Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hello <@U04RU72RMM0>


Here are some steps to get started with Ory:

- Create free developer account on <https://console.ory.sh/|Ory Network>
- Read <https://www.ory.sh/docs/security-model>
- Build PoC for your Angular app: <https://www.ory.sh/docs/getting-started/local-development>
- Add social login to the PoC: <https://www.ory.sh/docs/kratos/social-signin/overview>
- Investigate API solutions: <https://www.ory.sh/zero-trust-api-security-ory-tutorial/>

I agree that OAuth2 is often overkill.
I would recommend going with the cookie route for web apps - see the security-model doc above.

However if you want to keep your JWT architecture, we <https://github.com/ory/kratos/pull/3472|just implemented> the option to return a JWT on /whoami calls.
This is not in production yet, but should be coming very soon!

Thank you very much <@U011D3UQKNY>. Everything is more clear now. Yes we decided to switch to cookie for the web app. For APIs we'd like to move towards something like API Keys... have you some useful Ory resource about that?