> I found it hard to quickly determine whether Kratos can run completely
> self-hosted, or that there's always some connection to Ory / Ory Cloud services.
I have some questions:
- Is it possible to have multiple organizations in one single instance? Can I have some superusers that have access to all organizations?
- Can I delegate authentication for a subset of users (in my case this will always be an entire organization) to another authentication provider (say Microsoft ADFS)?
- Do you support SAML 2.0 clients?
- Do you have a REST API which can be used to create / deactivate users?
To answer your questions:
- Is it possible to have multiple organizations in one single instance? Can I have some superusers that have access to all organizations?
Depends how you interpret multiple organizations. If those are distinct users (meaning the same person has a profile in org A and org B and does not reuse them), so a true multi-tenant system, then this is not built in and we do not plan to add it.
Running Ory Kratos is very cheap in terms of resources (few MB of ram and no CPU on idle) so it's very affordable to spin up another instance. This doesn't work well for fully-automated deployments such as SaaS systems, but it does work if you are thinking about corporate systems.
You might also look for Ory Cloud, where you can deploy a new Ory Kratos instance with a simple API call.
- Can I delegate authentication for a subset of users (in my case this will always be an entire organization) to another authentication provider (say Microsoft ADFS)?
Yes! Right now we only support OpenID Connect and OAuth1/OAuth2 delegation but more to come.
- Do you support SAML 2.0 clients?
Not yet, but there's an active design document with discussions on different implementation scenarios.
- Do you have a REST API which can be used to create / deactivate users?
Creation - absolutely! Deactivation is not yet available as an API but identity state is already implemented, so adding it is really just a few lines of code.
There are also endpoints for revoking all active sessions which logs out users immediately of one to all systems.
There be dragons.
(Disclosure: I work for FusionAuth.)
Funny story. We had a client doing a SAML integration using HTTP-redirect bindings. It worked when you turned off request signature verification (which is fine for testing, but is like using alg="none" for JWTs, a non-starter in production), but failed when that was turned on. We dug in with the client and another vendor, set up some test servers, and identified the bug[0]. Turns out that you can't canonicalize the signature's URL encoded form, because both uppercase and lowercase hex values are allowed, by the SAML spec.
Our open source SAML library[1] has been around for years and used by many clients in FusionAuth and our other projects. It'd never run into this particular edge case. It is a wild west out there in SAML land and it takes years to build a bulletproof implementation. Ory folks, if you can leverage an existing implementation rather than rolling your own, I'd highly advise that approach.
That is also to say nothing of the incoming privacy/cookie limitation changes that are coming in the next few years. This will unfortunately probably negatively affect SAML, which is not a specification that has evolved much. If this is of interest to you, I'd recommend the Federated Identity W3C community group[2].
That said, FusionAuth supports SAML in many forms[3]. SAML support varies across vendors and implementations, but other providers like Keycloak and IdentityServer do so as well.
0: https://github.com/FusionAuth/fusionauth-issues/issues/1496
1: https://github.com/FusionAuth/fusionauth-samlv2
2: https://www.w3.org/community/fed-id/
3: https://fusionauth.io/docs/v1/tech/core-concepts/integration...
Ory Cloud is still in it's early phases and we have not been very good at communicating it well. Basically, we run Ory Kratos in Ory Cloud and it has full API and configuration and data compatibility with the version that is on GitHub! Our goal is to also allow users to easily switch from self-hosted to ory cloud and back - but it's still a bit of work until we get there.
If you just want to check our Ory Kratos and don't want to use the docker-compose command in the blog post, you can create an Ory Cloud account and use that instead of your local docker environment. That's basically the trade off you're making in a local environment. We have of course tons of plans for Ory Cloud but it's yet too early to share them with a broad audience.
We're currently focusing on gettin all of this much better communicated, and to make it easier to understand what the differences are. So totally get your confusion on it and can only say, we're working on making it better :) Hope this helped at least a little bit!
If you do want to store users locally, you have some adapters you can use. They leave a lot of room for interpretation (or rather implementation), meaning that you will probably have to implement a lot of stuff from zero!
Ory Kratos is like the system behind the Google, Twitch, or Pipedrive profile management, so it has the database of users and it offers variety of user flows for e.g. updating sensitive information, adding WebAuthn 2FA, managing one's profile, and so on.
To conclude, you most likely will be able to combine NextAuth with Ory Kratos or Ory Hydra if it makes sense for your use case!
> The functionality provided for credentials based authentication is intentionally limited to discourage use of passwords due to the inherent security risks associated with them and the additional complexity associated with supporting usernames and passwords
I cannot disagree more. Using 3rd party auth has a lot of issues such as data privacy (requirement of stating that in your privacy/GDPR policy if you are in the EU), increased user support request when they cannot remember which auth provider they used, or the ever growing cases in which Facebook/Google/Whatnot decide to close someones account without possibility to appeal and effectively shutting them out of your App. Or the risk that if Google/FB/Github might not like your webapp, they can disable auth for your users with the flip of a switch. Me personally, I avoid 3rd party auth for those reasons alltogether.
Also, authentication and authorization are core for an app. If we do authentication here, how does authorization work? Can I bring my own authorization like oso etc.
We have on the list to add a section about using Next's new middleware feature to protect API routes. Is that something you'd be interested in?
I'm interested in how you allow folks to customize the login flows (probably because my employer, FusionAuth, offers a competitive product :) ). Is this UX customization solely through custom react components?
Is there any ability to customize the actual login sequence, like Azure ADB2C allows? For example: for install A, I want to ask for login, then password, then MFA. for install B, I want to ask for email domain first, then login and password.
All of Ory's Open Source software is unique in a way that we strictly follow domain-driven design. Solve one problem only, but solve it extremely well, and solve it in isolation. Ory Kratos (and other Ory Projects) are API only. The UI is up to you. You can use Ory for CLIs, fridges, TVs, native mobile apps, Java Server Pages, and React apps.
So, you're also free to choose the UX for your users with a very high degree of freedom - something we found very frustrating before we started working on Ory. Of course, there are some limitations (as always in software) but we try to focus them around security and not how we interpret that sign up flows should look like.
For those who just want something to work, we have templates one can use to get off the ground in a few minutes!
My only real pain points are the docs and the JS SDK - the docs can be rough depending on what you're looking at, and the SDK has no documentation at all. I get that it's automatically generated, but it's enough of a pain to figure out that I resorted to just making the HTTP requests myself.
I'm always hesitant to use third party Auth for fear that some bug in our app would generate otps and I won't be able to fix that in an emergency because of a lack of familiarity/access to source code/database