Hydra OIDC guide

2025-09-09 · 444 words · 2 min read

Previously, we covered how to set up Kanidm's read-only LDAP interface and get SSO working on Hydra. That's great and all, but LADP is a bit too old school. In this patch, @lheckemann and @ners added support for OpenID Connect to Hydra.

# Hydra setup

Since the PR is not merged yet, bring in the patch manually (ignore this step if it is merged by the time you read this):

# in flake.nix
{
  inputs.hydra.url = "github:ners/hydra/oidc";
  inputs.hydra.inputs.nixpkgs.follows = "nixpkgs";
  ...
}

# in hydra config
{ inputs, pkgs, ... }:

{
  services.hydra = {
    package = inputs.hydra.packages.${pkgs.stdenv.hostPlatform.system}.default;
  };
}

# Kanidm config

Assuming your login user name is somebody, the Hydra user and admin groups are hydra.users and hydra.admins, and your Hydra instance is at https://hydra.example.com, the Kanidm config should looks like this:

{
  # i only added configs related to hydra here
  # and its assumed that the kanidm domain is set to sso.example.com (where cookie is valid)
  # and kanidm is running at https://sso.example.com
  services.kanidm.provision = {
    groups = {
      "hydra.admins" = { };
      "hydra.users" = { };
    };

    persons = {
      somebody = {
        displayName = "Somebody";
        legalName = "Real Name";
        mailAddresses = [ "somebody@example.com" ];
        groups = [
          "hydra.admins"
          "hydra.users"
        ];
      };
    };

    systems.oauth2 = {
      hydra = {
        displayName = "Hydra";
        allowInsecureClientDisablePkce = true;
        originUrl = "https://hydra.example.com/oidc-login";
        originLanding = "https://hydra.example.com/";
        basicSecretFile = ""; # path to your secret file
        preferShortUsername = true;
        scopeMaps."hydra.users" = [
          "openid"
          "email"
          "profile"
          "groups"
        ];
      };
    };
  };
}

At the time of writing, Hydra OIDC implementation does not support PKCE, so allowInsecureClientDisablePkce must be set to prevent login failure.

# Hydra config

{
  # i'm using sops for secret management
  # but you can also use other solutions
  sops.secrets.hydra = {
    owner = "hydra";
    group = "hydra";
    mode = "440";
  };

  services.hydra.extraConfig = ''
    enable_hydra_login = 0                                                     # disable default hydra login page
    enable_oidc_login = 1                                                      # enable OIDC
    oidc_client_id = "hydra"                                                   # this should match the client id in kanidm config
    oidc_scope = "openid email profile groups"                                 # scopes to request
    oidc_auth_uri = "https://sso.example.com/ui/oauth2"                        # kanidm oauth2 auth endpoint
    oidc_token_uri = "https://sso.example.com/oauth2/token"                    # kanidm oauth2 token endpoint
    oidc_userinfo_uri = "https://sso.example.com/oauth2/openid/hydra/userinfo" # kanidm userinfo endpoint, client id must match
    include ${config.sops.secrets.hydra.path}                                  # should contain `oidc_client_secret = <secret>`

    # change the role mapping according to your needs
    # but the the format is:
    # <group in kanidm> = <role in hydra>
    # where group in kanidm is in the form of
    # <group>@<kanidm cookie domain>
    <oidc_role_mapping>
      hydra.admins@sso.example.com = admin
      hydra.admins@sso.example.com = bump-to-front
      hydra.users@sso.example.com = cancel-build
      hydra.users@sso.example.com = eval-jobset
      hydra.users@sso.example.com = create-projects
      hydra.users@sso.example.com = restart-jobs
    </oidc_role_mapping>
  '';
}