The Oathkeeper proxy is one piece of the puzzle which basically takes incoming HTTP requests, evaluates them against a set of rules (e.g. authentication of the credentials used, checking if the user has the right permissions, transforming the session data to e.g. a JWT) and either grants or denies access.
Other services include, for example, ORY Hydra ( https://github.com/ory/hydra ) which is an OAuth2 & OpenID Connect (certification pending) server that you can put "on top" of your existing user management.
While most developers opt to build these systems (permissions, user management) themselves, it is our vision to build a reliable, broadly adopted set of OSS tools that get you started quickly and that scale well as the requirements of your organization change.
Everything we do is built on top of open standards; we do not want to reinvent the wheel (unless nothing exists with respect to open standards). So everything in this ecosystem integrates well with existing systems.
If you have any questions, feel free to ask.
ps: New account because I lost my password and didn't set up a backup email. Stupid me.
Is this how you're hoping to monetise all your hard work? I don't begrudge that at all :-) It's just a little unclear?
If there's going to be a security console, I wouldn't want it hosted by anyone else. Especially if I'm the type of person to deploy all the other components I'll undoubtedly want to deploy the console myself.
[EDIT] There's also some on-by-default telemetry, and the link for details is 404'ing: https://github.com/ory/oathkeeper#telemetry -> https://www.ory.sh/docs/guides/latest/9-telemetry I might not mind this, but I can't tell if the links don't go anywhere.
I don't want to sound negative, other than these queries the ORY ecosystem looks lovely and something I might implement.
Cheers
How do you envision integration of existing external OAuth2 or OpenID Connect servers, such as Google, GitHub, etc., or an OAuth2-compliant directory of a B2B customer?
As part of that service, we will add connectivity adapters for generic OAuth2/OIDC providers as well as (probably) LDAP/AD and SAML integration.
We're still in prototyping phase (building a good API here is really tricky because no open standards exist to our knowledge for this) and it will take some time. But hopefully, it will be something many people can build on!
And thank you so much for the positive feedback :)
One suggestion for the docs, especially since the tagline is that this is a cloud-native solution, would be examples of how to run it in common cloud setups. For instance I'm looking at the deployment page and it mentions that in the gateway configuration you'll want to run it behind a load balancer but in front of the API router. But if you're using an ELB, which as far as I'm aware is still part of basically the default way to run web apps on AWS, the load balancer and router are combined and there's no way to hook something like this in. So it would be cool to see some examples involving specific tools like ELBs, maybe a note on other ways to run it if using Kubernetes, etc.
We're a very small team, so it might take a while for us to tackle this (especially because we mostly use k8s with the oathkeeper proxy as a sidecar), but that doesn't make this any less of an issue!
Super excited to see more players move in this space btw!
Oathkeeper looks very interesting... Congrats and best of luck!
[0] https://www.getambassador.io
[1] https://www.getambassador.io/reference/services/auth-service
The main differentiator is that Oathkeeper is capable of performing more sophisticated permission checks (think RBAC / AWS IAM Policies) and is specifically geared towards solving authentication and authorization in front of "your" service.
Most other implementations I saw (and I think this also goes a bit for envoy) is that they solve access control as one of the things in the feature set, while also focusing strongly on routing, load balancing, and other typical API gateway issues.
We're explicitly not trying to build another API gateway but instead something that you deploy alongside your existing API gateway (or maybe as a sidecar) with the sole purpose of answering: "is the request that's coming through really allowed to perform that action?".
Hope this clarifies it, if not I'm more than happy to go into more detail :)
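The decision pipeline described in the opening post (authenticate the credential, check permissions, turn the session into a JWT) and the RBAC-style check mentioned above, as an added illustration that is not Oathkeeper's own code: the token table, the policy table and the signing key are constructed placeholders, and `Decide` and `mintJWT` are hypothetical names.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
)

// Constructed sample credentials (bearer token -> subject, role) and RBAC
// policy (role -> allowed "METHOD path-prefix" pairs). A real deployment would
// validate tokens against an identity provider and load policy from config.
var tokens = map[string][2]string{
	"tok-alice": {"alice", "admin"},
	"tok-bob":   {"bob", "reader"},
}
var policy = map[string][]string{
	"admin":  {"GET /api/", "POST /api/", "DELETE /api/"},
	"reader": {"GET /api/"},
}
var signingKey = []byte("placeholder-hmac-key-not-for-production")

// Decide runs the three stages on one request: authenticate the credential in
// the Authorization header, check the permission, then mint the JWT the upstream
// receives. It returns the status the proxy answers with (200 = forward) and
// the JWT, which is empty whenever access is denied.
func Decide(method, path, authorization string) (int, string) {
	id, ok := tokens[strings.TrimPrefix(authorization, "Bearer ")]
	if !ok {
		return 401, "" // unknown or missing credential
	}
	for _, p := range policy[id[1]] { // RBAC: any matching entry grants access
		if m, prefix, _ := strings.Cut(p, " "); m == method && strings.HasPrefix(path, prefix) {
			return 200, mintJWT(id[0], id[1])
		}
	}
	return 403, "" // authenticated, but not permitted to perform this action
}

// mintJWT builds an HS256 JWT: base64url(header).base64url(payload).base64url(sig).
func mintJWT(sub, role string) string {
	enc := base64.RawURLEncoding
	body, _ := json.Marshal(map[string]string{"sub": sub, "role": role})
	input := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(input))
	return input + "." + enc.EncodeToString(mac.Sum(nil))
}
```

The upstream service only ever sees the minted JWT, so it can trust the subject and role claims without re-validating the original credential, which is the "in front of your service" split the thread describes.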
Really great. Please comment on the intersection with Auth0. Clearly there is some overlap; it would be great to have a concise explanation.
> we do not want to reinvent the wheel
IMHO, were I you I would not shy away from that. Existing wheels are oval in shape. Of course where you have to interoperate, you are limited.
> ps: New account because I lost my password and didn't set up a backup email. Stupid me.
Well, you just lost me. You are developing IAM components and you can't get basic password management correct? Email has nothing to do with it; we are well past the point where password managers are de rigueur, certainly for anyone involved with security matters.
The password in my password manager is not correct. No idea how that happened, maybe it was overwritten by accident or I copied the wrong one during account creation. Since I had to reset my FF profile it was no longer stored in the FF password manager, so I had to recover it from KeePass, which, well, didn't work out so well. Since I do use a password manager, it's impossible to recover it as I have no idea what the password is.
Has nothing to do with the fact he's developing auth software.
Besides, HN does not do OAuth. If it did and he still lost access, then it's a different story ;-)
[0] https://www.splcenter.org/fighting-hate/extremist-files/grou...
We do not share nor endorse extremist views nor "values", nor have anything to do with extremist groups whatsoever. We have not heard about them (Oath Keepers) before.
We'll discuss a name change internally & with the community.
ps: It also shares the name of the sword from Game of Thrones and is a wordplay on OAuth :)
edit: Forgot to thank you for raising awareness on this.
For what it's worth, I was unaware of the reference that was used as this project's namesake. That is ignorance on my part.
Furthermore I would like to apologize, as my comment seems to have inspired quite a bit of unproductive ideological bickering.
Any individuals that try to imply that the naming of a proxy server product within a larger software ecosystem indicates an endorsement of the position of an organization with a similar name are displaying pathological behavior and should generally be disregarded.
As one of your potential customers / users, I would not base any judgement of your company or product on a shared name with a small fringe organization that some people find unsavory which uses a pretty common term or combination of terms.
:P
Maybe I should pay attention to the discussion with the community when that occurs, but I'm interested in which "values" you take issue with. Care to share here?
It's the same smear campaign that real extremist groups (the Marxist identity politics left) do to Jordan Peterson and Ben Shapiro.
Men of authority pledging not to bow to unconstitutional orders against citizens. Actually seems noble.
I suspect they get the "radical" and "extremist" label from our culture where those who aren't on the "correct" political side are labeled a Nazi or Communist.
It's good to know there's an option to do this in the future for projects that don't have all that groundwork done already, if this is easy to set up – at least initially – without having to include all the parts of the ecosystem.
- Forums: https://community.ory.am/
- Chat: https://discord.gg/PAMQWkr
Thank you all for the awesome discussions!