Basically all of them can run in a container, it's just hosting a few endpoints and generating tokens. The complexity is in the protocols and not the app. Some of them offer a user database as well and might require a SQL DB connection.
The difference is probably between "can be made to run in a container" (which is true for almost every app) and "designed from day 1 to be containerized" - which is obviously not true for solutions like Keycloak.
That being said, I'm not quite sure to which feature OP was referring in particular. Perhaps to the modular approach taken by Hydra when compared to Keycloak. Hydra has a much smaller scope than Keycloak, so it would be really hard to compare them. Keycloak does identity management, consent, access control and a lot of UI.
Hydra is not even a self-contained identity provider - it's basically just the shell of an OpenID Connect provider that provides tokens, sessions and security (hopefully avoiding implementing OIDC correctly yourself, which could be very tricky as the spec is downright massive). You have to provide in turn separate services which take care of login and consent.
I don't think Hydra is the only Open ID Connect implementation which follows this model of breaking down the IdP. Dex is another shell IdP that does that, and also built from the grounds up to be containerized (being started by CoreOS and all). The main difference is that is that Dex provides a more easy to use set of built-in connectors to popular identity management systems (and other identity provider protocols, such as SAML or even another OIDC provider). It's not as extensible and flexible as the Hydra model, but probably easier to use if you just want to quickly provide OIDC on top of an existing LDAP.
Thanks for this list! I wonder why Identity Servier is tied into .NET - an OAuth 2.0 / OIDC provider just provides OAuth services. Couldn't this be used by any service provider or client?
manigandham|6 years ago
https://fusionauth.io/
https://www.keycloak.org/
https://www.gluu.org/
Basically all of them can run in a container, it's just hosting a few endpoints and generating tokens. The complexity is in the protocols and not the app. Some of them offer a user database as well and might require a SQL DB connection.
unscaled|6 years ago
That being said, I'm not quite sure to which feature OP was referring in particular. Perhaps to the modular approach taken by Hydra when compared to Keycloak. Hydra has a much smaller scope than Keycloak, so it would be really hard to compare them. Keycloak does identity management, consent, access control and a lot of UI.
Hydra is not even a self-contained identity provider - it's basically just the shell of an OpenID Connect provider that provides tokens, sessions and security (hopefully avoiding implementing OIDC correctly yourself, which could be very tricky as the spec is downright massive). You have to provide in turn separate services which take care of login and consent.
I don't think Hydra is the only Open ID Connect implementation which follows this model of breaking down the IdP. Dex is another shell IdP that does that, and also built from the grounds up to be containerized (being started by CoreOS and all). The main difference is that is that Dex provides a more easy to use set of built-in connectors to popular identity management systems (and other identity provider protocols, such as SAML or even another OIDC provider). It's not as extensible and flexible as the Hydra model, but probably easier to use if you just want to quickly provide OIDC on top of an existing LDAP.
hans0l074|6 years ago
robotdan|6 years ago
Full disclosure I work for FusionAuth. We support all of these configurations.
longsleep|6 years ago
mikece|6 years ago