There isn't even anything remotely similar in any other language, not even thinking about Rust.
There's Ory if you want to use Go instead, but it doesn't have an admin interface.
Unless you are highly knowledgeable about setting up authentication portals… there's a decent chance Keycloak will cause your brain to bleed.
I also use Authelia, and I highly recommend it. But according to your description, you are probably looking for something with OIDC or oauth integration, which Authelia doesn’t have (although I believe it’s planned iirc).
I haven’t set it up yet, so I can’t comment on it… but this was the one that stood out to me when I was looking around for that myself https://www.ory.sh/ (Authelia fits my use case just fine, so it hasn’t been a priority).
Other Open Source (partial) solutions are:
- Ory Hydra (OAuth2 and OpenID Connect server) and Oathkeeper (access proxy). Hydra does not handle identity management and you need a service to handle that part.
- Dex. Again an OAuth2 and OpenID Connect server that does not handle identity but delegates to known services (Google, GitHub, GitLab, SAML, etc.).
For simpler integration, Traefik and Nginx can use an "authentication" service that handles authorization of an HTTP request before forwarding it upstream.
Indeed, requiring credentials on every request would hurt. What you do is to put an identity-aware proxy in front of everything.
Here's a list of open source products that aim at doing that:
- Pomerium
- Ory
- Keycloak*
*Keycloak is not really a proxy but more of an authentication/authorization tool but your application needs to know how to implement OpenID
Looks nice!
Except that it provides a frontend, how does it compare to Kratos? https://www.ory.sh/kratos/ (also written in Go)
Did you consider only implementing the UI and using an already existing backend?
If it's for a startup then I STRONGLY recommend you not build this yourself. Look at the Certified OpenID Connect Implementations and pick one that suits your needs best.
You should also ask yourself the question - do you need to handle AuthN yourself? What kind of login flows would you like to provide for your consumers? Are you happy with just providing an array of OIDC links (google/apple/github/twitter etc) then maybe you only need a thin service layer that handles your OIDC connections. However, you did state that you need B2B so I'm guessing you've had a gander at the Client Credentials grant type and decided you want that.
I have had a look at Ory Hydra (they are certified) and I believe their solution is really quite neat. They only supply the API for AuthZ so you will have to build the AuthN server and login client yourself, but those are child's play in comparison to OAuth2.0/OIDC :)
You're welcome to keep asking questions if you like. I'll answer whatever I have confidence in :)
Hey _slimbrady.
I am working for Ory, mainly taking care of our open source community.
Our managed cloud offering is currently still in early access mode and we were a bit overwhelmed by the massive influx of requests.
But I will see to it that we reach out to everyone who requested early access by the end of next week.
In the meantime, check out Ory Kratos, which is the same library that we run in the Ory Cloud:
https://www.ory.sh/kratos/docs/quickstart
We started ory/keto with the OPA implementation, then added AWS IAM conventions.
Last year we started with Zanzibar since we were looking for a solution that would scale horizontally and could provide global low latency for wide scale geographic deployment.
At the moment, Ory Keto implements the basic API contracts for managing and checking relations ("permissions") with HTTP and gRPC APIs.
There are more features planned too: https://www.ory.sh/keto/docs/implemented-planned-features .
I've been trying to build multi-tenant OAuth2 auth into my product. After a round with Keycloak and oauth2-proxy and finally understanding OAuth well enough, it looks like the ORY ecosystem fits my requirements much better. Giving Oathkeeper a whirl with Keycloak in K8S today. Looks like I can control the OAuth proxies en masse with a CRD too. Very excited to dive into this. ORY Oathkeeper
I think you need to call /sessions/whoami
or call new PublicApi(new Configuration({basePath})).whoami()
if you use the sdk. This will return a JSON-Object containing information about the user.
{
  "active": true,
  "authenticated_at": "2019-08-24T14:15:22Z",
  "expires_at": "2019-08-24T14:15:22Z",
  "id": "string",
  "identity": {
    "id": "string",
    "recovery_addresses": [
      {
        "id": "string",
        "value": "string",
        "via": "string"
      }
    ],
    "schema_id": "string",
    "schema_url": "string",
    "traits": {},
    "verifiable_addresses": [
      {
        "id": "string",
        "status": "string",
        "value": "string",
        "verified": true,
        "verified_at": "2019-08-24T14:15:22Z",
        "via": "string"
      }
    ]
  },
  "issued_at": "2019-08-24T14:15:22Z"
}
See: https://www.ory.sh/kratos/docs/reference/api#schemasession
If you have defined a schema with e.g. first_name and last_name, this information should be accessible under the `traits` key.
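The whoami lookup described in this comment, wired into the ingress-side "authentication service" pattern mentioned earlier for Traefik and Nginx, as an added Go example. This is not code from Ory or from the poster. It assumes the Kratos public API is reachable at kratosURL, the default session cookie name ory_kratos_session, an identity schema with a first_name trait, and the header names X-User-Id / X-User-First-Name for passing identity to the upstream; the Kratos server here is a constructed fake so the example runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// Session holds the parts of Kratos' /sessions/whoami reply this example uses.
// Any other fields in the payload are ignored by encoding/json.
type Session struct {
	Active    bool      `json:"active"`
	ExpiresAt time.Time `json:"expires_at"`
	Identity  struct {
		ID       string                 `json:"id"`
		SchemaID string                 `json:"schema_id"`
		Traits   map[string]interface{} `json:"traits"`
	} `json:"identity"`
}

// ParseSession decodes a whoami payload into a Session.
func ParseSession(body []byte) (*Session, error) {
	var s Session
	if err := json.Unmarshal(body, &s); err != nil {
		return nil, fmt.Errorf("decode session: %w", err)
	}
	return &s, nil
}

// Valid reports whether the session is active and not yet expired at now.
// Checking expires_at locally guards against a stale reply being replayed.
func (s *Session) Valid(now time.Time) bool {
	return s.Active && now.Before(s.ExpiresAt)
}

// Trait returns a string-valued trait (e.g. "first_name") from identity.traits.
func (s *Session) Trait(name string) (string, bool) {
	v, ok := s.Identity.Traits[name].(string)
	return v, ok
}

// ForwardAuthHandler returns the handler an ingress (nginx auth_request,
// Traefik forwardAuth) calls before proxying a request. It replays the
// browser's Cookie header to kratosURL/sessions/whoami; on a valid session
// it answers 200 and exposes the identity in headers, otherwise 401.
func ForwardAuthHandler(kratosURL string, client *http.Client, now func() time.Time) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		req, err := http.NewRequestWithContext(r.Context(), http.MethodGet, kratosURL+"/sessions/whoami", nil)
		if err != nil {
			http.Error(w, "bad upstream request", http.StatusInternalServerError)
			return
		}
		req.Header.Set("Cookie", r.Header.Get("Cookie"))
		req.Header.Set("Accept", "application/json")
		resp, err := client.Do(req)
		if err != nil {
			http.Error(w, "identity provider unreachable", http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
		if resp.StatusCode != http.StatusOK {
			// Kratos answers 401 for a missing or unknown session cookie.
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		s, err := ParseSession(body)
		if err != nil || !s.Valid(now()) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		w.Header().Set("X-User-Id", s.Identity.ID)
		if fn, ok := s.Trait("first_name"); ok {
			w.Header().Set("X-User-First-Name", fn)
		}
		w.WriteHeader(http.StatusOK)
	})
}

// fakeKratos is a constructed stand-in for Kratos' public API so the example
// runs offline. It only knows the session cookie value "valid".
func fakeKratos() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("ory_kratos_session")
		if r.URL.Path != "/sessions/whoami" || err != nil || c.Value != "valid" {
			http.Error(w, `{"error":{"code":401}}`, http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"active":true,"expires_at":"2030-01-01T00:00:00Z",
		  "identity":{"id":"a1b2c3d4-0000-4000-8000-000000000001","schema_id":"default",
		  "traits":{"email":"alice@example.com","first_name":"Alice","last_name":"Example"}}}`)
	}))
}

// checkRequest drives the handler once and returns the status and user id it produced.
func checkRequest(h http.Handler, cookie string) (int, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/auth", nil)
	if cookie != "" {
		req.Header.Set("Cookie", cookie)
	}
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("X-User-Id")
}

func main() {
	k := fakeKratos()
	defer k.Close()
	h := ForwardAuthHandler(k.URL, k.Client(), time.Now)
	fmt.Println(checkRequest(h, "ory_kratos_session=valid"))   // 200 a1b2c3d4-0000-4000-8000-000000000001
	fmt.Println(checkRequest(h, "ory_kratos_session=garbage")) // 401
	fmt.Println(checkRequest(h, ""))                            // 401
}
```

The upstream application never sees the cookie's meaning; it only trusts the identity headers, which is why the ingress must be configured so that those headers cannot arrive from the client directly.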
Check out the Ory Kratos Quickstart, will get you started with the basics in minutes.
There is also some extensive documentation on the concepts!
Ory Kratos can be very easy to set up if you are just looking for simple authentication and maybe a cookie based login.
Check out the Quickstart, will get you started with a docker image in a couple of minutes.
Keycloak is very easy to set up as well, so would also be a possibility.
You have to learn a bit about OAuth and the flows with Ory, but I think it's always good to know what is happening under the hood.
In any case I would discourage rolling your own auth and rely on a security-tested solution here!
Great example. It definitely helps someone getting started with their own OAuth2 auth server integration with spring security.
As a side note, it might be worth mentioning that clustering keycloak (running more than one instance) is not a straightforward setup.
It does place some operational burden on whoever manages infrastructure. Another option would be https://www.ory.sh/hydra/, since it scales horizontally without any complicated setup.
A con of Hydra is that it doesn't really do user auth/management like Keycloak. It delegates that role to a companion application. This might be what you want, depending on your use case.
There are other solutions like https://www.gluu.org/ but again, the setup/scaling feels very complicated.
I've been using and liking the ORY ecosystem a lot: https://www.ory.sh/oathkeeper/
It's a new paradigm where you don't configure your program to be aware of auth at all. It makes things pretty simple.
Oathkeeper is a proxy which handles auth, and Kratos is what handles identity management.
Alright, many ways to skin this cat, but before you bring a db query to the mix, see if you can get by with creating a lambda and hooking it to the pre-token generation hook https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html
This way you can add what you want to the jwt.
Besides this, you might have to think hard and deep about what sort of authorization structure you really need. On one side you are correct, it is a common problem. On the other, it is one that very few invest enough time into thinking about, and it constantly backfires after a while.
Let me try to break it down a bit:
First, you have users, roles and groups? Or you need more granular access control (e.g. block specific fields in the payload, or block a user from lending money to his cousin)? The first is called "RBAC", as in role-based access control. The second is "ABAC", as in attribute-based. In both cases, use this exercise to flesh out your use cases. And document it.
Then you have 3 options:
My personal recommendation is to read about how casbin etc. do it, try to understand if you are ready to invest now, and depending on what you can, try to do it right early on. You are on the good path asking good questions. GL.
Last, you are probably better off asking on r/aws for this stuff.
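The pre-token generation hook suggested above, as an added Go sketch of what such a Lambda does. This is not code from AWS or from the poster. The event struct is trimmed to the fields the handler touches, `custom:tenant_id` is an assumed custom attribute on the user pool, and the sample event is constructed; in a real deployment you would hand Handle to lambda.Start from the aws-lambda-go module (not imported here so the example runs offline).

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// PreTokenEvent mirrors the parts of the Cognito Pre Token Generation trigger
// event (version 1 payload) that this example reads or writes. Field names
// follow the event JSON. Fields not declared here are dropped on re-encode,
// so a deployed function should use the full typed event struct instead.
type PreTokenEvent struct {
	TriggerSource string `json:"triggerSource"`
	Request       struct {
		UserAttributes     map[string]string `json:"userAttributes"`
		GroupConfiguration struct {
			GroupsToOverride []string `json:"groupsToOverride"`
		} `json:"groupConfiguration"`
	} `json:"request"`
	Response struct {
		ClaimsOverrideDetails *ClaimsOverrideDetails `json:"claimsOverrideDetails"`
	} `json:"response"`
}

// ClaimsOverrideDetails is the part of the response Cognito reads back.
type ClaimsOverrideDetails struct {
	ClaimsToAddOrOverride map[string]string `json:"claimsToAddOrOverride,omitempty"`
	ClaimsToSuppress      []string          `json:"claimsToSuppress,omitempty"`
}

// tenantAttribute is an assumed custom attribute; it is not a Cognito default.
const tenantAttribute = "custom:tenant_id"

// sampleEvent is a constructed trigger event, not captured from a real pool.
const sampleEvent = `{
  "version": "1",
  "triggerSource": "TokenGeneration_Authentication",
  "request": {
    "userAttributes": {
      "sub": "8f4a2b1c-0000-4000-8000-000000000002",
      "email": "alice@example.com",
      "custom:tenant_id": "acme"
    },
    "groupConfiguration": {
      "groupsToOverride": ["admins", "editors"],
      "iamRolesToOverride": [],
      "preferredRole": null
    }
  },
  "response": {}
}`

// Handle is the trigger body. It adds a "tenant" claim copied from one
// allow-listed attribute and a space-separated "roles" claim derived from the
// user's groups. Nothing else in userAttributes is copied, so attributes that
// happen to live on the user (email, phone) do not leak into every token.
// A user with neither tenant nor groups gets no override at all.
func Handle(ev PreTokenEvent) (PreTokenEvent, error) {
	claims := map[string]string{}
	if tenant, ok := ev.Request.UserAttributes[tenantAttribute]; ok && tenant != "" {
		claims["tenant"] = tenant
	}
	if groups := ev.Request.GroupConfiguration.GroupsToOverride; len(groups) > 0 {
		claims["roles"] = strings.Join(groups, " ")
	}
	if len(claims) > 0 {
		ev.Response.ClaimsOverrideDetails = &ClaimsOverrideDetails{ClaimsToAddOrOverride: claims}
	}
	return ev, nil
}

func main() {
	var ev PreTokenEvent
	if err := json.Unmarshal([]byte(sampleEvent), &ev); err != nil {
		panic(err)
	}
	out, err := Handle(ev)
	if err != nil {
		panic(err)
	}
	b, _ := json.MarshalIndent(out.Response, "", "  ")
	fmt.Println(string(b))
}
```

Anything you add here is signed into the ID and access tokens for their whole lifetime, so a tenant or role change only shows up after the next token refresh; that is the trade-off versus the db query the poster suggests postponing.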
We switch between environments and clients; currently we have GitHub/GitLab/AzureAD and Google/GSuite :)
ORY Hydra is nice if you want to host your IdP yourself. If you want to have your own IdP, use Authelia; I guess it will be less complicated and good enough for personal/SME scope.
Regarding proxy vs. forward auth: I know about issues with proxy mode (hard to debug, latency, streams, etc.). Forward auth should not have those issues, as the ingress is communicating with the service. Apart from that, both should work fine for web apps.
Your guide was actually what started me on my quest for SSO. (I'm akrantz01 on GitHub) With Pomerium, what are you using as your IdP? I've been looking at using ORY Hydra for myself.
Also, do you know if one of the modes (proxy or forward auth) is recommended over the other? I'd personally prefer to use forward auth mode, but if there are any major downsides to it then I'd rather not.
It depends on what you're looking for - Okta and Auth0 seem to be better at integration with enterprise users (multiple SAML sources, etc.), Azure AD B2C seems to fit more in the traditional website space.
There's also AWS Cognito and GCP Identity Platform, which also allow the first 50k users per month for free. AWS Cognito looks interesting in that you can tie a user's Cognito ID to the ability to access items in AWS (e.g. objects in an S3 bucket, certain API endpoints, etc.).
The other option would be to bring it in-house using something like ORY Hydra, which provides a complete certified OIDC server that you can use in any cloud environment. Under the same umbrella, you have ORY Oathkeeper, which can act as an identity and authorization proxy (IAP) at the edge layer of things and ORY Keto that can handle authorization workflows.
Heya,
So I know it's a learning exercise, but if you plan on releasing your app into the wild I would strongly recommend not using JWTs. One example post (both Okta and Auth0 have some as well):
[https://www.ory.sh/docs/hydra/advanced#json-web-tokens]
Well I mean nobody should roll their own security, but shrug.
In the same ecosystem, ory/oathkeeper has some great config files as to what you should look for. Also: the rbac permissions of the user should not be stored in the database, but rather in the token. A user is always a super user of their own account, and if you store the permissions in the database then there's always a risk of locking out a user from themselves.
Even Kubernetes and Linux perform permissions on a config-file basis, which is how I do RBAC too.
For example, if a user has role: admin on thing 1, and role: user on thing 2, the scope of the access token should be "openid offline admin:thing1 user:thing2 other:stuff:actionsheremaybe"
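The scope layout proposed in this comment, parsed and checked as an added Go example. This is not code from Ory or from the poster. The role-to-action table is an assumption for illustration, and the scope string is constructed; in a real service the scope must come from a token whose signature has been verified (or from an introspection response), and because the grants are baked into the token they stay in force until it expires, so role changes only take effect on refresh.

```go
package main

import (
	"fmt"
	"strings"
)

// Grant is one role:resource pair carried in the token's scope string,
// e.g. "admin:thing1" -> Grant{Role: "admin", Resource: "thing1"}.
type Grant struct {
	Role     string
	Resource string
}

// ParseScope splits a space-delimited OAuth2 scope value into plain scopes
// ("openid", "offline") and role:resource grants. Only the first colon
// separates role from resource, so "other:stuff:actions" keeps its tail
// as the resource name.
func ParseScope(scope string) (plain []string, grants []Grant) {
	for _, s := range strings.Fields(scope) {
		parts := strings.SplitN(s, ":", 2)
		if len(parts) == 2 && parts[0] != "" && parts[1] != "" {
			grants = append(grants, Grant{Role: parts[0], Resource: parts[1]})
			continue
		}
		plain = append(plain, s)
	}
	return plain, grants
}

// rolePermissions is the assumed role -> allowed actions table. It lives in
// the service's configuration (the config-file RBAC the poster describes),
// not in the token: the token names roles, the service decides what they mean.
var rolePermissions = map[string]map[string]bool{
	"admin": {"read": true, "write": true, "delete": true},
	"user":  {"read": true},
}

// Allowed reports whether any grant lets the caller perform action on
// resource. A role is scoped to the resource it was granted on, so
// "admin:thing1" gives nothing on thing2, and a role the service does not
// know (like "other") grants nothing at all.
func Allowed(grants []Grant, resource, action string) bool {
	for _, g := range grants {
		if g.Resource != resource {
			continue
		}
		if rolePermissions[g.Role][action] {
			return true
		}
	}
	return false
}

func main() {
	// Constructed scope claim in exactly the shape the comment proposes.
	plain, grants := ParseScope("openid offline admin:thing1 user:thing2 other:stuff:actionsheremaybe")
	fmt.Println(plain, grants)
	fmt.Println(Allowed(grants, "thing1", "delete")) // true
	fmt.Println(Allowed(grants, "thing2", "delete")) // false
	fmt.Println(Allowed(grants, "thing3", "read"))   // false
}
```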