Ory Keto and Ory Oathkeeper can play together! Ory Keto implements Google Zanzibar; it's basically a service where you can check if "x is allowed to do y". Ory Oathkeeper, on the other hand, is something which can check for any given HTTP request: who is the user making the request? Is the user allowed to make the request? And finally convert all this information into a common format. However, Ory Oathkeeper does not itself make the decision; it uses e.g. Ory Keto to check the permission itself. Hope this makes sense
Thank you! :) We have an RFC for adding this type of short-lived token to Ory Kratos. If you want to go deeper in the security space, there is also Ory Hydra which supports things like Service Accounts using OAuth2 Client Credentials (with PKI!) as well as OAuth2 Token Exchange :)
That is so great to hear! We are in the midst of refactoring the documentation structure for different audiences: people who want to try it out quickly, those who want in depth understanding (like you), code contributors, non-dev
It’s a long journey! If you ever see some of our docs again and feel that it has lost its way, please reach out; it’s very important to us to not only show how the product works but also why :)
One of the co-maintainers here. Ory Kratos has been in development since 2018 and is finally out of beta! If you have any questions about the project, tech, flows, or Ory as a whole I’m here to help :)
We evaluated Ory a few months ago. My understanding:
1. Ory Kratos provides session-based authentication and user management.
2. Ory Hydra is a self-managed server that secures access to your applications and APIs with OAuth 2.0 and OpenID Connect.
Basically we want to replace AWS Cognito (which is pretty much abandonware) to secure our API so we needed both applications. Unfortunately we had to put our efforts on hold:
1. Bugs around traits meant we had issues around password change, password recovery and email change/reverifications for our use-case
2. Lack of documentation prevented us making progress on 2FA/WebAuthn
3. Bearer token/OAuth consent flow wasn't available without a lot of work because Kratos and Hydra are not "integrated" [1]. Someone shows how they rolled their own integration [2].
I'd love for someone to advise that we were wrong or misunderstood things or that things have moved on since then!
> 1. Ory Kratos provides session-based authentication and user management.
>
> 2. Ory Hydra is a self-managed server that secures access to your applications and APIs with OAuth 2.0 and OpenID Connect.
Sounds about right.
> 1. Bugs around traits meant we had issues around password change, password recovery and email change/reverifications for our use-case
Can't comment much on these as I haven't experienced those issues, but I'm curious to hear what the issues were.
> 2. Lack of documentation prevented us making progress on 2FA/WebAuthn
Things have moved on in the last months, and the 2FA/WebAuthn implementation seems more mature and documented.
> 3. Bearer token/OAuth consent flow wasn't available without a lot of work because Kratos and Hydra are not "integrated" [1]. Someone shows how they rolled their own integration [2].
That's right, sadly there's no 'integration' available officially. There've been at least two pull requests (I made one of them) to add Hydra integration to the official demo Kratos UI, which for different reasons weren't merged. I'm not sure I'd say it's so much work (essentially, it's getting the existing Kratos session and translating those into a Hydra session, with a couple of API calls), but it's not something very well documented (or at all) and you're left to figure it out by yourself from the API documentation. I hope that integration between the two is improved, at least with an official demo showcasing the calls needed in order and with the right parameters.
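The "couple of API calls" the comment above refers to, written out as an added example (not code from the Ory project or from the commenter): a small Go bridge that takes a Hydra login_challenge, asks Kratos whether the browser's cookie is an active session, and if so accepts the Hydra login request with the Kratos identity id. The endpoint paths (Kratos `/sessions/whoami`, Hydra admin `/oauth2/auth/requests/login` and `/oauth2/auth/requests/login/accept`), the `skip`/`subject`/`redirect_to` fields, and the base URLs are assumptions taken from the Hydra v1 admin API and Kratos public API as I know them; verify them against the versions you deploy.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// Bridge resolves a Hydra login challenge with an existing Kratos session.
// The endpoint paths below are assumptions from the Hydra v1 admin API and the
// Kratos public API; check them against the versions you deploy.
type Bridge struct {
	KratosPublicURL string // e.g. http://kratos:4433 (assumed)
	HydraAdminURL   string // e.g. http://hydra:4445 (assumed; never browser-reachable)
	Client          *http.Client
}

type kratosSession struct {
	Active   bool `json:"active"`
	Identity struct {
		ID string `json:"id"`
	} `json:"identity"`
}

type hydraLoginRequest struct {
	Skip    bool   `json:"skip"`
	Subject string `json:"subject"`
}

// ErrNoSession lets a handler send the browser to the Kratos login UI instead
// of treating a missing session like a broken backend.
var ErrNoSession = errors.New("no active kratos session")

type statusError struct{ Code int }

func (e *statusError) Error() string { return fmt.Sprintf("unexpected status %d", e.Code) }

// doJSON sends req, rejects non-2xx responses, and decodes the JSON body into out.
func (b *Bridge) doJSON(req *http.Request, out interface{}) error {
	resp, err := b.Client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		return &statusError{Code: resp.StatusCode}
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// whoami forwards the browser's Cookie header to Kratos and returns the session
// only if Kratos reports it as active; 401/403 becomes ErrNoSession.
func (b *Bridge) whoami(cookie string) (*kratosSession, error) {
	req, err := http.NewRequest(http.MethodGet, b.KratosPublicURL+"/sessions/whoami", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Cookie", cookie)
	var s kratosSession
	var se *statusError
	switch err := b.doJSON(req, &s); {
	case errors.As(err, &se) && (se.Code == http.StatusUnauthorized || se.Code == http.StatusForbidden):
		return nil, ErrNoSession
	case err != nil:
		return nil, err
	case !s.Active || s.Identity.ID == "":
		return nil, ErrNoSession
	}
	return &s, nil
}

// ResolveLogin: fetch the pending login request, check the Kratos session,
// refuse a challenge Hydra already tied to a different subject, then accept
// it with the Kratos identity id and return the URL to redirect the browser to.
func (b *Bridge) ResolveLogin(challenge, cookie string) (string, error) {
	if challenge == "" {
		return "", errors.New("missing login_challenge")
	}
	q := "?" + url.Values{"login_challenge": {challenge}}.Encode()
	req, err := http.NewRequest(http.MethodGet, b.HydraAdminURL+"/oauth2/auth/requests/login"+q, nil)
	if err != nil {
		return "", err
	}
	var lr hydraLoginRequest
	if err := b.doJSON(req, &lr); err != nil {
		return "", err
	}
	sess, err := b.whoami(cookie)
	if err != nil {
		return "", err
	}
	if lr.Skip && lr.Subject != sess.Identity.ID {
		return "", fmt.Errorf("hydra remembers subject %q but the kratos session belongs to %q", lr.Subject, sess.Identity.ID)
	}
	body, _ := json.Marshal(map[string]interface{}{"subject": sess.Identity.ID, "remember": false})
	req, err = http.NewRequest(http.MethodPut, b.HydraAdminURL+"/oauth2/auth/requests/login/accept"+q, bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/json")
	var out struct {
		RedirectTo string `json:"redirect_to"`
	}
	if err := b.doJSON(req, &out); err != nil {
		return "", err
	}
	return out.RedirectTo, nil
}
```

Wiring: point Hydra's login URL at a handler that calls `ResolveLogin(r.URL.Query().Get("login_challenge"), r.Header.Get("Cookie"))`; on `ErrNoSession` redirect the browser to the Kratos login UI with a return_to that brings it back to the same URL (the challenge survives the round trip), on any other error answer 500 rather than looping the user back to login, and otherwise redirect to the returned `redirect_to`. The subject mismatch check matters when Hydra has a remembered session (`skip: true`) for a different user than the one currently logged into Kratos: accepting blindly would hand the OAuth2 client a token for the wrong identity. The consent step is a second, analogous pair of calls against `/oauth2/auth/requests/consent` and is not shown here.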
Hey, I've seen the project in the past and it's very interesting, and definitely an improvement over existing alternatives. That said, I have one complaint quite unrelated to the tech itself: I think the liberal use of the term "identity" is very inappropriate. Of course "identity" is an extremely hard term to even define, but as far as I can see ory kratos is only assisting with email and phone verification. To talk about "identity" in that context seems very out of place to me. Maybe there's more that I've missed, and if that's the case I'm sorry. I understand words have more than one meaning, but there are big challenges to solve with regards to identity in the digital world that as far as I can see ory doesn't try to solve at all, and we end up spending time reading through the docs and trying to see if someone is making a meaningful contribution to the field for nothing. I know competitors use the term irresponsibly too, but... nevermind.
Sorry for the rant and what may sound like a very negative comment, I wrote this quickly. I think it would be great to right away stop using the term "identity" so freely and use something else, or at least clearly explain what you understand by identity. I think it would be great for programmers to start disambiguating the concept, and I think projects like ory have a good opportunity (that you yourselves created and built, of course!) to make it a bit better.
I understand what you're saying here. I'm doing some looking into identity as the concept of a verification that a person is who they say they are, not in the context of authentication but in the "real world". I've learned to read that word "identity" very loosely. As you said - it's very hard to define.
Hm. I agree with you: Identity is a user account or role. Verification is backing up the assertion of initial registration with phone, email, address, and so on.
Authentication is the verification of identity after registration.
Authorization is the verification of permission for an identity to take an action.
I usually understand "Identity" in the context of authentication and authorization to mean "who is the person or process trying to access the service", what do you think is inappropriate about this use of the word? Or another way to put it, from what should it be disambiguated?
A user account, an email or a phone number do not uniquely identify a person or process, and it doesn't tell you whether it's actually a person or a process.
Edit: "account" may not fully capture everything ory might be trying to do, but it's definitely closer than "identity".
Is there an SSO for api/rpc just like how github cli (gh) did their auth (gh auth login)? I've been looking for simple tutorials on how to get started with a bunch of openid libraries, and still not sure how to get it working with ory. I didn't proceed spelunking github code and ended up settling on session management.
This was one of the primary reasons I ended up going with Keycloak, it's "batteries included" as far as UI goes.
UI for management, impersonation, configuration, etc... with RBAC, end-user UI for account preferences, profile, login, password reset, etc... all customizable/themeable.
With the switch to quarkus, it has a much more "single binary" feel and is very easy to deploy / configure.
Would it be possible to migrate from IdentityServer4 & ASP.NET Identity Core? I currently have a SaaS running those 2 and would love to eventually migrate all users to Kratos.
I also heard that there’s a blog post for migration coming, but it has to be translated from Japanese first. If you sign up to the newsletter you should receive a notice when it’s released :)