The Oathkeeper proxy is one piece of the puzzle which basically takes incoming HTTP requests, evaluates them on a set of rules (e.g. authentication of credentials used, checking if the user has the right permissions, transforming the session data to e.g. a JWT) and either grants or denies access.
Other services include, for example, ORY Hydra ( https://github.com/ory/hydra ) which is an OAuth2 & OpenID Connect (certification pending) server that you can put "on top" of your existing user management.
While most developers opt to build these systems (permissions, user management) themselves, it is our vision to build a reliable, broadly adopted set of OSS tools that get you started quickly and that scale well as the requirements of your organization change.
Everything we do is built on top of open standards; we do not want to reinvent the wheel (unless nothing exists with respect to open standards). So everything in this ecosystem integrates well with existing systems.
If you have any questions, feel free to ask.
ps: New account because I lost my password and didn't set up a backup email. Stupid me.
Is this how you're hoping to monetise all your hard work? I don't begrudge that at all :-) It's just a little unclear?
If there's going to be a security console, I wouldn't want it hosted by anyone else. Especially if I'm the type of person to deploy all the other components I'll undoubtedly want to deploy the console myself.
[EDIT] There's also some on by default telemetry.. and the link for details is 404'ing: https://github.com/ory/oathkeeper#telemetry -> https://www.ory.sh/docs/guides/latest/9-telemetry I might not mind this, but I can't tell if the links don't go anywhere.
I don't want to sound negative, other than these queries the ORY ecosystem looks lovely and something I might implement.
How do you envision integration of existing external OAuth2 or OpenID Connect servers, such as Google, GitHub, etc., or an OAuth2-compliant directory of a B2B customer?
As part of that service, we will add connectivity adapters for generic OAuth2/OIDC providers as well as (probably) LDAP/AD and SAML integration.
We're still in the prototyping phase (building a good API here is really tricky because no open standards exist to our knowledge for this) and it will take some time. But hopefully, it will be something many people can build on!
And thank you so much for the positive feedback :)
There are two main patterns for B2B apps:
- One org per user, like G Suite. A user is a member of a single org, to be a member of another org requires another user account. This creates a challenge when it is a system where someone might be a member of multiple orgs, because it requires logging in as multiple users and having cookies that can handle that.
- One user in many orgs, like GitHub. A user "owns" their user account, and is invited to one or more orgs. This makes working in multiple orgs easier, but can create challenges for companies that want to enforce things within their org, like SSO or 2FA. It also creates issues with routing of notifications (you want work notifications going to work email), and identity of users within a company (an org admin may have trouble identifying users if they aren't tied to company emails).
An ecosystem like ORY obviously can't alleviate all the issues, but maybe it can help with some of them, like org membership and org friendly cookies.
I think in the end it boils down to what we can solve in a generic manner and what we can let developers solve for themselves. The distinction between the two use cases is definitely something we'll take a closer look at and include in our design decisions, so this won't be an afterthought but something built into the architecture!
Thank you for your constructive feedback!
One suggestion for the docs, especially since the tagline is that this is a cloud-native solution, would be examples of how to run it in common cloud setups. For instance I'm looking at the deployment page and it mentions that in the gateway configuration you'll want to run it behind a load balancer but in front of the API router. But if you're using an ELB, which as far as I'm aware is still part of basically the default way to run web apps on AWS, the load balancer and router are combined and there's no way to hook something like this in. So it would be cool to see some examples involving specific tools like ELBs, maybe a note on other ways to run it if using Kubernetes, etc.
We're a very small team, so it might take a while for us to tackle this (especially because we mostly use k8s with the oathkeeper proxy as a sidecar), but that doesn't make this any less of an issue!
Super excited to see more players move in this space btw!
Oathkeeper looks very interesting... Congrats and best of luck!
I've added this to our internal list and we will check it out and see if any synergies are possible with our products. Our vision is that these services work so well and easily with the rest of the ecosystem that you can get started with a new project in a day or two and have everything set up - from users, to permissions, to routing (e.g. via ambassador), to testing (there's still a ton of space for this), and so on.
I think the journey of software development beyond 2020 will be very exciting!
ps: Sorry for slow responses, HN has a very high post wait time once you hit the limit. And thank you for the positive vibes :)
The main differentiator is that Oathkeeper is capable of performing more sophisticated permission checks (think RBAC / AWS IAM Policies) and is specifically geared towards solving authentication and authorization in front of "your" service.
Most other implementations I saw (and I think this also goes a bit for envoy) is that they solve access control as one of the things in the feature set, while also focusing strongly on routing, load balancing, and other typical API gateway issues.
We're explicitly not trying to build another API gateway but instead something that you deploy alongside your existing API gateway (or maybe as a sidecar) with the sole purpose of answering: "is the request that's coming through really allowed to perform that action?".
Hope this clarifies it, if not I'm more than happy to go into more detail :)
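The pipeline described in the opening post and restated in the comment above (match a request against a rule, authenticate the credentials, check permissions RBAC-style, turn the session into a JWT for the upstream service, and otherwise deny) is sketched below as an added example. It is not Oathkeeper's own code and does not follow its rule schema: the `Rule` shape, the `ExampleRules` set, the `sessions` token store and the `signingKey` are all constructed for illustration, and the upstream is assumed to share the HS256 key only to keep the example self-contained.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
)

type (
	Session struct { // what the authenticator establishes; the JSON tags become the upstream JWT claims
		Subject string   `json:"sub"`
		Roles   []string `json:"roles"`
	}
	Rule struct { // simplified access rule (hypothetical shape, not Oathkeeper's own rule schema)
		Method       string
		PathPrefix   string
		AllowedRoles []string // empty: any authenticated subject may pass
	}
)

var (
	ExampleRules = []Rule{ // constructed rule set: anyone logged in may read, only admins may delete
		{Method: "GET", PathPrefix: "/api/articles"},
		{Method: "DELETE", PathPrefix: "/api/articles", AllowedRoles: []string{"admin"}},
	}
	sessions = map[string]Session{ // constructed opaque-token store standing in for a session backend
		"tok-alice": {Subject: "alice", Roles: []string{"reader"}},
		"tok-bob":   {Subject: "bob", Roles: []string{"reader", "admin"}},
	}
	signingKey = []byte("constructed-hs256-key-for-illustration") // assumed shared with the upstream

	ErrNoRule          = errors.New("no rule matches request")
	ErrUnauthenticated = errors.New("missing or unknown credentials")
	ErrForbidden       = errors.New("subject lacks a permitted role")
)

// authenticate resolves the bearer token to a session; a bare token without the scheme is rejected.
func authenticate(r *http.Request) (Session, error) {
	auth := r.Header.Get("Authorization")
	if s, ok := sessions[strings.TrimPrefix(auth, "Bearer ")]; ok && strings.HasPrefix(auth, "Bearer ") {
		return s, nil
	}
	return Session{}, ErrUnauthenticated
}

// authorize is the RBAC check: the subject needs at least one of the rule's roles.
func authorize(rule Rule, s Session) bool {
	allowed := len(rule.AllowedRoles) == 0
	for _, want := range rule.AllowedRoles {
		for _, have := range s.Roles {
			allowed = allowed || want == have
		}
	}
	return allowed
}

// sign returns the base64url-encoded HS256 signature over a JWT signing input.
func sign(input string) string {
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(input))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// mutate turns the session into a compact HS256 JWT for the upstream service.
func mutate(s Session) string {
	claims, _ := json.Marshal(s)
	enc := base64.RawURLEncoding
	input := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(claims)
	return input + "." + sign(input)
}

// Decide walks the rules in order (first match wins) and is deny-by-default: a JWT for the
// upstream comes back only when the request matched a rule, authenticated and was authorized.
func Decide(rules []Rule, r *http.Request) (string, error) {
	s, authErr := authenticate(r)
	for _, rule := range rules {
		if rule.Method != r.Method || !strings.HasPrefix(r.URL.Path, rule.PathPrefix) {
			continue
		}
		if authErr != nil {
			return "", authErr
		}
		if !authorize(rule, s) {
			return "", ErrForbidden
		}
		return mutate(s), nil
	}
	return "", ErrNoRule
}

// VerifyUpstreamJWT is the check the upstream service runs before trusting the injected claims.
func VerifyUpstreamJWT(token string) bool {
	parts := strings.Split(token, ".")
	return len(parts) == 3 && hmac.Equal([]byte(sign(parts[0]+"."+parts[1])), []byte(parts[2]))
}
```

Two points the sketch makes that a rule engine in front of "your" service has to get right: a request that matches no rule is denied rather than forwarded, and the three failure modes stay distinguishable (no rule, unauthenticated, forbidden) so the gateway can return 404/401/403 and the logs can tell a missing rule from a permission problem. The upstream must still verify the signature on what the proxy injected; otherwise any client that can reach the upstream directly can claim to be anyone. With a deployed proxy you would sign with a private key and hand the upstream only the public key rather than sharing an HMAC secret as this example does.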
Really great. Please comment on the intersection with Auth0. Clearly there is some overlap; it would be great to have a concise explanation.
> we do not want to reinvent the wheel
IMHO, were I you I would not shy away from that. Existing wheels are oval in shape. Of course where you have to interoperate, you are limited.
> ps: New account because I lost my password and didn't set up a backup email. Stupid me.
Well, you just lost me. You are developing IAM components and you can't get basic password management correct? Email has nothing to do with it; we are well past the point where password managers are de rigueur, certainly for anyone involved with security matters.
The password in my password manager is not correct. No idea how that happened, maybe it was overwritten by accident or I copied the wrong one during account creation. Since I had to reset my FF profile it was no longer stored in the FF password manager, so I had to recover it from KeePass, which well - didn't work out so well. Since I do use a password manager, it's impossible to recover it as I have no idea what the password is.
Has nothing to do with the fact he's developing auth software.
Besides, HN does not do oauth. If it did and he would still lose access then it's a different story ;-)
It's good to know there's an option to do this in the future for projects that don't have all that groundwork done already, if this is easy to set up - at least initially - without having to include all the parts of the ecosystem.
- Forums: https://community.ory.am/
- Chat: https://discord.gg/PAMQWkr
Thank you all for the awesome discussions!
We do not share nor endorse extremist views nor "values", nor have anything to do with extremist groups whatsoever. We have not heard about them (Oath Keepers) before.
We'll discuss a name change internally & with the community.
ps: It also shares the name of the sword from Game of Thrones and is a wordplay on OAuth :)
edit:// Forgot to thank you for raising awareness on this.
For what it's worth, I was unaware of the reference that was used as this project's namesake. That is ignorance on my part.
Furthermore I would like to apologize, as my comment seems to have inspired quite a bit of unproductive ideological bickering.
Any individuals that try to imply that the naming of a proxy server product within a larger software ecosystem indicates an endorsement of the position of an organization with a similar name are displaying pathological behavior and should generally be disregarded.
I doubt anyone will think this product endorses the hate group but it could prove to be an unnecessary distraction.
I hope for a future where ideas are toxic, not sequences of letters.
As one of your potential customers / users, I would not base any judgement of your company or product on a shared name with a small fringe organization that some people find unsavory, which uses a pretty common term or combination of terms.
Got any examples of this strategy succeeding?
There definitely needs to be a series of libraries named after keyblades.
Maybe I should pay attention to the discussion with the community when that occurs, but I'm interested in which "values" you take issue with. Care to share here?
Note well: I take no position on whether Oath Keepers is using "upholding the Constitution" as a cover for white supremacy.
And those people are incorrect. It's incorrect to believe that all modern Constitutional law and Supreme Court decisions are the result of judges and lawmakers simply making up whatever interpretation they like without any basis in, study of, or respect for the Constitution.
The alternative would be to pretend to know in all cases what an eighteenth-century philosopher would decide about an issue of law in the context of modern society.
> The alternative would be to pretend to know in all cases what an eighteenth century philosopher would decide about an issue of law in the context of modern society.
No, the alternative would be to know what they said the rules are.
(Now, I will admit that deciding how the rules they agreed on apply in a specific situation can be very complicated. But I trust "let's look at the rules and see how they apply" more than I trust "interpreting the Constitution in accordance with its original meaning or intent is sometimes unacceptable as a policy matter, and thus that an evolving interpretation is necessary". The former view makes the Constitution the final law; the latter makes policy the master over the Constitution.)
From the Wikipedia article on "Living Constitution". The quote was marked "citation needed". If you don't think it's an accurate statement of how some judges view the Constitution, make your case.
Problem is, parts of the text are maddeningly vague, and they didn't exactly agree in their politics, so a single, simple, objective and provably correct interpretation of those rules is not always possible.
>If you don't think it's an accurate statement of how some judges view the Constitution, make your case.
I do think that's an accurate statement. I disagree with 'people who see, for example, the "living Constitution" jurisprudence as not actually upholding the Constitution, but rather just saying what you want and calling it the law.'
One can disagree with the doctrine of a 'living Constitution' but there is more nuance and thought put behind the rationale than some conservatives want to admit. Both sides believe, in good faith, that what they're doing is upholding the Constitution.
>The former view makes the Constitution the final law; the latter makes policy the master over the Constitution.)
I prefer to see it as the former making the Founding Fathers the master over the Constitution, the latter making the people the master over it. The Constitution is a legal document, not the word of God, and nothing in the Constitution explicitly requires that it be interpreted according to strict originalist intent, so interpreting it either way is equally valid, and equally a matter of politics.
> Problem is, parts of the text are maddeningly vague, and they didn't exactly agree in their politics, so a single, simple, objective and provably correct interpretation of those rules is not always possible.
>>If you don't think it's an accurate statement of how some judges view the Constitution, make your case.
The original statement was "interpreting the Constitution in accordance with its original meaning or intent is sometimes unacceptable as a policy matter, and thus that an evolving interpretation is necessary". Deciding that "the original meaning is unacceptable" is exactly "deciding what you want and calling it the law". It's deciding, on the basis of what you think policy should be, what the Constitution should have said.
Let me put it this way: Trump may, before he's done, nominate three Supreme Court justices. Do you want those justices to decide based on what they think is "acceptable as a policy matter"? Or do you want them to be bound by what the text says?
> One can disagree with the doctrine of a 'living Constitution' but there is more nuance and thought put behind the rationale than some conservatives want to admit.
I will admit that - for at least some of those who hold that position. Others... their behavior seems to indicate that they want to rule over the Constitution, not to faithfully interpret it.
> so interpreting it either way is equally valid
Is it? We don't accept that reasoning with contracts, why should we with the Constitution?
(That is, if you have a contract, and you try to interpret the terms in ways that are outside the bounds of the words of the contract, a court isn't going to care how much you see the contract as a living document. They also aren't going to care how much you care about original intent. They're going to care about the words on the paper. I've seen it happen in court, with one side arguing creative meaning plus intent, and the other destroying them with the actual words.)
Nice discussion. I'll leave you the last word; I'm out for the next two days.
If I support decisions by previous courts, such as Roe v. Wade and Obergefell v. Hodges, then the intellectually honest position would be to concede that whomever Trump nominates has the right to do the same. I may not like it, but I do believe that is the Court's prerogative.
I don't think it's harmful to consider updated interpretations of the Constitution per se, although particular decisions can do harm even when they correctly reflect the attitudes of the time (as with Plessy v. Ferguson and segregation). But then, obviously wrong interpretations can also be reversed. I think that we're a stronger democracy for being able to ask these questions, and consider the Constitution as evolving philosophy as much as a legal document, than if we were prevented from doing so.
>Is it? We don't accept that reasoning with contracts, why should we with the Constitution?
Well... the Constitution isn't a contract. If it were, it would be far more precise and verbose in its language, and you wouldn't have entire bodies of scholarship around the meaning of a comma.
But here we are in 2018, in the age of the internet, global surveillance, 3D-printed guns, genome sequencing and a thousand other things the Founders would probably never have conceived of. If we remain bound only by the original intent of the original definition of the words of the Constitution when interpreting challenges and questions of Constitutional law, then I'm afraid the result is going to be the Constitution becoming less and less relevant to modern society.
Although I cannot imagine Americans being happy that racists opposed to the rule of law are cowering behind their constitution.
> organization founded on premise of upholding the Constitution
Also, look at this wild display of racism! /s
> The Oath Keepers are more extreme than nearly all other
> white people. Just a fact. Read up on them and I think
> you will agree.
For non-Americans, the idea of a group of people who do not instantly submit to individual figures in authority, but instead resist those in authority if they believe that those in authority are infringing on rights that are protected by the constitution, may seem really bizarre.
To condemn an organization because their raison d'être is such resistance would be normal in other countries, but it's a little frightening how a quick Google search shows that condemnation here in America (assuming the people who wrote those pages were American).
I know a lot of HN readers are not American, so just wanted to clarify that we do have a slightly less submissive culture over here.
The racist part is pretty amusing as 5 minutes watching interviews with black oath keepers would make obvious.
I will post a Mother Jones (not exactly a conservative-friendly site) article that, while not complimentary, at least highlights that Oath Keepers is composed of individuals of diverse backgrounds and beliefs, and that they do strive to weed out bad actors when they are identified, just like any other group would do. I found the reporting to be relatively unscathing, considering its source, and I learned from it myself.
To you, somebody calling her a name is not honorable. You don't care what she did to earn that name.
Men of authority pledging not to bow to unconstitutional orders against citizens. Actually seems noble.
I suspect they get the "radical" and "extremist" label from our culture where those who aren't on the "correct" political side are labeled a Nazi or Communist.
You did not read your own link, or you are putting all your eggs on the "McCain is a traitor" quote, which since McCain is a Republican, you should love, and the Hillary rant about house-to-house confiscation of guns, which she has never outright advocated publicly, but has strongly suggested in speeches. That quote may be a bit paranoid, which is why it was selected from thousands of quotes to be included on that web page.
EDIT: Sorry, but there is a pretty small universe of reasons for your dislike on the page linked. I listed them. That's not mind-reading, that's just deduction.
It's the same smear campaign that real extremist groups (the Marxist identity politics left) do to Jordan Peterson and Ben Shapiro.