":"#333333","strokeWidth":2},"com.gliffy.shape.network.network_v3.business":{"fill":"#003366"},"com.gliffy.shape.flowchart.flowchart_v1.default":{"fill":"#FFFFFF","stroke":"#333333","strokeWidth":2}},"lineStyles":{"global":{"endArrow":1,"startArrow":0}},"textStyles":{},"themeData":null}} \ No newline at end of file diff --git a/_legacy/guides/hydra/images/google.png b/_legacy/guides/hydra/images/google.png new file mode 100644 index 000000000..9ccc6e6fd Binary files /dev/null and b/_legacy/guides/hydra/images/google.png differ diff --git a/_legacy/guides/hydra/images/google2.png b/_legacy/guides/hydra/images/google2.png new file mode 100644 index 000000000..0e908b669 Binary files /dev/null and b/_legacy/guides/hydra/images/google2.png differ diff --git a/_legacy/guides/hydra/images/hydra-arch-warden.png b/_legacy/guides/hydra/images/hydra-arch-warden.png new file mode 100644 index 000000000..890dfb7e1 Binary files /dev/null and b/_legacy/guides/hydra/images/hydra-arch-warden.png differ diff --git a/_legacy/guides/hydra/images/hydra-authentication.gif b/_legacy/guides/hydra/images/hydra-authentication.gif new file mode 100644 index 000000000..b6f789dee Binary files /dev/null and b/_legacy/guides/hydra/images/hydra-authentication.gif differ diff --git a/_legacy/guides/hydra/images/insecure-connection.png b/_legacy/guides/hydra/images/insecure-connection.png new file mode 100644 index 000000000..ee84371d3 Binary files /dev/null and b/_legacy/guides/hydra/images/insecure-connection.png differ diff --git a/_legacy/guides/hydra/images/install-result.png b/_legacy/guides/hydra/images/install-result.png new file mode 100644 index 000000000..29086d44e Binary files /dev/null and b/_legacy/guides/hydra/images/install-result.png differ diff --git a/_legacy/guides/hydra/images/login-consent-flow.png b/_legacy/guides/hydra/images/login-consent-flow.png new file mode 100644 index 000000000..8008538bf Binary files /dev/null and b/_legacy/guides/hydra/images/login-consent-flow.png differ diff --git a/_legacy/guides/hydra/images/login-success-a.gif b/_legacy/guides/hydra/images/login-success-a.gif new file mode 100644 index 000000000..7e5c32986 Binary files /dev/null and b/_legacy/guides/hydra/images/login-success-a.gif differ diff --git a/_legacy/guides/hydra/images/logo-essential.png b/_legacy/guides/hydra/images/logo-essential.png new file mode 100644 index 000000000..af6bfb93e Binary files /dev/null and b/_legacy/guides/hydra/images/logo-essential.png differ diff --git a/_legacy/guides/hydra/images/logo.png b/_legacy/guides/hydra/images/logo.png new file mode 100644 index 000000000..916d9d76f Binary files /dev/null and b/_legacy/guides/hydra/images/logo.png differ diff --git a/_legacy/guides/hydra/images/oauth2-flow.gif b/_legacy/guides/hydra/images/oauth2-flow.gif new file mode 100644 index 000000000..7054ddea9 Binary files /dev/null and b/_legacy/guides/hydra/images/oauth2-flow.gif differ diff --git a/_legacy/guides/hydra/images/run-the-example.gif b/_legacy/guides/hydra/images/run-the-example.gif new file mode 100644 index 000000000..85f02c490 Binary files /dev/null and b/_legacy/guides/hydra/images/run-the-example.gif differ diff --git a/_legacy/guides/hydra/images/sample_trace.png b/_legacy/guides/hydra/images/sample_trace.png new file mode 100644 index 000000000..51987091d Binary files /dev/null and b/_legacy/guides/hydra/images/sample_trace.png differ diff --git a/_legacy/guides/hydra/images/social-login-example.jpg b/_legacy/guides/hydra/images/social-login-example.jpg new file mode 100644 index 000000000..e3f737d5e Binary files /dev/null and b/_legacy/guides/hydra/images/social-login-example.jpg differ diff --git a/_legacy/guides/hydra/images/social-login-example.png b/_legacy/guides/hydra/images/social-login-example.png new file mode 100644 index 000000000..10f1ea262 Binary files /dev/null and b/_legacy/guides/hydra/images/social-login-example.png differ diff --git a/_legacy/guides/hydra/images/social-login.png b/_legacy/guides/hydra/images/social-login.png new file mode 100644 index 000000000..f4f4016da Binary files /dev/null and b/_legacy/guides/hydra/images/social-login.png differ diff --git a/_legacy/guides/hydra/images/sponsors/auth0.png b/_legacy/guides/hydra/images/sponsors/auth0.png new file mode 100644 index 000000000..8b49dc1fd Binary files /dev/null and b/_legacy/guides/hydra/images/sponsors/auth0.png differ diff --git a/_legacy/guides/hydra/metrics/telemetry-example.json b/_legacy/guides/hydra/metrics/telemetry-example.json new file mode 100644 index 000000000..b13791fe7 --- /dev/null +++ b/_legacy/guides/hydra/metrics/telemetry-example.json @@ -0,0 +1,58 @@ +[ + { + "context": { + "ip": "0.0.0.0", + "library": { + "name": "analytics-go", + "version": "3.0.0" + } + }, + "messageId": "21999137-d1d2-4102-9a94-57beed5e5fca", + "timestamp": "2018-01-18T18:41:37.028Z", + "traits": { + "buildTime": "2018-01-18 18:41:35.6222348 +0000 UTC", + "goarch": "amd64", + "goos": "windows", + "hash": "undefined", + "instanceId": "c2bdd39c-3b0a-4f3d-b394-8e51f23833c4", + "numCpu": 8, + "runtimeVersion": "go1.9", + "version": "dev-master" + }, + "type": "identify", + "userId": "22b137b6aae9bc40feb7ff14a08a1b9ecbc6305f77956214404c5b744c3b3fe2", + "writeKey": "yF6PTASTliRjCtRbUnwgsvjrvneqACDM", + "sentAt": "2018-01-18T18:41:42.546Z", + "integrations": {}, + "receivedAt": "2018-01-18T18:41:41.972Z", + "originalTimestamp": "2018-01-18T19:41:37.6027834+01:00" + }, + { + "context": { + "ip": "0.0.0.0", + "library": { + "name": "analytics-go", + "version": "3.0.0" + } + }, + "messageId": "258f0127-498a-4d71-8c55-ce678a5d92b8", + "name": "/clients", + "properties": { + "latency": 0, + "method": "GET", + "name": "/clients", + "path": "/clients", + "size": 154, + "status": 401, + "url": "http://22b137b6aae9bc40feb7ff14a08a1b9ecbc6305f77956214404c5b744c3b3fe2/clients" + }, + "timestamp": "2018-01-18T18:41:49.537Z", + "type": "page", + "userId": "22b137b6aae9bc40feb7ff14a08a1b9ecbc6305f77956214404c5b744c3b3fe2", + "writeKey": "yF6PTASTliRjCtRbUnwgsvjrvneqACDM", + "sentAt": "2018-01-18T18:41:52.547Z", + "integrations": {}, + "receivedAt": "2018-01-18T18:41:51.380Z", + "originalTimestamp": "2018-01-18T19:41:50.7046198+01:00" + } +] \ No newline at end of file diff --git a/_legacy/guides/images/basic-oauth2-system.png b/_legacy/guides/images/basic-oauth2-system.png new file mode 100644 index 000000000..d72042e73 Binary files /dev/null and b/_legacy/guides/images/basic-oauth2-system.png differ diff --git a/_legacy/guides/images/ory-ecosystem.png b/_legacy/guides/images/ory-ecosystem.png new file mode 100644 index 000000000..e38c16be0 Binary files /dev/null and b/_legacy/guides/images/ory-ecosystem.png differ diff --git a/_legacy/guides/images/ory-ecosystem.xml b/_legacy/guides/images/ory-ecosystem.xml new file mode 100644 index 000000000..46992e95c --- /dev/null +++ b/_legacy/guides/images/ory-ecosystem.xml @@ -0,0 +1 @@ +
+
+Next, clone (`git clone https://github.com/ory/hydra.git`), [download](https://github.com/ory-am/hydra/archive/master.zip),
+or use `go get -d github.com/ory/hydra` - if you have Go (1.10+) installed on you system - to download the Docker Compose
+set up.
+
+```
+$ git clone https://github.com/ory/hydra.git
+$ cd hydra
+$ git checkout tags/v1.0.0-beta.8
+
+$ docker-compose -p hydra up --build
+Starting hydra_mysqld_1
+Starting hydra_postgresd_1
+Starting hydra_hydra_1
+
+[...]
+```
+
+
+Everything should running now! Let's confirm that everything is working by creating our first OAuth 2.0 Client.
+The following commands will use Docker wizardry. You can obviously install the ORY Hydra CLI locally and avoid using
+Docker here. If you do use the CLI locally, you can omit `docker exec -it hydra_hydra_1 \` completely.
+
+You will notice that two ports are being used. Port `4444` and port `4445`. The former is for request to ORY Hydra's public
+endpoints. The latter to its administrative endpoints. For more information on this, head over to
+[Exposing Administrative and Public API Endpoints](production.md). If you want to run ORY Hydra admin and
+public services in two separate containers, run
+
+```
+$ docker-compose -p hydra -f docker-compose-twoc.yml up --build
+```
+
+Please be aware that you will not be able to run the hydra CLI from within docker if you
+use the docker-compose-twoc.yml file. Instead, you must install the CLI locally and
+omit `docker exec -it hydra_hydra_1 \` from your commands.
+
+Ok, let's continue by creating a new OAuth 2.0 Client.
+
+```
+# Creates a new OAuth 2.0 client
+$ docker exec -it hydra_hydra_1 \
+ hydra clients create \
+ --endpoint http://localhost:4445 \
+ --id my-client \
+ --secret secret \
+ -g client_credentials
+
+OAuth2 client id: hydra-my-client
+OAuth2 client secret: secret
+
+# Let's perform the client credentials grant.
+$ docker exec -it hydra_hydra_1 \
+ hydra token client \
+ --endpoint http://localhost:4444 \
+ --client-id my-client \
+ --client-secret secret
+
+UDYMha9TwsMBejEvKfnDOXkhgkLsnmUNYVQDklT5bD8.ZNpuNRC85erbIYDjPqhMwTinlvQmNTk_UvttcLQxFJY
+
+# Let's perform token introspection on that token. Make sure to copy the token you just got and not the dummy value.
+$ docker exec -it hydra_hydra_1 \
+ hydra token introspect \
+ --endpoint http://localhost:4445 \
+ --client-id my-client \
+ --client-secret secret \
+ UDYMha9TwsMBejEvKfnDOXkhgkLsnmUNYVQDklT5bD8.ZNpuNRC85erbIYDjPqhMwTinlvQmNTk_UvttcLQxFJY
+
+{
+ "active": true,
+ "client_id": "my-client",
+ "exp": 1527078658,
+ "iat": 1527075058,
+ "iss": "http://localhost:4444",
+ "sub": "my-client",
+ "token_type": "access_token"
+}
+```
+
+Next, we will perform the OAuth 2.0 Authorization Code Grant. For that, we must first create a client that is capable
+of performing that grant:
+
+```
+$ docker exec -it hydra_hydra_1 \
+ hydra clients create \
+ --endpoint http://localhost:4445 \
+ --id auth-code-client \
+ --secret secret \
+ --grant-types authorization_code,refresh_token \
+ --response-types code,id_token \
+ --scope openid,offline \
+ --callbacks http://127.0.0.1:5555/callback
+```
+
+Note that you need to add `--token-endpoint-auth-method none` if your clients are public (such as SPA apps and native apps) because the public clients could not provide client secret.
+
+
+The next command starts a server that serves an example web application. The application will perform the OAuth 2.0
+Authorization Code Flow using ORY Hydra. The web server runs on [http://127.0.0.1:5555](http://127.0.0.1:5555).
+
+```
+$ docker exec -it hydra_hydra_1 \
+ hydra token user \
+ --client-id auth-code-client \
+ --client-secret secret \
+ --endpoint http://localhost:4444/ \
+ --port 5555 \
+ --scope openid,offline
+
+Setting up home route on http://127.0.0.1:4445/
+Setting up callback listener on http://127.0.0.1:4445/callback
+Press ctrl + c on Linux / Windows or cmd + c on OSX to end the process.
+If your browser does not open automatically, navigate to:
+
+ http://127.0.0.1:5555/
+```
+
+Open the URL [http://127.0.0.1:5555/](http://127.0.0.1:5555/), log in, and authorize the application. Next, you should
+see at least an access token in the response. If you granted the `offline` scope, you will also see a refresh token.
+If you granted the `openid` scope, you will get an ID Token as well.
+
+Great! You installed hydra, connected the CLI, created a client and completed two authentication flows!
+Before you continue, clean up this set up in order to avoid conflicts with other tutorials form this guide:
+
+```
+$ docker-compose kill
+$ docker-compose rm -f
+```
diff --git a/docs/hydra/advanced.md b/docs/hydra/advanced.md
new file mode 100644
index 000000000..47d90e180
--- /dev/null
+++ b/docs/hydra/advanced.md
@@ -0,0 +1,282 @@
+---
+id: hydra-advanced
+title: Advanced Topics
+---
+
+This guide aims to help setting up a production system with ORY Hydra.
+
+
+
+## Mobile & Browser (SPA) Authorization
+
+We have an [excellent blog post](https://www.ory.sh/oauth2-for-mobile-app-spa-browser) on this topic. Read it now!
+
+### Creating a public OAuth 2.0 Client
+
+You can create a public OAuth 2.0 Client (e.g. for the authorize code + PKCE or implicit flow) with the CLI
+
+```
+hydra clients create --endpoint http://ory-hydra-admin-api --token-endpoint-auth-method none
+```
+
+or by setting in the HTTP API JSON body when POSTing to `/clients`:
+
+```
+{
+ "client_id": "...",
+ "token_endpoint_auth_method": "none"
+}
+```
+
+Be aware that when making requests to `/oauth2/token` with a public OAuth 2.0 Client, you can not authenticate with the
+HTTP Basic Authorization but must include the `client_id` in the POST body.
+
+## Key rotation
+
+Key rotation is simple with ORY Hydra. You can rotate OpenID Connect ID Token and OAuth 2.0 Access Tokens (JSON Web Token)
+keys with one simple command.
+
+ORY Hydra takes the latest key from the key store to sign JSON Web Tokens. All public keys will be shown at
+`http://ory-hydra-public-api/.well-known/jwks.json`.
+
+### OpenID Connect ID Token
+
+```
+hydra keys create --endpoint=http://ory-hydra-admin-api/ hydra.openid.id-token -a RS256
+```
+
+### OAuth 2.0 Access Tokens (JSON Web Token)
+
+```
+hydra keys create --endpoint=http://ory-hydra-admin-api/ hydra.jwt.access-token -a RS256
+```
+
+## OAuth 2.0
+
+### Audience
+
+There are two types of audience concept in the context of OAuth 2.0 and OpenID Connect:
+
+1. OAuth 2.0: Access and Refresh Tokens are "internal-facing". The `aud` claim of an OAuth 2.0 Access and Refresh token
+defines at which *endpoints* the token can be used.
+2. OpenID Connect: The ID Token is "external-facing". The `aud` claim of an OpenID Connect ID Token defines which
+*clients* should accept it.
+
+While modifying the audience of an ID Token is not desirable, specifying the audience of an OAuth 2.0 Access Token is.
+This is not defined as an IETF Standard but is considered good practice in certain environments.
+
+For this reason, Hydra allows you to control the aud claim of the access token. To do so, you must specify the intended
+audiences in the OAuth 2.0 Client's metadata on a per-client basis:
+
+
+```
+{
+ "client_id": "...",
+ "audience": ["https://api.my-cloud.com/user", "https://some-tenant.my-cloud.com/"]
+}
+```
+
+The audience is a list of case-sensitive URLs. **URLs must not contain whitespaces**.
+
+#### OAuth 2.0 Authorization Code, Implicit, Hybrid Flows
+
+When performing an OAuth 2.0 authorize code, implicit, or hybrid flow, you can request audiences at the `/oauth2/auth`
+endpoint `https://my-hydra.com/oauth2/auth?client_id=...&scope=...&audience=https%3A%2F%2Fapi.my-cloud.com%2Fuser+https%3A%2F%2Fsome-tenant.my-cloud.com%2F`
+which requests audiences `https://api.my-cloud.com/user` and `https://some-tenant.my-cloud.com/`.
+
+The `audience` query parameter may contain multiple strings separated by a url-encoded space (`+` or `%20`). The
+audience values themselves must also be url encoded. The values will be validated against the whitelisted
+audiences defined in the OAuth 2.0 Client:
+
+* An OAuth 2.0 Client with the allowed audience `https://api.my-cloud/user` is allowed to request audience values `https://api.my-cloud/user`
+`https://api.my-cloud/user/1234` but not `https://api.my-cloud/not-user` nor `https://something-else/`.
+
+The requested audience from the query parameter is then part of the login and consent request payload as field `requested_access_token_audience`.
+You can then alter the audience using `grant_audience.access_token` when accepting the consent request:
+
+```
+hydra.acceptConsentRequest(challenge, {
+ // ORY Hydra checks if requested audiences are allowed by the client, so we can simply echo this.
+ grant_audience: {
+ access_token: response.requested_access_token_audience,
+ // or, for example:
+ // access_token: ["https://api.my-cloud/not-user"]
+ },
+
+ // ... remember: false
+ // ...
+})
+```
+
+When introspecting the OAuth 2.0 Access Token, the response payload will include the audience:
+
+```
+{
+ "active": true,
+ // ...
+ "audience": ["https://api.my-cloud/user", "https://api.my-cloud/user/1234"]
+}
+```
+
+#### OAuth 2.0 Client Credentials Grant
+
+When performing the client credentials grant, the audience parameter from the POST body of the `/oauth2/token` is
+decoded and validated according to the same rules of the previous section, except for the login and consent part which
+does not exist for this flow.
+
+### JSON Web Tokens
+
+ORY Hydra supports issuing OAuth 2.0 Access Tokens as JSON Web Tokens. Using JSON Web Tokens as Access Tokens is **a bad idea and nobody
+serious, including Google, uses them in this place**. JSON Web Tokens are obviously not bad per se, but in the context
+of OAuth 2.0 Access Tokens they are an inferior tool for the job. Here are all the reasons why we *discourage you from
+using this feature:*
+
+1. OAuth 2.0 Access Tokens are "internal". They (often) contain internal/private session data such as a user's email
+or contact address, subscription status, and other potentially sensitive information. The user (often) did not
+consent to giving out this data and the OpenID Connect ID Token, which explicitly governs access to this data, should
+be the only place where OAuth 2.0 Clients get access to this information.
+2. OAuth 2.0 Access Tokens may contain information on the permission or access control system. This information
+should be treated as confidential information. Exposing it gives attackers one more source of knowledge about your system.
+3. Using this feature disables other features, like the pairwise Subject Identifier Algorithm.
+4. This feature is new and has not been battle-tested.
+
+If you are looking for stateless authorization at your APIs, that is a valid use case. Our recommendation however is
+to rely on opaque OAuth 2.0 Access Tokens and convert them to JSON Web Tokens at your API Gateway, for example by
+using [ORY Oathkeeper](https://github.com/ory/oathkeeper).
+
+If you still want to use this strategy despite all these warnings,
+you can do so by setting environment variable `OAUTH2_ACCESS_TOKEN_STRATEGY=jwt`.
+
+Be aware that only access tokens are formatted as JSON Web Tokens. Refresh tokens are not impacted by this strategy.
+By performing OAuth 2.0 Token Introspection you can check if the token is still valid. If a token is revoked or otherwise
+blacklisted, the OAuth 2.0 Token Introspection will return `{ "active": false }`. This is useful when you do not want
+to rely only on the token's expiry.
+
+#### JSON Web Token Validation
+
+You can validate JSON Web Tokens issued by ORY Hydra by pointing your `jwt` library (e.g. [node-jwks-rsa](https://github.com/auth0/node-jwks-rsa))
+to `http://ory-hydra-public-api/.well-known/jwks.json`. All necessary keys are available there.
+
+### OAuth 2.0 Client Authentication with RSA private/public keypairs
+
+ORY Hydra supports OAuth 2.0 Client Authentication with RSA private/public keypairs. This authentication method
+replaces the classic HTTP Basic Authorization and HTTP POST Authorization schemes. Instead of sending the `client_id`
+and `client_secret`, you authenticate the client with a signed JSON Web Token.
+
+To enable this feature for a specific OAuth 2.0 Client, you must set `token_endpoint_auth_method` to `private_key_jwt`
+and register the public key of the RSA signing key either using the `jwks_uri` or `jwks` fields of the client.
+
+When authenticating the client at the token endpoint, you generate and sign (with the RSA private key) a JSON Web Token
+with the following claims:
+
+* `iss`: REQUIRED. Issuer. This MUST contain the client_id of the OAuth Client.
+* `sub`: REQUIRED. Subject. This MUST contain the client_id of the OAuth Client.
+* `aud`: REQUIRED. Audience. The aud (audience) Claim. Value that identifies the Authorization Server (ORY Hydra) as an
+intended audience. The Authorization Server MUST verify that it is an intended audience for the token.
+The Audience SHOULD be the URL of the Authorization Server's Token Endpoint.
+* `jti`: REQUIRED. JWT ID. A unique identifier for the token, which can be used to prevent reuse of the token.
+These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties; any such
+negotiation is beyond the scope of this specification.
+* `exp`: REQUIRED. Expiration time on or after which the ID Token MUST NOT be accepted for processing.
+* `iat`: OPTIONAL. Time at which the JWT was issued.
+
+When making a request to the `/oauth2/token` endpoint, you include `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer`
+and `client_assertion=++ ++ Software releases and versions follow the {} + + ORY Versioning Framework + . Please read it now if you have not already, it will save you a lot of time. +
+
Latest version.
+| {latestVersion} | ++ + Documentation + + | +
|---|
| master | ++ + Documentation + + | +
|---|
+ Here you can find documentation for previous versions. +
+| {version} | ++ + Documentation + + | +
|---|
+ You can find past versions of this project on{' '} + GitHub. +
+