Hi, I'm currently building a spring boot applicati...
# general
c
Hi, I'm currently building a Spring Boot application that I want to protect by authentication and authorization using Ory Kratos and Keto. Should I use Oathkeeper for that or implement the checks using a Spring Security middleware in the application itself? Oathkeeper seems promising, but I'm afraid that the config will explode at some time if I add every route that has different Keto permission specifications.
m
Hello @crooked-daybreak-71290 Yes, you can definitely use Ory Oathkeeper for your use case. Ory Oathkeeper is designed to authorize incoming HTTP requests and can act as a Policy Enforcement Point in your cloud architecture. See also this tutorial: https://www.ory.sh/zero-trust-api-security-ory-tutorial/
c
Hi @magnificent-energy-493 Thanks for your reply. I currently have a Spring Boot application and more microservices might come in the future. Frontend auth handling is currently done using the Ory client lib and the self-service flows to create sessions. I was planning on doing the authentication via Spring Security, calling the session/whoami in the middleware for validation manually instead of adding the whole Oathkeeper in the front. I was planning to integrate Ory Keto manually too. I think this is a valid approach too. What do you think, with your expertise? Are companies implementing the Ory stack rather using Oathkeeper or implementing the authentication on their own?
m
@crooked-daybreak-71290 I would say if you already have the Spring middleware in place, use that! It is definitely a valid approach; Oathkeeper is just one option but not required. Generally I would add as little new code/services as possible 🙂