Ory Hydra
OAuth 2.0 and OpenID Connect provider.
Overview
Ory Hydra is a hardened, cloud-native OAuth 2.0 and OpenID Connect server that implements the OAuth 2.0 Authorization Framework and OpenID Connect Core 1.0. Developed by Ory Corp as part of their open-source identity infrastructure ecosystem, Hydra is designed as a security-first authorization server that handles token issuance, client authentication, and consent flows while delegating user authentication to external systems. Unlike monolithic identity solutions, Hydra follows a microservices architecture where it focuses solely on OAuth2/OIDC protocols, making it highly scalable and integration-friendly for modern distributed applications.
This deployment combines Ory Hydra with PostgreSQL to create a production-grade authorization infrastructure. PostgreSQL serves as Hydra's persistence layer, storing OAuth2 clients, authorization codes, access tokens, refresh tokens, and OIDC sessions with ACID compliance and advanced transaction support. The PostgreSQL backend ensures data integrity for security-critical operations while providing the performance characteristics needed for high-throughput token operations. Hydra exposes two distinct APIs: the public OAuth2 API on port 4444 for standard authorization flows and token endpoints, and the administrative API on port 4445 for client management and token introspection.
This stack is ideal for organizations implementing zero-trust architectures, API-first companies requiring centralized authorization, and development teams building microservices that need robust OAuth2/OIDC capabilities. The separation of concerns between Hydra's authorization logic and external authentication systems makes it particularly valuable for enterprises with existing identity providers or custom authentication requirements. The PostgreSQL backend ensures this configuration can handle enterprise-scale workloads while maintaining the security guarantees required for authorization infrastructure.
Key Features
- RFC-compliant OAuth 2.0 Authorization Server with support for all standard grant types including authorization code, client credentials, and refresh token flows
- OpenID Connect Provider implementation with support for ID tokens, userinfo endpoint, and discovery mechanisms
- Dual-port architecture with separate public OAuth2 API (4444) and administrative API (4445) for security isolation
- PostgreSQL-backed persistence with ACID-compliant storage for OAuth2 clients, tokens, and authorization grants
- Consent and login flow delegation allowing integration with existing authentication systems and custom user interfaces
- Advanced token introspection and revocation capabilities through the administrative API
- Built-in support for JWT access tokens with configurable signing algorithms and key rotation
- Database migration system ensuring schema versioning and upgrade compatibility across Hydra releases
Common Use Cases
- API gateway authorization for microservices architectures requiring centralized OAuth2 token validation
- Single sign-on (SSO) implementation for multi-application environments with existing user authentication systems
- Third-party application integration hub allowing external developers to build applications against your APIs
- Zero-trust network security implementation where every service-to-service communication requires valid OAuth2 tokens
- Mobile application backend providing secure token-based authentication for iOS and Android applications
- Enterprise B2B integration platform enabling partner applications to access internal APIs through standardized OAuth2 flows
- Multi-tenant SaaS platform requiring isolated OAuth2 clients and scopes for different customer organizations
Prerequisites
- Minimum 1GB RAM for PostgreSQL database operations and Hydra token processing
- Available ports 4444 (OAuth2 public API) and 4445 (administrative API) for external access
- A separate login and consent application, since Hydra delegates user authentication and consent to it
- Understanding of OAuth 2.0 authorization flows and OpenID Connect concepts for proper client configuration
- TLS certificate management knowledge for production deployments requiring HTTPS endpoints
- Database backup and recovery procedures for protecting OAuth2 client credentials and token data
For development & testing. Review security settings, change default credentials, and test thoroughly before production use.
docker-compose.yml
services:
  hydra:
    image: oryd/hydra:latest
    container_name: hydra
    restart: unless-stopped
    environment:
      DSN: postgres://hydra:${DB_PASSWORD}@postgres:5432/hydra?sslmode=disable
      SECRETS_SYSTEM: ${SECRETS_SYSTEM}
      URLS_SELF_ISSUER: http://localhost:4444
      URLS_LOGIN: http://localhost:3000/login
      URLS_CONSENT: http://localhost:3000/consent
    command: serve all --dev
    ports:
      - "4444:4444"
      - "4445:4445"
    depends_on:
      - postgres

  postgres:
    image: postgres:15-alpine
    container_name: hydra-db
    environment:
      POSTGRES_USER: hydra
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_DB: hydra
    volumes:
      - hydra_db:/var/lib/postgresql/data

volumes:
  hydra_db:
.env Template
.env
DB_PASSWORD=changeme
SECRETS_SYSTEM=generate-32-char-secret
Usage Notes
- Docs: https://www.ory.sh/docs/hydra/
- Public OAuth2 API on port 4444 (token, authorize endpoints)
- Admin API on port 4445 (client management, introspection)
- Requires separate login/consent UI - Hydra handles only OAuth2 flows
- Create clients: hydra create oauth2-client --endpoint http://localhost:4445
- Run migrations first: hydra migrate sql --yes $DSN
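The recipe ships with placeholder credentials and two development-only settings (`serve all --dev`, `sslmode=disable` in the DSN) that the notes above ask you to review before production. The following preflight script is an added example, not part of the recipe or of Ory's tooling: it refuses the stack while `.env` still holds the template placeholders or `SECRETS_SYSTEM` is shorter than the 32 characters the template asks for, flags the dev-only compose settings, and can write a fresh `.env` with random secrets. The file paths and the 32-character minimum are assumptions taken from this page's template.

```shell
#!/bin/sh
# Preflight for this recipe before `docker compose up`: fail while .env still
# carries the template placeholders or docker-compose.yml keeps the
# development-only settings (serve all --dev, sslmode=disable).
# Usage: sh preflight.sh [.env] [docker-compose.yml]   (paths are assumptions)

env_value() {
  # Print the value of key $2 from env file $1; last assignment wins, as in compose.
  grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

check_hydra_env() {
  # $1 = .env path. Returns 0 only when both secrets were replaced and
  # SECRETS_SYSTEM has the 32 characters the template asks for.
  rc=0
  pw="$(env_value "$1" DB_PASSWORD)"
  secret="$(env_value "$1" SECRETS_SYSTEM)"
  case "$pw" in
    ""|changeme) echo "DB_PASSWORD is empty or still 'changeme'" >&2; rc=1 ;;
  esac
  case "$secret" in
    ""|generate-32-char-secret) echo "SECRETS_SYSTEM is still the template placeholder" >&2; rc=1 ;;
  esac
  if [ "${#secret}" -lt 32 ]; then
    echo "SECRETS_SYSTEM is ${#secret} characters; need at least 32" >&2; rc=1
  fi
  return $rc
}

check_hydra_compose() {
  # $1 = docker-compose.yml path. Flags the two dev-only settings in the recipe.
  rc=0
  grep -q 'serve all --dev' "$1" && { echo "hydra runs with --dev; drop it for production" >&2; rc=1; }
  grep -q 'sslmode=disable' "$1" && { echo "DSN disables TLS to PostgreSQL" >&2; rc=1; }
  return $rc
}

generate_hydra_env() {
  # Write a fresh .env to $1: 32 random bytes, hex-encoded (64 chars), per secret.
  printf 'DB_PASSWORD=%s\nSECRETS_SYSTEM=%s\n' \
    "$(od -An -tx1 -N 32 /dev/urandom | tr -d ' \n')" \
    "$(od -An -tx1 -N 32 /dev/urandom | tr -d ' \n')" > "$1"
}

# Stand-alone: `sh preflight.sh .env docker-compose.yml` checks the given files.
if [ "$#" -gt 0 ]; then
  check_hydra_env "$1" && check_hydra_compose "${2:-docker-compose.yml}" && echo "preflight OK"
fi
```

Run `generate_hydra_env .env` once, then wire the preflight into whatever starts the stack so a forgotten placeholder stops the deployment instead of shipping a known database password.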
Individual Services (2 services)
Copy individual services to mix and match with your existing compose files.
hydra
hydra:
  image: oryd/hydra:latest
  container_name: hydra
  restart: unless-stopped
  environment:
    DSN: postgres://hydra:${DB_PASSWORD}@postgres:5432/hydra?sslmode=disable
    SECRETS_SYSTEM: ${SECRETS_SYSTEM}
    URLS_SELF_ISSUER: http://localhost:4444
    URLS_LOGIN: http://localhost:3000/login
    URLS_CONSENT: http://localhost:3000/consent
  command: serve all --dev
  ports:
    - "4444:4444"
    - "4445:4445"
  depends_on:
    - postgres
postgres
postgres:
  image: postgres:15-alpine
  container_name: hydra-db
  environment:
    POSTGRES_USER: hydra
    POSTGRES_PASSWORD: ${DB_PASSWORD}
    POSTGRES_DB: hydra
  volumes:
    - hydra_db:/var/lib/postgresql/data
Quick Start
terminal
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  hydra:
    image: oryd/hydra:latest
    container_name: hydra
    restart: unless-stopped
    environment:
      DSN: postgres://hydra:${DB_PASSWORD}@postgres:5432/hydra?sslmode=disable
      SECRETS_SYSTEM: ${SECRETS_SYSTEM}
      URLS_SELF_ISSUER: http://localhost:4444
      URLS_LOGIN: http://localhost:3000/login
      URLS_CONSENT: http://localhost:3000/consent
    command: serve all --dev
    ports:
      - "4444:4444"
      - "4445:4445"
    depends_on:
      - postgres

  postgres:
    image: postgres:15-alpine
    container_name: hydra-db
    environment:
      POSTGRES_USER: hydra
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_DB: hydra
    volumes:
      - hydra_db:/var/lib/postgresql/data

volumes:
  hydra_db:
EOF

# 2. Create the .env file
cat > .env << 'EOF'
DB_PASSWORD=changeme
SECRETS_SYSTEM=generate-32-char-secret
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f
One-Liner
Run this command to download and set up the recipe in one step:
terminal
curl -fsSL https://docker.recipes/api/recipes/ory-hydra/run | bash
Troubleshooting
- Error 'migration required': Run 'docker exec hydra hydra migrate sql --yes $DSN' to initialize or upgrade database schema
- Connection refused on port 4444/4445: Check that Hydra container started successfully and PostgreSQL connection is established before Hydra initialization
- Login flow errors with 'invalid_request': Verify URLS_LOGIN and URLS_CONSENT environment variables point to accessible login/consent applications
- Database connection errors: Ensure PostgreSQL container is fully initialized before Hydra starts using depends_on and health checks
- Token validation failures: Confirm URLS_SELF_ISSUER matches the issuer claim expected by resource servers validating tokens
- Client creation fails: Use administrative API on port 4445 with proper authentication headers when creating OAuth2 clients programmatically