There are so many frameworks/companies in this domain: Zanzibar, Okta, Istio, Auth0 … Is there a way to build a high-level understanding of how to build an authentication and authorization stack that can evolve to support all capabilities for an application: authentication, IAM, OAuth, SAML, MFA, RBAC etc.? Somewhere we can start small but keep adding capabilities and is high quality?
The problem is that everyone has their own implementation of it following loose, at best, standards. Some like Auth0 are fully hosted by them, but ORY’s is self-hosted, configurable software. Then you also have Amazon’s IAM which is its own proprietary software. Many of the things you listed perform different tasks at different levels of auth flows.
I would first start by fully understanding the difference between authentication and authorization. The way we describe these terms with the word “auth” does this distinction a disservice.
The OAuth 2.0 and OpenID standards are the best places to start. They are where standardization begins and (unfortunately) ends. OAuth is an Authorization protocol, not an Authentication protocol; however, people do mix the authentication into the flows.
> OAuth is an Authorization protocol, not an Authentication protocol; however, people do mix the authentication into the flows.
This is what I don't get. Using OAuth2 for authentication is so complex, whereas Ory has a simple authentication system based on cookies: https://www.ory.sh/docs/security-model
With OAuth2 it seems to me to be the same just with extra steps keeping track of tokens and expiration.
Why use OAuth2 for authentication, it was never designed for that.
My understanding is that this is usually done by companies that need to implement delegated authorization which is the bread and butter of OAuth 2.0. By starting and implementing their authentication flows with OAuth2, you can support both delegated authorization and native authentication where your own apps are simply OAuth clients with some special casing. That isn’t absolutely necessary since you could build authentication separately from OAuth but then you would still need those OAuth2 flows for delegated authz eventually if you do.
If Ory would have a UI for self hosted instances… that would be insane! User Management etc without a user interface is weird, not sure why it’s missing in the self hosted version.
It sounds like you’re conflating IDPs with other technology.
Istio is a service mesh that can be used to bolt on a proxy that requires authz/authn, but Istio itself is not managing the users or groups. It communicates with whatever IDP was chosen.
I recommend first deciding on which protocol you wish to use for authn/authz.
Some choices are:
- OIDC
- SAML
- OAuth
Most of the protocols have different configuration strategies depending on the application (i.e. mobile vs CLI tool vs webapp).
The protocols will enable you to create an RBAC system, but the actual implementation of RBAC is done application side not within the IDP.
One of the biggest factors in choosing a solution will be cost. SaaS IDPs become incredibly expensive at social media level of scale (10k+ users).
Personally I recommend starting out in a SaaS IDP and migrating your users to a self hosted service later if needed. As long as you leverage a well supported protocol the migration shouldn’t be _too_ difficult.
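The two halves of the comment above (rely on the protocol so the IdP stays swappable; keep RBAC in the application, not the IdP) as an added example. This is not code from any poster, nor from Ory, Keycloak or any SaaS IdP. It assumes the ID token's signature has already been verified against the IdP's published keys; what it shows are the claim checks the relying party must still perform itself, and an application-side role model fed only by the `groups` claim. The issuer, client id, group names, roles and permissions are all constructed for illustration.

```python
"""OIDC ID-token claim validation plus application-side RBAC.

Added example. Signature verification is assumed to have happened already;
only the relying-party claim checks and the app-owned role model are shown.
"""
import time

# Constructed: fixed when the app was registered with the IdP.
EXPECTED_ISSUER = "https://idp.example"
CLIENT_ID = "my-webapp"

# Application-side RBAC. The IdP only asserts group membership; the app decides
# what a group may do. Roles may inherit from other roles.
GROUP_TO_ROLES = {"eng": ["editor"], "ops": ["admin"], "everyone": ["viewer"]}
ROLE_INHERITS = {"editor": ["viewer"], "admin": ["editor"]}
ROLE_PERMISSIONS = {
    "viewer": {"doc:read"},
    "editor": {"doc:write"},
    "admin": {"user:manage"},
}


class TokenError(Exception):
    """Raised when a claim check fails; the caller should reject the login."""


def validate_claims(claims, expected_nonce, now=None, skew=60):
    """Relying-party checks on a signature-verified ID token (OIDC Core 3.1.3.7).
    Returns the subject on success, raises TokenError otherwise."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in audiences:
        raise TokenError("token not intended for this client")
    # With several audiences the token must name us as the authorized party.
    if len(audiences) > 1 and "azp" not in claims:
        raise TokenError("multiple audiences but no azp claim")
    if "azp" in claims and claims["azp"] != CLIENT_ID:
        raise TokenError("azp mismatch")
    if "exp" not in claims or now >= claims["exp"] + skew:
        raise TokenError("token expired")
    if claims.get("nbf", 0) > now + skew:
        raise TokenError("token not yet valid")
    # This app always sends a nonce, so a missing or different one is a replay.
    if expected_nonce is None or claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch")
    if not claims.get("sub"):
        raise TokenError("missing subject")
    return claims["sub"]


def effective_roles(groups):
    """Expand group claims into roles, following role inheritance transitively."""
    roles, stack = set(), [r for g in groups for r in GROUP_TO_ROLES.get(g, [])]
    while stack:
        role = stack.pop()
        if role in roles:
            continue
        roles.add(role)
        stack.extend(ROLE_INHERITS.get(role, []))
    return roles


def permissions_for(claims):
    """Permissions granted by the app's role model to the token's groups."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set())
                         for r in effective_roles(claims.get("groups", []))))


def authorize(claims, expected_nonce, permission, now=None):
    """Authenticate (claim checks) and then authorize (app-side RBAC)."""
    validate_claims(claims, expected_nonce, now=now)
    return permission in permissions_for(claims)


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    token = {"iss": EXPECTED_ISSUER, "sub": "u1", "aud": [CLIENT_ID, "other"],
             "azp": CLIENT_ID, "exp": now + 300, "iat": now - 10,
             "nonce": "n1", "groups": ["eng"]}
    print(permissions_for(token), authorize(token, "n1", "user:manage", now=now))
```

Swapping the IdP means changing `EXPECTED_ISSUER`, the client registration and the group names the IdP emits; the role model and the checks stay the same, which is the migration path the comment describes.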
Frameworks and companies are so potentially unrelated I'm not sure how to respond to your question. I think it's like any other tech: you have to evaluate it and see if it works for you.
No more complicated than usual, as there's separation of concerns. You'd have your IdP, which provides authentication and account management. The IdP then integrates with an application or service using some authentication protocol (OIDC, SAML, LDAP, etc), so downstream only relies on the protocol.
It could get messy if you had some identity-aware proxy in front of your IdP.
Is there an easy way to deploy Ory? Even just to test?
At the moment I'm using Keycloak at work, authentik for side projects and authelia for personal ones where I don't need anything complicated.
I couldn't find a deployment guide or a quick docker-compose. Also, if this link is still up to date, the self-hosted version is missing user and configuration management UIs https://www.ory.sh/ory-network-or-self-hosting-explained-use...
For experimenting on your own machine, you can run Ory Kratos + the default user-facing UI in Docker. You can find the Docker Quickstart here: https://www.ory.sh/docs/kratos/quickstart
Ory Kratos does not do everything that we offer in the managed service. In particular the admin UI is not available (but the APIs and business logic are!), and the things we built around multi-region and multi-tenancy are not available in the open source self-hosted version.
> Any reason to pick this over keycloak?
Keycloak is an awesome open-source project! I never used Keycloak myself in a large production system. Here is a bit of feedback we hear from users who approach us. Keycloak
- is great for small-to-medium user bases (e.g. for employee management which it was originally designed for) but has issues when scaling to millions of users / customer-facing
- has a larger footprint due to Java
- has no managed service
- is tied to IBM (can be both good and bad, as we see with the RHEL changes. Can happen to any project though)
Generally speaking, Ory is more componentized and domain driven. If you don't want OAuth2, you don't need it. If you only want OAuth2, you don't need to also use sign-in from Ory. And so on!
There's probably more differences but I think others with operational Keycloak experience can answer this better than me.
Generally speaking, both projects have their place. If you're looking more for web-based customer identity management I would go in Ory's direction. If it's about enterprise employee management, Keycloak is an easier plug-and-play solution.
> Ory Kratos does not do everything that we offer in the managed service. In particular the admin UI is not available (but the APIs and business logic are!), and the things we built around multi-region and multi-tenancy are not available in the open source self-hosted version.
Does the managed service use the same repo as Kratos with additional services not available to open source or do you use a forked/modified version of Kratos?
It’s mostly what’s on master plus ~15% additional code for multi-region and multi-tenancy. Other components such as the Ory Console are not open source
Absolutely, Authentik when you need complicated workflows but if you just need to put a login screen in front of page and use OIDC or LDAP with 2FA Authelia's got you covered.
Hi Aenea,
I'm still trying to understand, sorry for the newbie question, could this be some sort of replacement of Keycloak?
Can it be used to manage authn/authz with JWT between a react front-end and a Django backend?
Kratos + Hydra can be used to replace Keycloak’s authn. Authz is a little bit more involved. Keycloak comes with UMA2. In the Ory stack this would be Keto with some sprinkle of Oathkeeper.
Are there are books on the topic, or at least good tutorials? I know the underlying concepts (have even read most of the specs), and the documentation has gotten better since I last looked at it, but I'd love to have a more comprehensive resource.
How easy do you estimate to be adding new storage backends to Kratos?
I would like to use it as a way to do user management, but I need to be able to save data about users to custom storage backends (built on top of boltdb, badger, etc)
Can we use Ory as the basis for a multi-tenant system? Or would we need to have one instance per tenant?
It hasn’t been clear to figure this out, open source or paid.
It's normal if you just need some place to send bills & cheques and register your business in the country. They might have an administrative assistant working from home go check the mail twice a week, or maybe forward it internationally
slightly off-topic, but related to what ory is doing in general. How do you usually do authorization-aware search?
Imagine, I have a bunch of Google docs and using https://github.com/ory/keto for authorization. I can quickly answer the question "does user X have access to document Y", but it is not easy to do "search all documents with word Hello in it, for which I have access" because access can be granted through nested groups (give read access to everyone in DepartmentA, and I am part of child department)
Probably via a Zanzibar-based system, excerpt from the Zanzibar paper [1]:
> [...] useful common infrastructure can be built on top of a unified access control system, in particular, a search index that respects access control and works across applications.
> Probably via a Zanzibar-based system ...
> ... a search index that respects access control
This is exactly the part I want to understand. How are you modifying your search index so that it respects the access control?
There are some ways I can think of, but want to learn more from others on how they are doing it:
* each object stores metadata of which access groups can access this data, at the search query time, first I fetch groups user belongs to and send it as part of search query
* fetch all matching objects and hope that list is not huge and for each item assess at run time if object can be accessed by this user, if not, remove from results
* ...
You either compute at query time, which might be costly, or you pre-compute it at write time, but then you need to keep at least two data sources in sync: objects (who can access can change at the object level) and groups (a group can get more or fewer permissions).
One approach that can be used is to use the centralized service to answer a broader question like: given this user, what rules can I use to know if a document is accessible for them. And have the service give you a set of rules to apply. Then take the result and embed those restrictions in your query.
An example access service response would be: this user can access data from groups they are part of + documents for which a share exists towards this user + documents for which a share exists to any of the users' groups.
This is not exactly the same as the first option you described, because instead of storing access controls in the index data, you use the available metadata + the rules from the access control service.
When I had to do this in the past for access control and compliance reasons, it was easy to just layer them. If you have a) fast search b) fast authorization, you can just do filter(lambda resource: can_read(resource, user), search(query)). There is some tuning involved with pagination and such, as you effectively have two paginations to maintain (one user-facing, one for your index, which will include pruned resources).
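The nested-group search question from the Google-docs-style example above, and the two strategies the replies weigh (ACL metadata in the index queried against the user's group closure, versus search first and filter each hit with a check, with the double pagination the last comment mentions), as one added example. This is not Keto's code nor any poster's; it is a toy Zanzibar-style relation store in a few dozen lines. The relation tuples, documents, index layout and function names are constructed for illustration.

```python
"""Authorization-aware search over a Zanzibar-style relation store.

Added example, not code from Ory/Keto or from the thread. Relation tuples,
documents and index are constructed inline for illustration.
"""

# Constructed tuples: (object, relation, subject). A subject is a user
# ("user:alice") or a userset ("group:eng#member"); nesting a userset inside a
# group's membership is how nested groups are expressed in Zanzibar.
RELATIONS = [
    ("group:eng", "member", "user:alice"),
    ("group:eng", "member", "user:bob"),
    ("group:deptA", "member", "group:eng#member"),  # eng is a child of deptA
    ("group:deptA", "member", "user:carol"),
    ("doc:1", "viewer", "group:deptA#member"),
    ("doc:2", "viewer", "user:alice"),
    ("doc:3", "viewer", "user:bob"),
    ("doc:4", "viewer", "group:eng#member"),
]

# Constructed documents; every one matches the "Hello" query so that the
# difference between results is purely authorization.
DOCS = {
    "doc:1": "Hello from department A",
    "doc:2": "Hello world, shared with alice only",
    "doc:3": "Hello bob, this one is private",
    "doc:4": "Engineering notes: say hello",
    "doc:5": "Hello, but nobody was granted access",
}


def check(obj, relation, user, _seen=None):
    """Zanzibar-style check: walk the object's tuples, recursing into usersets."""
    _seen = _seen if _seen is not None else set()
    if (obj, relation) in _seen:
        return False  # cycle guard for self-referential groups
    _seen.add((obj, relation))
    for o, r, s in RELATIONS:
        if o != obj or r != relation:
            continue
        if s == user:
            return True
        if "#" in s:
            sub_obj, sub_rel = s.split("#", 1)
            if check(sub_obj, sub_rel, user, _seen):
                return True
    return False


def subject_closure(user):
    """Reverse expansion: the user plus every userset reachable via nesting."""
    closure, frontier = {user}, [user]
    while frontier:
        subj = frontier.pop()
        for o, r, s in RELATIONS:
            userset = f"{o}#{r}"
            if s == subj and userset not in closure:
                closure.add(userset)
                frontier.append(userset)
    return closure


def build_index():
    """Write-time index: text plus the subjects *directly* granted viewer.
    Nesting is resolved at query time via subject_closure, so a group
    membership change does not force a reindex; a share change does."""
    return {d: {"text": t.lower(),
                "acl": {s for o, r, s in RELATIONS if o == d and r == "viewer"}}
            for d, t in DOCS.items()}


INDEX = build_index()


def search_prefilter(user, term):
    """Push authorization into the query: one closure lookup, then a set
    intersection per candidate instead of a check() call per hit."""
    allowed = subject_closure(user)
    return [d for d in sorted(INDEX)
            if term.lower() in INDEX[d]["text"] and INDEX[d]["acl"] & allowed]


def search_postfilter(user, term, page_size=10, cursor=None):
    """Layered approach: search, then check() every hit. Returns
    (results, next_cursor); the cursor is an index position, not a result
    position, because pruned hits still consume index entries."""
    results, last, ordered = [], cursor, sorted(INDEX)
    for doc_id in ordered:
        if cursor is not None and doc_id <= cursor:
            continue
        last = doc_id
        if term.lower() in INDEX[doc_id]["text"] and check(doc_id, "viewer", user):
            results.append(doc_id)
            if len(results) == page_size:
                break
    more = last is not None and any(d > last for d in ordered)
    return results, (last if more else None)


if __name__ == "__main__":
    for u in ("user:alice", "user:bob", "user:carol"):
        print(u, search_prefilter(u, "Hello"))
    print(search_postfilter("user:alice", "Hello", page_size=2))
```

Both searches return the same documents; they differ in where the cost lands. The pre-filter pays one closure expansion per query and keeps ACL data in the index, so direct shares must be reindexed when they change. The post-filter keeps the index authorization-free but calls `check()` per hit and has to page over the index rather than over results, which is the "two paginations" point.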
Great looking project. Is this something that could replace https://workos.com ? - We have a number of customers that want to use their own authentication providers to access our applications. Would Ory provide such a bridge or are there any alternatives?
We recently implemented a Kratos frontend in Elixir and in general it was quite a pleasant developer experience, despite some small rough edges in the documentation.