I'm wondering, is there a way to secure keto-write...
# talk-keto
s
I'm wondering, is there a way to secure the keto-write endpoint and prevent unauthorized users from creating/editing/deleting relation tuples?
b
s
@billions-leather-15882 yes, I saw oathkeeper but we have an issue there. Let's consider the following use case: A user wants to edit/create a relationship in ory keto. In order to do so, the request goes through the oathkeeper, right? The oathkeeper rule oryketowrite would first check against keto if the user is allowed to send requests to keto-write/admin/relation-tuples. If it's allowed, the request should then proceed to keto-write. However, this endpoint needs to receive some data. And this is the data that we need to be forwarded as well but isn't forwarded. So, from what I see, oathkeeper wouldn't be a solution to protect the keto write endpoint
mmm any suggestion on this?
w
Oathkeeper forwards the write request on to Keto so I'm not sure what data you are worried about not being forwarded? Can you clarify?