
Show HN: Oathkeeper – Cloud-Native Identity and Access Proxy - ibuildoss
https://github.com/ory/oathkeeper
======
ibuildoss
The idea of the ory ecosystem (
[https://github.com/ory](https://github.com/ory) /
[https://www.ory.am](https://www.ory.am) ) is to build a reliable, cloud
native suite of tools which allow you to solve simple and complex IAM
(identity and access management) use cases. Each service works standalone, but
you can obviously combine them all.

The Oathkeeper proxy is one piece of the puzzle which basically takes incoming
HTTP requests, evaluates them on a set of rules (e.g. authentication of
credentials used, checking if the user has the right permissions, transforming
the session data to e.g. a JWT) and either grants or denies access.

Other services include, for example, ORY Hydra (
[https://github.com/ory/hydra](https://github.com/ory/hydra) ) which is an
OAuth2 & OpenID Connect (certification pending) server that you can put "on
top" of your existing user management.

While most developers opt to build these systems (permissions, user
management) themselves, it is our vision to build a reliable, broadly adopted
set of OSS tools that get you started quickly and that scale well as the
requirements of your organization change.

Everything we do is built on top of open standards, we do not want to reinvent
the wheel (unless nothing exists wrt open standards). So everything in this
ecosystem integrates well with existing systems.

If you have any questions, feel free to ask.

ps: New account because I lost my password and didn't set up a backup email.
Stupid me.

~~~
jiveturkey
> _solve simple and complex IAM_

really great. please comment on the intersection with auth0. clearly there is
some overlap, it would be great to have a concise explanation.

> _we do not want to reinvent the wheel_

IMHO, were I you I would not shy away from that. Existing wheels are oval in
shape. Of course where you have to interoperate, you are limited.

> _ps: New account because I lost my password and didn't set up a backup
> email. Stupid me._

Well you just lost me. You are developing IAM components and you can't get
basic password management correct? email has nothing to do with it, we are
well past the point where password managers are de rigueur, certainly for
anyone involved with security matters.

~~~
ibuildoss
> Well you just lost me. You are developing IAM components and you can't get
> basic password management correct? email has nothing to do with it, we are
> well past the point where password managers are de rigueur, certainly for
> anyone involved with security matters.

The password in my password manager is not correct. No idea how that happened,
maybe it was overwritten by accident or I copied the wrong one during account
creation. Since I had to reset my FF profile it was no longer stored in the FF
password manager, so I had to recover it from KeePass, which well - didn't
work out so well. Since I do use a password manager, it's impossible to
recover it as I have no idea what the password is.

------
wereHamster
I'm currently looking at how to protect internal websites used within our company
behind github oauth (we're a small company and we all have a github account
connected to the company's github organization). Would this or one of the
other tools that are part of the ory ecosystem work for this?

~~~
ibuildoss
Yes, this could definitely solve that. Another service which might be well
suited for this specific task is:
[https://github.com/bitly/oauth2_proxy](https://github.com/bitly/oauth2_proxy)

------
wvh
I just wrote a simple proxy myself that takes an OIDC authenticated user and
forwards the request to backend servers if their session is valid. It only
took me two days to get this proxy functionality up and running, but of course
the main application itself was handling all of the authentication,
authorisation and session stuff already.

It's good to know there's an option to do this in the future for projects that
don't have all that groundwork done already, if this is easy to set up – at
least initially – without having to include all the parts of the ecosystem.

------
ibuildoss
The day is coming to an end here, I'll try to monitor this thread but in case
you don't get an answer from me any more, you will definitely get one in the
community forums or chat by tomorrow:

- Forums: [https://community.ory.am/](https://community.ory.am/)

- Chat: [https://discord.gg/PAMQWkr](https://discord.gg/PAMQWkr)

Thank you all for the awesome discussions!

------
youdontknowtho
I'm really excited to try this out. Microsoft's Azure App Proxy is a great
technology, but it has licensing constraints that make it difficult to use
with all user personas.

------
colemickens
Do you have a Slack? I'm interested in OIDC and have some questions and
interest in the user management component that is mentioned to be in the
works.

~~~
romanminkin
They have Discord [https://discord.gg/PAMQWkr](https://discord.gg/PAMQWkr)

------
SauciestGNU
Are you aware that this project shares a name with an extremist group[0]? I'm
not sure how concerned you are about that, especially if you're not American,
but I'd want to know if it were one of my projects.

[0] [https://www.splcenter.org/fighting-hate/extremist-files/grou...](https://www.splcenter.org/fighting-hate/extremist-files/group/oath-keepers)

~~~
ibuildoss
It is extremely important to be sensitive to extremism of any kind, condemn
extremist practices, beliefs, and views and take a stance against extremist
ideologies.

We do not share nor endorse extremist views nor "values", nor have anything to
do with extremist groups whatsoever. We have not heard about them (Oath
Keepers) before.

We'll discuss a name change internally & with the community.

ps: It also shares the name of the sword from Game of Thrones and is a
wordplay on OAuth :)

edit:// Forgot to thank you for raising awareness on this.

~~~
andymockli
Just to clarify, are you speaking for the team to condemn extremism in
general, or the specific belief in upholding the U.S. Constitution within the
U.S., or something else?

Maybe I should pay attention to the discussion with the community when that
occurs, but I'm interested in which "values" you take issue with. Care to
share here?

~~~
bitwize
"Upholding the Constitution", among the far right, is dogwhistle for
supporting white supremacy or other regressive policies. There's even a fringe
political party called the Constitution Party that draws its planks not from
the Constitution, the Federalist papers, or other constitutional scholarship
-- but the King James Version of the Bible.

~~~
AnimalMuppet
Upholding the Constitution _can_ be a dogwhistle for various malign ideas. But
there are _also_ people who see, for example, the "living Constitution"
jurisprudence as not actually upholding the Constitution, but rather just
saying what you want and calling it the law. There are people who see
executive orders (whether by Bush, Obama, or Trump) as not the way the country
is supposed to be governed, and worry about the constitutional legitimacy of
those orders. Probably the majority of the people who worry about such things
are conservatives; my feel is that the majority (at a minimum) are not
concerned about such issues as a cover for white supremacy.

Note well: I take no position on whether Oath Keepers is using "upholding the
Constitution" as a cover for white supremacy.

~~~
krapp
> But there are also people who see, for example, the "living Constitution"
> jurisprudence as not actually upholding the Constitution, but rather just
> saying what you want and calling it the law.

And those people are incorrect. It's incorrect to believe that all modern
Constitutional law and Supreme Court decisions are the result of judges and
lawmakers simply making up whatever interpretation they like without any basis
in, study of, or respect for the Constitution.

The alternative would be to pretend to know in all cases what an eighteenth
century philosopher would decide about an issue of law in the context of
modern society.

~~~
AnimalMuppet
If you'll re-read my post a bit more carefully, you'll see that the word "all"
is nowhere in it. Nobody (that I know) believes that "all modern
Constitutional law and Supreme Court decisions are the result of judges and
lawmakers simply making up whatever interpretation they like without any basis
in, study of, or respect for the Constitution." I suppose that bit of
hyperbole might serve to make my original statement seem less reasonable; if
you did it deliberately, you're putting words in my mouth to try to discredit
me, which is pretty scummy.

> The alternative would be to pretend to know in all cases what an eighteenth
> century philosopher would decide about an issue of law in the context of
> modern society.

No, the alternative would be to _know what they said the rules are_.

(Now, I will admit that deciding how the rules they agreed on apply in a
specific situation can be very complicated. But I trust "let's look at the
rules and see how they apply" more than I trust "interpreting the Constitution
in accordance with its original meaning or intent is sometimes unacceptable as
a policy matter, and thus that an evolving interpretation is necessary"[1].
The former view makes the Constitution the final law; the latter makes policy
the master over the Constitution.)

[1] From the Wikipedia article on "Living Constitution". The quote was marked
"citation needed". If you don't think it's an accurate statement of how some
judges view the Constitution, make your case.

~~~
krapp
> No, the alternative would be to know what they said the rules are.

Problem is, parts of the text are maddeningly vague, and they didn't exactly
agree in their politics, so a single, simple, objective and provably correct
interpretation of those rules is not always possible.

> If you don't think it's an accurate statement of how some judges view the
> Constitution, make your case.

I _do_ think that's an accurate statement. I disagree with 'people who see,
for example, the "living Constitution" jurisprudence as not actually upholding
the Constitution, but rather _just saying what you want and calling it the
law._ '

One can disagree with the doctrine of a 'living Constitution' but there is
more nuance and thought put behind the rationale than some conservatives want
to admit. Both sides believe, in good faith, that what they're doing is
upholding the Constitution.

> The former view makes the Constitution the final law; the latter makes policy
> the master over the Constitution.)

I prefer to see it as the former making the Founding Fathers the master over
the Constitution, the latter making the people the master over it. The
Constitution is a legal document, not the word of God, and nothing in the
Constitution explicitly requires that it be interpreted according to strict
originalist intent, so interpreting it either way is equally valid, and
equally a matter of politics.

~~~
AnimalMuppet
Well, the former makes the people of the Founding Fathers' generation the
master over the Constitution (they ratified it). The latter makes the people
of this generation the masters over it.

> Problem is, parts of the text are maddeningly vague, and they didn't exactly
> agree in their politics, so a single, simple, objective and provably correct
> interpretation of those rules is not always possible.

True.

>> If you don't think it's an accurate statement of how some judges view the
>> Constitution, make your case.

I do think that's an accurate statement. I disagree with 'people who see, for
example, the "living Constitution" jurisprudence as not actually upholding the
Constitution, but rather just saying what you want and calling it the law.'

The original statement was "interpreting the Constitution in accordance with
its original meaning or intent is sometimes unacceptable as a policy matter,
and thus that an evolving interpretation is necessary". Deciding that "the
original meaning is unacceptable" is _exactly_ "deciding what you want and
calling it the law". It's deciding, on the basis of what you think policy
should be, what the Constitution should have said.

Let me put it this way: Trump may, before he's done, nominate three Supreme
Court justices. Do you want _those_ justices to decide based on what _they_
think is "acceptable as a policy matter"? Or do you want them to be bound by
what the text says?

> One can disagree with the doctrine of a 'living Constitution' but there is
> more nuance and thought put behind the rationale than some conservatives
> want to admit.

I will admit that - for at least some of those who hold that position.
Others... their behavior seems to indicate that they want to rule over the
Constitution, not to faithfully interpret it.

> so interpreting it either way is equally valid

Is it? We don't accept that reasoning with contracts, why should we with the
Constitution?

(That is, if you have a contract, and you try to interpret the terms in ways
that are outside the bounds of the words of the contract, a court isn't going
to care how much you see the contract as a living document. They also aren't
going to care how much you care about original intent. They're going to care
about the words on the paper. I've seen it happen in court, with one side
arguing creative meaning plus intent, and the other destroying them with the
actual words.)

Nice discussion. I'll leave you the last word; I'm out for the next two days.

~~~
krapp
> Let me put it this way: Trump may, before he's done, nominate three Supreme
> Court justices. Do you want those justices to decide based on what they think
> is "acceptable as a policy matter"? Or do you want them to be bound by what
> the text says?

If I support decisions by previous courts, such as Roe v. Wade and Obergefell
v. Hodges, then the intellectually honest position would be to concede that
whoever Trump nominates has the right to do the same. I may not like it, but
I do believe that is the Court's prerogative.

I don't think it's harmful to consider updated interpretations of the
Constitution _per se,_ although particular decisions can do harm even when
they correctly reflect the attitudes of the time (as with Plessy v. Ferguson
and segregation.) But then, obviously wrong interpretations can also be
reversed. I think that we're a stronger democracy for being able to ask these
questions, and consider the Constitution as evolving philosophy as much as a
legal document, than if we were prevented from doing so.

> Is it? We don't accept that reasoning with contracts, why should we with the
> Constitution?

Well... the Constitution isn't a contract. If it were, it would be far more
precise and verbose in its language, and you wouldn't have entire bodies of
scholarship around the meaning of a comma.

But here we are in 2018, in the age of the internet, global surveillance, 3d
printed guns, genome sequencing and a thousand other things the Founders would
probably never have conceived of. If we remain bound only by the original
intent of the original definition of the words of the Constitution when
interpreting challenges and questions of Constitutional law, then I'm afraid
the result is going to be that Constitution becoming less and less relevant to
modern society.

