I would first start by fully understanding the difference between authentication and authorization. The way we describe these terms with the word “auth” does this distinction a disservice.
The OAuth 2.0 and OpenID standards are the best places to start. They are where standardization begins and (unfortunately) ends. OAuth is an Authorization protocol, not an Authentication protocol; however, people do mix authentication into the flows.
Basic intro to OAuth2: https://auth0.com/intro-to-iam/what-is-oauth-2
In depth explanation: https://www.digitalocean.com/community/tutorials/an-introduc...
This is what I don't get. Using OAuth2 for authentication is so complex, whereas Ory has a simple authentication system based on cookies: https://www.ory.sh/docs/security-model
With OAuth2 it seems to me to be the same just with extra steps keeping track of tokens and expiration.
Why use OAuth2 for authentication? It was never designed for that.
Istio is a service mesh that can be used to bolt on a proxy that requires authz/authn, but Istio itself is not managing the users or groups. It communicates with whatever IDP was chosen.
I recommend first deciding on which protocol you wish to use for authn/authz.
Some choices are:
Most of the protocols have different configuration strategies depending on the application (i.e. mobile vs CLI tool vs web app).
The protocols will enable you to create an RBAC system, but the actual implementation of RBAC is done application-side, not within the IDP.
One of the biggest factors in choosing a solution will be cost. SaaS IDPs become incredibly expensive at social-media levels of scale (10k+ users).
Personally I recommend starting out in a SaaS IDP and migrating your users to a self-hosted service later if needed. As long as you leverage a well-supported protocol the migration shouldn’t be _too_ difficult.
It could get messy if you had some identity-aware proxy in front of your IdP.
At the moment I'm using Keycloak at work, authentik for side projects and authelia for personal ones where I don't need anything complicated.
I couldn't find a deployment guide or a quick docker-compose. Also, if this link is still up to date, the self-hosted version is missing user and configuration management UIs: https://www.ory.sh/ory-network-or-self-hosting-explained-use...
Any reason to pick this over Keycloak? We're planning to deploy passkeys and WebAuthn, and it's also supported: https://keycloak.ch/keycloak-tutorials/tutorial-passkey/
Generally, all self-hosting docs are in the self-hosting section of the docs: https://www.ory.sh/docs/ecosystem/projects
Ory Kratos does not do everything that we offer in the managed service. In particular the admin UI is not available (but the APIs and business logic are!), and the things we built around multi-region and multi-tenancy are not available in the open source self-hosted version.
> Any reason to pick this over keycloak?
Keycloak is an awesome open-source project! I never used Keycloak myself in a large production system. Here is a bit of feedback we hear from users who approach us. Keycloak
- is great for small-to-medium user bases (e.g. for employee management which it was originally designed for) but has issues when scaling to millions of users / customer-facing
- has a larger footprint due to Java
- has no managed service
- is tied to IBM (can be both good and bad, as we see with the RHEL changes. Can happen to any project though)
Generally speaking, Ory is more componentized and domain-driven. If you don't want OAuth2, you don't need it. If you only want OAuth2, you don't need to also use sign-in from Ory. And so on!
There are probably more differences, but I think others with operational Keycloak experience can answer this better than me.
Generally speaking, both projects have their place. If you're looking more for web-based customer identity management I would go in Ory's direction. If it's about enterprise employee management, Keycloak is an easier plug-and-play solution.
- You're probably right about Keycloak having a larger footprint.
- We have between 400 to 500k users and it hasn't been an issue.
- Can't comment on the IBM connection, I just don't know enough about it.
- We do use multiple auth methods and deploying that was really easy.
So it's definitely an easier plug-and-play solution, we've deployed it with k8s.
Does the managed service use the same repo as Kratos with additional services not available to open source or do you use a forked/modified version of Kratos?
I would like to use it as a way to do user management, but I need to be able to save data about users to custom storage backends (built on top of boltdb, badger, etc)
Remote companies still have to be able to receive mail to their registered agent (legal requirement).
Imagine I have a bunch of Google docs and am using https://github.com/ory/keto for authorization. I can quickly answer the question "does user X have access to document Y", but it is not easy to do "search all documents with the word Hello in them to which I have access", because access can be granted through nested groups (give read access to everyone in DepartmentA, and I am part of a child department).
> [...] useful common infrastructure can be built on top of a unified access control system, in particular, a search index that respects access control and works across applications.
This is exactly the part I want to understand. How are you modifying your search index so that it respects access control?
There are some ways I can think of, but I want to learn more from others on how they are doing it:
* each object stores metadata about which access groups can access it; at search query time I first fetch the groups the user belongs to and send them as part of the search query
* fetch all matching objects, hope that the list is not huge, and for each item assess at run time whether the object can be accessed by this user; if not, remove it from the results
You either compute at query time, which might be costly, or you pre-compute at write time, but then you need to keep at least two data sources in sync: objects (who can access can change at the object level) and groups (a group can get more or fewer permissions).
An example access service response would be: this user can access data from groups they are part of + documents for which a share exists towards this user + documents for which a share exists to any of the users' groups.
Such an approach using OPA is described in https://blog.openpolicyagent.org/write-policy-in-opa-enforce....
This is not exactly the same as the first option you described, because instead of storing access controls in the index data, you use the available metadata + the rules from the access control service.
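To make the trade-off in the two posts above concrete, here is an added example (my own code, not from the thread, not Keto's or OPA's API) that runs the same constructed data through three strategies: query-time filtering with the user's expanded nested groups, post-filtering every text hit through the access check, and a write-time materialized allowed-user set per document. The group tree, memberships and documents are constructed sample data; the "access rule" is the one sketched above (owning group, a share to the user, or a share to one of the user's groups), and the "index" is a dict standing in for a real search backend.

```python
"""Search that respects access control, worked over constructed in-memory data.

Constructed sample data: a nested group tree and a few documents carrying
per-document access metadata. Three strategies from the thread:
  1. query-time filtering: expand the user's nested groups, push that principal
     set into the query as a filter (no access data stored in the index);
  2. post-filtering: fetch every text hit, then run the access check per hit;
  3. write-time materialization: denormalize the fully expanded allowed-user
     set per document, which is fast to query but goes stale on group changes.
"""

# Constructed group hierarchy: child -> parent groups. A member of a child
# group is also a member of every ancestor (frontend < engineering < departmentA).
GROUP_PARENTS = {
    "frontend": ["engineering"],
    "engineering": ["departmentA"],
    "departmentA": [],
    "sales": [],
}

# Constructed direct memberships: user -> groups explicitly joined.
DIRECT_MEMBERSHIP = {
    "alice": ["frontend"],
    "bob": ["sales"],
}

# Constructed document "index": id -> searchable text plus access metadata.
# "shares" may name users or groups, as in the access-service response above.
DOCUMENTS = {
    "d1": {"text": "Hello from the frontend team", "group": "frontend", "shares": []},
    "d2": {"text": "Hello quarterly sales numbers", "group": "sales", "shares": ["alice"]},
    "d3": {"text": "Hello department-wide announcement", "group": "departmentA", "shares": []},
    "d4": {"text": "Hello, secret sales playbook", "group": "sales", "shares": ["engineering"]},
    "d5": {"text": "Goodbye world", "group": "frontend", "shares": []},
}


def set_membership(user, groups):
    """Simulate an IdP-side membership change (used to show materialized ACLs going stale)."""
    DIRECT_MEMBERSHIP[user] = list(groups)


def effective_groups(user):
    """Expand nested membership: every direct group plus all of its ancestors."""
    seen = set()
    queue = list(DIRECT_MEMBERSHIP.get(user, []))
    while queue:
        g = queue.pop()
        if g in seen:
            continue
        seen.add(g)
        queue.extend(GROUP_PARENTS.get(g, []))
    return seen


def can_access(user, doc):
    """The access rule: owning group, a share to the user, or a share to one of the user's groups."""
    groups = effective_groups(user)
    return doc["group"] in groups or user in doc["shares"] or any(s in groups for s in doc["shares"])


def _text_hits(word):
    return [doc_id for doc_id, doc in DOCUMENTS.items() if word.lower() in doc["text"].lower()]


def search_prefiltered(user, word):
    """Strategy 1: compute the principal set once and apply it as a query filter."""
    principals = effective_groups(user) | {user}
    return sorted(
        d for d in _text_hits(word)
        if DOCUMENTS[d]["group"] in principals or any(s in principals for s in DOCUMENTS[d]["shares"])
    )


def search_postfiltered(user, word):
    """Strategy 2: fetch every text hit, then drop the ones the access check rejects."""
    return sorted(d for d in _text_hits(word) if can_access(user, DOCUMENTS[d]))


def materialize_allowed_users(users):
    """Strategy 3 (write time): store the fully expanded allowed-user set per document."""
    return {doc_id: frozenset(u for u in users if can_access(u, doc)) for doc_id, doc in DOCUMENTS.items()}


def search_materialized(user, word, acl):
    """Strategy 3 (query time): a plain membership test against the materialized set."""
    return sorted(d for d in _text_hits(word) if user in acl[d])


if __name__ == "__main__":
    acl = materialize_allowed_users(["alice", "bob"])
    for u in ("alice", "bob"):
        print(u, search_prefiltered(u, "hello"), search_postfiltered(u, "hello"), search_materialized(u, "hello", acl))
    set_membership("bob", ["frontend"])  # group change after the index was built
    print("bob after move:", search_prefiltered("bob", "hello"), "stale:", search_materialized("bob", "hello", acl))
```

Strategies 1 and 2 always agree because both re-derive the principal set from the current group tree at query time; strategy 3 is the "two data sources to keep in sync" case: after `set_membership` moves bob into `frontend`, the materialized set still answers with the old result until the index is rebuilt or the affected documents are re-indexed.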
What's the difference between Keycloak, Casdoor and Ory?
On a related note, does anybody have experiences to share about one of their other projects - Ory Keto, and integrating it into their product?