# talk-keto
d
Is it possible to run Keto as a library within a Go application?
m
AFAIK no
d
@magnificent-energy-493 ah, that's all good. Also, to clarify, Keto doesn't handle authentication, correct? So if I were to use it I'd still need to pair it with a service like Kratos or Fosite? I have an architecture in mind that I want to see is doable, and before hosting I'm determining the minimum number of instances I'll require.
w
I would think the bare minimum would be Kratos + Keto + (arguably) Oathkeeper (for routing/rules)...
And by bare minimum I'm thinking that's it (because of the sqlite/memory DSN) - but you did say "min number of instances".
d
@witty-holiday-65473 thanks, my hosting provider of choice is Fly, and thus I was hoping to fall within the 3x VM limit, but that looks unlikely with what you've suggested. I'm also trying to experiment to see if I can get Kratos working with LiteFS to see what challenges I could face there (it seems the small POC I've got worked; I just need to think of a slightly more useful demo).
I'll check out Oathkeeper as that's news to me (as is Keto; work uses it and I'm trying to learn it in my spare time).
w
No worries. Keep in mind (which I'm sure you have 😉) that Kratos is an authentication/user profile/identity provider only. As soon as you jump into the realm of OAuth2/OpenID Connect, you need something more (Hydra).
You actually may be able to get it all done in a single VM (depends on how big the VM can be 🙂).
For example, I have a full-scale "New" to "Legacy" SSO implementation running on my local network with 3 separate domains (Let's Encrypt + wildcard certs) with Traefik reverse proxying into Oathkeeper + Kratos. I use API rules to route accordingly and Kratos user profile "metadata_public" entries to feed Keto tuple permission checks, and from there I issue a redirect (read: return_to) with a `#url_fragment` containing a very short-lived token that the legacy system can parse, post, and use to create a "legacy native" session.
All in Docker Compose on a single VM.
d
Ooo, yeah, I don't really need Hydra (for this experiment) but will keep that noted if I find this LiteFS hack works. The only thing is that when I deploy to Fly each app will need to be deployed to a separate VM, so I think via Compose I'm fine, but on Fly (excluding my personal account), to fall within the free team tier I'd need to be a bit hacky on what I use for IAM. App, Keto & Kratos would work, but then I would also like this POC to have an object store (using MinIO), so I'm already over. Preferably, if there were a way to use a library within my app (I think Fosite may be the one I see suggested), then I could just about manage.
But for now I'll get it working on Docker Compose, as you've made it clear that is doable.
m
I would recommend a Kratos + Keto combo, as adding Hydra to the mix is quite complex and usually not needed (unless you have a more "special" use case I guess...)
d
@magnificent-energy-493 thanks, I was planning on trying to implement my authentication with Fosite, but Kratos (for now) will likely be more useful. I'm quite a fan of SQLite, and specifically the new tooling around distributed databases built on top of SQLite, so my goal is really to see if that is viable with some of the Ory products. I've tried with Keto and it was almost straightforward. So I'm hoping I can figure out a potential solution for IAM.