# talk-kratos
b
Hi Ory people, I'm trying to see if kratos is the right fit for my use case. I was thinking of the following problem, where my underlying question would be: What data do you store inside kratos, and what data do you store in your own api? The scenario: A multi-tenant application where a user can be a part of one or more organizations. This is the data model I would use for a more standard (to me) approach where I'd handle the user authentication and authorization in the api itself. Now my question is what data would you save inside kratos (traits or metadata) along with the user, the organizations a user is a part of? The roles? How would I retrieve a list of users that belong to a certain organization, including their traits/metadata stored in kratos, when the admin api does not support search? Would I have to make a separate request for each user? This is my first time looking into any IaaS solution, so feel free to send links to blog posts/concepts I should understand before moving forward.
m
> What data do you store inside kratos, and what data do you store in your own api?
Generally a good practice is to store everything related to your app/business logic outside of Kratos and only store the information that is relevant for authentication purposes in Kratos/the identity schema.
> How would I retrieve a list of users that belong to a certain organization including their traits/metadata stored in kratos when the admin api does not support search? would I have to make a separate request for each user?
We handle authorization like RBAC or permissions in general with Ory Keto - it provides APIs that make this possible. We have an example that integrates both here: https://github.com/ory/examples/tree/master/kratos-keto-flask - maybe as an example of how the flow would be.
b
Hi Vincent, to reply to your keto example. In keto you would store the user id alongside the organization a user is a member of, right? How would you present that data to the user? The user wouldn't be able to do much with just the user id, so you'd have to retrieve the email from somewhere. If you have a list of members to display, would you have to retrieve each of those users separately from kratos?
m
You would probably use namespaces for the organizations - and yeah, you probably have to retrieve each of the users from Kratos if you need their credentials - or alternatively from your application backend where you store all business logic and so on. Maybe @steep-lamp-91158 also has an opinion on how this best works with Keto & Kratos.
b
Right, that would mean you store the email both in kratos as the identifier and in your own backend for display to the user?
So you'd funnel all of the profile change requests through your own api too, or can kratos dispatch events/webhook calls when profile information is changed?
s
There are webhooks in kratos. We have some ideas on supporting custom list filters with Keto, but that will take some time to complete. Currently, what you can do is get the list of tuples (user-id, "member", org-id) and map the IDs using either your own backend or Kratos admin APIs. You can try first with Kratos to see how the latency turns out, but as you said you could also sync the mapping to your own back-end.
b
The latency wouldn't be the biggest problem I think, but the need to make a lot of requests to retrieve user data is. So I'm probably going with the approach of storing the minimal amount of data in kratos (just the email probably) and storing the rest of the info, like full name etc., on my own backend.
I can hook into kratos' afterRegister to call my own api to create an account inside my own backend whenever a user signs up.