We're using ORY Hydra to implement OpenID Connect

https://www.ory.sh/hydra/

Introduction

ORY Hydra is an open source OAuth 2.0 and OpenID Connect server. It is written in Go and designed to be deployed as a Docker container. It is a completely stand-alone system that holds no user accounts of its own; instead it integrates with an existing user database through HTTP APIs.

ORY Hydra exposes two HTTP ports. Port 4444 is the public endpoint (authorization, token, userinfo and discovery) and is meant to be exposed to the internet. Port 4445 is the admin API endpoint; it has no authentication of its own, so it must only be reachable from the internal network.

ORY Hydra requires a database for its internal state (OAuth 2.0 clients, login and consent sessions, signing keys). This can be either PostgreSQL or MySQL.

To allow users to sign in through ORY Hydra, a login, consent and logout user interface must be implemented separately. Hydra redirects the browser to this UI with a challenge; the UI verifies the username and password against the user database and then accepts or rejects the request by calling ORY Hydra's admin API, which answers with the URL to redirect the browser back to.
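The login half of that exchange, as an added example written in TypeScript like the UI's API (it is not code from hydra-login-consent-aws or from ORY): the login provider fetches the login request from the admin API using the login_challenge Hydra appended to the redirect, checks the credentials against the user database, and accepts the login with the resulting subject. The admin API paths and JSON fields are Hydra's; HttpClient, UserStore, FakeHydraAdmin, the hostnames and the demo account are stand-ins constructed so the example runs offline.

```typescript
// Added example (not code from hydra-login-consent-aws): the login-provider
// half of ORY Hydra's login flow, as the UI's API would run it against the
// admin endpoint (port 4445). Paths and JSON shapes are those of Hydra's
// admin API; HttpClient, UserStore and FakeHydraAdmin are stand-ins
// constructed for this example so that it runs offline.

export interface HttpResponse { status: number; body: unknown }
export type HttpClient = (method: "GET" | "PUT", url: string, body?: unknown) => Promise<HttpResponse>;

// Subset of Hydra's login request object that the login provider needs.
export interface LoginRequest { challenge: string; skip: boolean; subject: string }

// Credential check against the existing user database; returns the stable
// subject identifier on success, null otherwise (stand-in interface).
export interface UserStore { verify(username: string, password: string): string | null }

export type LoginOutcome = { kind: "redirect"; to: string } | { kind: "invalid_credentials" };

export class HydraAdmin {
  constructor(private readonly baseUrl: string, private readonly http: HttpClient) {}

  private async call(method: "GET" | "PUT", path: string, challenge: string, body?: unknown): Promise<unknown> {
    const url = `${this.baseUrl}${path}?login_challenge=${encodeURIComponent(challenge)}`;
    const res = await this.http(method, url, body);
    if (res.status !== 200) throw new Error(`Hydra admin API ${method} ${path} returned ${res.status}`);
    return res.body;
  }

  getLoginRequest(challenge: string): Promise<LoginRequest> {
    return this.call("GET", "/oauth2/auth/requests/login", challenge) as Promise<LoginRequest>;
  }

  async acceptLogin(challenge: string, subject: string, rememberFor: number): Promise<string> {
    const body = await this.call("PUT", "/oauth2/auth/requests/login/accept", challenge,
      { subject, remember: rememberFor > 0, remember_for: rememberFor });
    return (body as { redirect_to: string }).redirect_to;
  }
}

export async function handleLogin(hydra: HydraAdmin, users: UserStore, challenge: string,
                                  username: string, password: string): Promise<LoginOutcome> {
  const req = await hydra.getLoginRequest(challenge);
  // skip=true means Hydra already holds an authenticated session for this
  // subject; the provider must accept it as-is instead of prompting again.
  if (req.skip) return { kind: "redirect", to: await hydra.acceptLogin(challenge, req.subject, 0) };
  // Only a subject produced by the credential check is ever sent to Hydra;
  // the username typed into the form is never forwarded directly.
  const subject = users.verify(username, password);
  if (subject === null) return { kind: "invalid_credentials" };
  return { kind: "redirect", to: await hydra.acceptLogin(challenge, subject, 3600) };
}

// In-memory stand-in for the admin endpoint, constructed for this example.
// It answers the two requests used above and mints the redirect back to the
// public endpoint (port 4444) that a real Hydra would return.
export class FakeHydraAdmin {
  private pending = new Map<string, LoginRequest>();
  private accepted = new Map<string, string>(); // challenge -> accepted subject
  constructor(private readonly publicUrl: string) {}

  issueChallenge(challenge: string, skip = false, subject = ""): void {
    this.pending.set(challenge, { challenge, skip, subject });
  }
  acceptedSubject(challenge: string): string | undefined { return this.accepted.get(challenge); }

  readonly client: HttpClient = async (method, url, body) => {
    const [path, query = ""] = url.replace(/^https?:\/\/[^/]+/, "").split("?");
    const m = /login_challenge=([^&]*)/.exec(query);
    const challenge = m && m[1] !== undefined ? decodeURIComponent(m[1]) : "";
    const req = this.pending.get(challenge);
    if (!req) return { status: 404, body: { error: "Unknown login challenge" } };
    if (method === "GET" && path === "/oauth2/auth/requests/login") return { status: 200, body: req };
    if (method === "PUT" && path === "/oauth2/auth/requests/login/accept") {
      const { subject } = body as { subject: string };
      this.accepted.set(challenge, subject);
      return { status: 200, body: { redirect_to: `${this.publicUrl}/oauth2/auth?login_verifier=v-${challenge}` } };
    }
    return { status: 404, body: { error: "Unknown route" } };
  };
}

// Constructed user database: one account whose subject identifier is "user-42".
export const demoUsers: UserStore = {
  verify: (u, p) => (u === "alice" && p === "correct horse" ? "user-42" : null),
};

export interface DemoResult {
  good: LoginOutcome; bad: LoginOutcome; skipped: LoginOutcome; accepted: Record<string, string | undefined>;
}

// Runs three logins: valid credentials, a wrong password, and a challenge
// Hydra already marked skip=true. Hostnames are placeholders.
export async function demo(): Promise<DemoResult> {
  const fake = new FakeHydraAdmin("https://auth.example.com");
  const hydra = new HydraAdmin("http://hydra-admin.internal:4445", fake.client);
  fake.issueChallenge("c1");
  fake.issueChallenge("c2");
  fake.issueChallenge("c3", true, "user-42");
  const good = await handleLogin(hydra, demoUsers, "c1", "alice", "correct horse");
  const bad = await handleLogin(hydra, demoUsers, "c2", "alice", "wrong");
  const skipped = await handleLogin(hydra, demoUsers, "c3", "", "");
  return { good, bad, skipped, accepted: { c1: fake.acceptedSubject("c1"), c2: fake.acceptedSubject("c2"), c3: fake.acceptedSubject("c3") } };
}
```

In a real deployment the HttpClient passed to HydraAdmin is the one that reaches the admin endpoint over the internal network (here, through the IAM-authenticated API Gateway described under Deployment on AWS). The consent step follows the same pattern with a consent_challenge and the /oauth2/auth/requests/consent and /oauth2/auth/requests/consent/accept paths, where the provider decides which requested scopes to grant.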

Deployment on AWS

We use the following AWS services to host ORY Hydra.

Database

We are running a PostgreSQL instance on Amazon Relational Database Service (Amazon RDS).

ORY Hydra server

We run the ORY Hydra Docker container on the Amazon Elastic Container Service (Amazon ECS). Each of the two HTTP ports is fronted by its own Elastic Load Balancer. The public endpoint's load balancer is exposed directly to the internet and terminates TLS with a certificate for the public hostname; because TLS ends at the load balancer, Hydra itself receives plain HTTP on port 4444 and must be configured to accept TLS termination from the load balancer's address range (serve.tls.allow_termination_from) rather than being run in its insecure HTTP-only mode. The admin endpoint's load balancer is internal and reachable only inside the VPC. An API Gateway in front of that internal endpoint authenticates callers using IAM, so internal callers such as the UI's API reach the otherwise unauthenticated admin API only after an IAM-authenticated hop.

User Interface

https://github.com/creative-passport/hydra-login-consent-aws

The user interface front end is a single-page application (SPA) built with Create React App and TypeScript and hosted on AWS Amplify.

The API for the UI is written in TypeScript and uses the Serverless framework to deploy to AWS Lambda and API Gateway.

https://www.serverless.com/

The API contains

Hydra Public HTTP endpoint