Ory Kratos v1.0 with passkeys, MFA and multi-region (github.com/ory)
146 points by gvusfraber 7 months ago | 43 comments

There are so many frameworks/companies in this domain: Zanzibar, Okta, Istio, Auth0 … Is there a way to build a high-level understanding of how to build an authentication and authorization stack that can evolve to support all capabilities for an application: authentication, IAM, OAuth, SAML, MFA, RBAC etc.? Somewhere we can start small but keep adding capabilities and is high quality?

The problem is that everyone has their own implementation of it following loose, at best, standards. Some like Auth0 are fully hosted by them, but ORY’s is self-hosted, configurable software. Then you also have Amazon’s IAM which is its own proprietary software. Many of the things you listed perform different tasks at different levels of auth flows.

I would first start by fully understanding the difference between authentication and authorization. The way we describe these terms with the word “auth” does this distinction a disservice.

The OAuth 2.0 and OpenID standards are the best places to start. They are where standardization begins and (unfortunately) ends. OAuth is an authorization protocol, not an authentication protocol; however, people do mix authentication into the flows.

Basic intro to OAuth2: https://auth0.com/intro-to-iam/what-is-oauth-2

In depth explanation: https://www.digitalocean.com/community/tutorials/an-introduc...

> OAuth is an authorization protocol, not an authentication protocol; however, people do mix authentication into the flows.

This is what I don't get. Using OAuth2 for authentication is so complex, whereas Ory has a simple authentication system based on cookies: https://www.ory.sh/docs/security-model

With OAuth2 it seems to me to be the same, just with extra steps keeping track of tokens and expiration. Why use OAuth2 for authentication? It was never designed for that.

My understanding is that this is usually done by companies that need to implement delegated authorization which is the bread and butter of OAuth 2.0. By starting and implementing their authentication flows with OAuth2, you can support both delegated authorization and native authentication where your own apps are simply OAuth clients with some special casing. That isn’t absolutely necessary since you could build authentication separately from OAuth but then you would still need those OAuth2 flows for delegated authz eventually if you do.

If Ory would have a UI for self hosted instances… that would be insane! User Management etc without a user interface is weird, not sure why it’s missing in the self hosted version.

It sounds like you’re conflating IDPs with other technology.

Istio is a service mesh that can be used to bolt on a proxy that requires authz/authn, but Istio itself is not managing the users or groups. It communicates with whatever IDP was chosen.

I recommend first deciding on which protocol you wish to use for authn/authz.

Some choices are:

- OAuth

Most of the protocols have different configuration strategies depending on the application (i.e. mobile vs. CLI tool vs. webapp).

The protocols will enable you to create an RBAC system, but the actual implementation of RBAC is done application side not within the IDP.

One of the biggest factors in choosing a solution will be cost. SaaS IDPs become incredibly expensive at social media level of scale (10k+ users).

Personally I recommend starting out in a SaaS IDP and migrating your users to a self hosted service later if needed. As long as you leverage a well supported protocol the migration shouldn’t be _too_ difficult.

Frameworks and companies are so potentially unrelated I'm not sure how to respond to your question. I think it's like any other tech: you have to evaluate it and see if it works for you.

Just also curious, how difficult/complex would passkey/password/access recovery be with what appears to be so many layers of auth?

No more complicated than usual, as there's separation of concerns. You'd have your IdP, which provides authentication and account management. The IdP then integrates with an application or service using some authentication protocol (OIDC, SAML, LDAP, etc), so downstream only relies on the protocol.

It could get messy if you had some identity-aware proxy in front of your IdP.

Glad to see Ory Kratos getting some HN love :) If you have any questions please ask ahead!

Is there an easy way to deploy Ory? Even just to test?

At the moment I'm using Keycloak at work, authentik for side projects and authelia for personal ones where I don't need anything complicated. I couldn't find a deployment guide or a quick docker-compose. Also, if this link is still up to date, the self-hosted version is missing user and configuration management UIs: https://www.ory.sh/ory-network-or-self-hosting-explained-use...

Any reason to pick this over Keycloak? We're planning to deploy passkeys and WebAuthn, and it's also supported: https://keycloak.ch/keycloak-tutorials/tutorial-passkey/ https://keycloak.ch/keycloak-tutorials/tutorial-webauthn/

For experimenting on your own machine, you can run Ory Kratos + the default user-facing UI in Docker. You can find the Docker Quickstart here: https://www.ory.sh/docs/kratos/quickstart

Generally, all self-hosting docs are in the self-hosting section of the docs: https://www.ory.sh/docs/ecosystem/projects

Ory Kratos does not do everything that we offer in the managed service. In particular the admin UI is not available (but the APIs and business logic are!), and the things we built around multi-region and multi-tenancy are not available in the open source self-hosted version.

> Any reason to pick this over keycloak?

Keycloak is an awesome open-source project! I never used Keycloak myself in a large production system. Here is a bit of feedback we hear from users who approach us. Keycloak

- is great for small-to-medium user bases (e.g. for employee management which it was originally designed for) but has issues when scaling to millions of users / customer-facing

- has a larger footprint due to Java

- has no managed service

- is tied to IBM (can be both good and bad, as we see with the RHEL changes. Can happen to any project though)

Generally speaking, Ory is more componentized and domain driven. If you don't want OAuth2, you don't need it. If you only want OAuth2, you don't need to also use sign-in from Ory. And so on!

There are probably more differences, but I think others with operational Keycloak experience can answer this better than me.

Generally speaking, both projects have their place. If you're looking more for web-based customer identity management I would go in Ory's direction. If it's about enterprise employee management, Keycloak is an easier plug-and-play solution.

Thank you so much for the links. I'll give it a shot this weekend.

- You're probably right about Keycloak having a larger footprint.

- We have between 400 to 500k users and it hasn't been an issue.

- Can't comment on the IBM connection, I just don't know enough about it.

- We do use multiple auth methods and deploying that was really easy.

So it's definitely an easier plug-and-play solution, we've deployed it with k8s.

> Ory Kratos does not do everything that we offer in the managed service. In particular the admin UI is not available (but the APIs and business logic are!), and the things we built around multi-region and multi-tenancy are not available in the open source self-hosted version.

Does the managed service use the same repo as Kratos with additional services not available to open source or do you use a forked/modified version of Kratos?

It’s mostly what’s on master plus ~15% additional code for multi-region and multi-tenancy. Other components such as the Ory Console are not open source.

Thanks for the reply much appreciated!!!

Authentik and Authelia are the easiest for me.

Absolutely, Authentik when you need complicated workflows, but if you just need to put a login screen in front of a page and use OIDC or LDAP with 2FA, Authelia's got you covered.

Hi Aenea, I'm still trying to understand, sorry for the newbie question, could this be some sort of replacement of Keycloak? Can it be used to manage authn/authz with JWT between a react front-end and a Django backend?

Kratos + Hydra can be used to replace Keycloak’s authn. Authz is a little bit more involved. Keycloak comes with UMA2. In the Ory stack this would be Keto with some sprinkle of Oathkeeper.

Are there any books on the topic, or at least good tutorials? I know the underlying concepts (have even read most of the specs), and the documentation has gotten better since I last looked at it, but I'd love to have a more comprehensive resource.

I found this book useful: https://www.keycloak.org/2021/06/book.adoc. A little bit dated because Keycloak is moving so fast now. But concepts never get old.

More comprehensive in what topic exactly? I found the Ory docs to be pretty thorough on the OAuth2/OIDC topics, a bit light on the AuthZ topics.

How easy do you estimate it would be to add new storage backends to Kratos?

I would like to use it as a way to do user management, but I need to be able to save data about users to custom storage backends (built on top of boltdb, badger, etc.).

Can we use Ory as the basis for a multi-tenant system? Or would we need to have one instance per tenant? It hasn’t been easy to figure this out, open source or paid.

What was the reason behind not clearing outdated flows automatically?

Interesting to see Ory Corp's US presence[0] is just a PO Box at some UPS store in Doylestown PA. Is that pretty normal for foreign companies?

Normal for lots of companies even domestic.

Remote companies still have to be able to receive mail to their registered agent (legal requirement).

It's normal if you just need some place to send bills & cheques and register your business in the country. They might have an administrative assistant working from home go check the mail twice a week, or maybe forward it internationally.

Slightly off-topic, but related to what Ory is doing in general: how do you usually do authorization-aware search?

Imagine I have a bunch of Google docs and am using https://github.com/ory/keto for authorization. I can quickly answer the question "does user X have access to document Y", but it is not easy to do "search all documents with the word Hello in them, for which I have access", because access can be granted through nested groups (give read access to everyone in DepartmentA, and I am part of a child department).

Probably via a Zanzibar-based system, excerpt from the Zanzibar paper [1]:

> [...] useful common infrastructure can be built on top of a unified access control system, in particular, a search index that respects access control and works across applications.

[1] https://authzed.com/zanzibar/28Sa8hWHLG:e:1I

> Probably via a Zanzibar-based system ...

> ... a search index that respects access control

This is exactly the part I want to understand. How are you modifying your search index so that it respects the access control?

There are some ways I can think of, but I want to learn more from others on how they are doing it:

* each object stores metadata of which access groups can access this data; at search query time, I first fetch the groups the user belongs to and send them as part of the search query

* fetch all matching objects and hope that the list is not huge, and for each item assess at run time if the object can be accessed by this user; if not, remove it from the results

* ...

You either compute at query time, which might be costly, or you pre-compute it at write time, but then you need to keep at least 2 data sources in sync: objects (who can access can change on object level) and groups (a group can get more permissions or less).

One approach that can be used is to use the centralized service to answer a broader question like: given this user, what rules can I use to know if a document is accessible for them. And have the service give you a set of rules to apply. Then take the result and embed those restrictions in your query.

An example access service response would be: this user can access data from groups they are part of + documents for which a share exists towards this user + documents for which a share exists to any of the user's groups.

Such an approach using OPA is described in https://blog.openpolicyagent.org/write-policy-in-opa-enforce....

This is not exactly the same as the first option you described, because instead of storing access controls in the index data, you use the available metadata + the rules from the access control service.

When I had to do this in the past for access control and compliance reasons, it was easy to just layer them. If you have a) fast search and b) fast authorization, you can just do filter(lambda resource: can_read(resource, user), search(query)). There is some tuning involved with pagination and such, as you effectively have 2 paginations to maintain (one user-facing, one for your index, which will include pruned resources).
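Added example (my own, not code from any commenter and not Ory Keto's API) showing the two approaches discussed in this subthread over a toy Zanzibar-style tuple store with nested groups: expanding the user's transitive group memberships into a filter embedded in the search query, and post-filtering a paginated index with a point check while keeping a separate index cursor. The tuples and documents are constructed sample data.

```python
"""Toy Zanzibar-style tuple store for authorization-aware search.
Constructed example, not Ory Keto's API. A subject is a user id or a
userset like "group:dept_a#member" (how nested-group grants work)."""
from typing import List, Optional, Set, Tuple

# Constructed data: alice's child department inherits dept_a's grant on doc:1.
TUPLES = {
    ("group:dept_a", "member", "group:dept_a_child#member"),
    ("group:dept_a_child", "member", "user:alice"),
    ("doc:1", "viewer", "group:dept_a#member"),
    ("doc:2", "viewer", "user:bob"),
    ("doc:3", "viewer", "user:alice"),
}
DOCS = {"doc:1": "Hello team", "doc:2": "Hello world",
        "doc:3": "Hello again", "doc:4": "Hello nobody"}

def effective_subjects(user: str) -> Set[str]:
    """Expand a user into every userset it transitively belongs to: the
    'rules' an access service hands back for embedding into a query."""
    subjects, frontier = {user}, [user]
    while frontier:
        current = frontier.pop()
        for obj, rel, subj in TUPLES:
            userset = f"{obj}#{rel}"
            if subj == current and userset not in subjects:
                subjects.add(userset)
                frontier.append(userset)
    return subjects

def search_with_embedded_filter(user: str, word: str) -> List[str]:
    """Approach 1: one query, with the expanded subjects as an index filter."""
    allowed = effective_subjects(user)
    return sorted(doc for doc, text in DOCS.items() if word in text
                  and any((doc, "viewer", s) in TUPLES for s in allowed))

def can_read(user: str, doc: str) -> bool:
    """Point check: 'does user X have access to document Y'."""
    return any((doc, "viewer", s) in TUPLES for s in effective_subjects(user))

def search_then_filter(user: str, word: str, page_size: int,
                       cursor: int = 0) -> Tuple[List[str], Optional[int]]:
    """Approach 2: filter(can_read, search(query)), keeping two cursors:
    the user-facing page being filled and the index offset returned."""
    hits = sorted(doc for doc, text in DOCS.items() if word in text)
    page: List[str] = []
    while cursor < len(hits) and len(page) < page_size:
        if can_read(user, hits[cursor]):  # prune unauthorized index hits
            page.append(hits[cursor])
        cursor += 1
    return page, (cursor if cursor < len(hits) else None)
```

Note that the index cursor advances past pruned hits while the user-facing page may stay short, which is the "two paginations" problem the comment above mentions.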

Great looking project. Is this something that could replace https://workos.com ? - We have a number of customers that want to use their own authentication providers to access our applications. Would Ory provide such a bridge or are there any alternatives?

Yes, you can add any OIDC-compliant provider to Ory Kratos. With Ory Hydra you can serve your own OIDC flows, basically "Login with $yourcorp".

Great project, but I'm using Casdoor already: https://github.com/casdoor/casdoor , it seems to have a nice UI.

What's the difference between Keycloak, Casdoor and Ory?

It's quite cool, but quite hard.

That is IAM generally; imagine having to implement it yourself.

Auth* is hard :/

Nice, the Ory suite is really looking good!

On a related note, does anybody have experiences to share about one of their other projects - Ory Keto, and integrating it into their product?

I've been playing with Kratos for some time now and it's been really great. So glad to see they've finally reached the v1 milestone!

We recently implemented a Kratos frontend in Elixir and in general it was quite a pleasant developer experience, despite some small rough edges in the documentation.
