Eclipse Ditto now supports all OAuth 2.0 providers which implement OpenID Connect out-of-the-box. You can find a list of certified providers at OpenID Connect - Certified OpenID Provider Servers and Services.

With this post, we want to give an example of this new feature using the open source provider ORY Hydra. Follow their installation guide for a docker based setup on your development machine.


Download the self-signed certificate form the ORY Hydra server: https://localhost:9000/.well-known/openid-configuration

Use the downloaded certificate for the pekko-http ssl configuration.

ssl-config {
  trustManager = {
    stores = [
      { type = "PEM", path = "/path/to/cert/globalsign.crt" }

The authentication provider must be added to the ditto-gateway configuration.

ditto.gateway.authentication {
    oauth {
      openid-connect-issuers = {
        ory = "https://localhost:9000/"

The configured subject-issuer will be used to prefix the value of the “sub” claim, e.g.

  "subjects": {
    "": {
    "type": "generated"

Authenticate Ditto API

Create an OAuth client with hydra to be able to create ID Tokens.

docker run --rm -it \
  -e HYDRA_ADMIN_URL=https://ory-hydra-example--hydra:4445 \
  --network hydraguide \
  oryd/hydra:v1.0.0 \
  clients create --skip-tls-verify \
    --id eclipse-ditto \
    --secret some-secret \
    --grant-types authorization_code,refresh_token,client_credentials,implicit \
    --response-types token,code,id_token \
    --scope openid,offline \

Use the client to generate an ID Token.

docker run --rm -it \
  --network hydraguide \
  -p 9010:9010 \
  oryd/hydra:v1.0.0 \
  token user --skip-tls-verify \
    --port 9010 \
    --auth-url https://localhost:9000/oauth2/auth \
    --token-url https://ory-hydra-example--hydra:4444/oauth2/token \
    --client-id eclipse-ditto \
    --client-secret some-secret \
    --scope openid

After that perform the OAuth 2.0 Authorize Code Flow by opening the link, as prompted, in your browser, and follow the steps shown there.

Use the generated token to authenticate Ditto API.

curl -X POST \
  http://localhost:8080/api/2/things \
  -H 'Authorization: Bearer <JWT>' \
  -H 'Content-Type: application/json' \
  -d '{}'


The Eclipse Ditto team