# general
Hi, I’ve asked a few times in the past, but I’d really appreciate a definitive answer to my question. Here’s an overview of my current setup using Kratos, Keto, and Oathkeeper:

1. User Registration: Users register through Kratos. User verification is currently disabled but will be enabled soon.
2. Role Management: User roles are stored in the metadata_public column in Kratos.
3. Token Generation and Middleware: Oathkeeper is configured with authorizers and mutators (id_token). When a user makes a request, Oathkeeper generates a JWT token containing claims derived from the user’s metadata_public. This token is passed upstream to my service.
4. Role-Based Access Control: A middleware in my Go backend decrypts the JWT token and extracts the user role. The role is then used to validate access to specific endpoints. Endpoint access is managed through access roles defined as objects in a remote JSON authorization handler.

I’d like to know:

- Is this flow optimal, or are there any best practices I should adopt to simplify or enhance security and performance?
- Are there any alternative approaches to streamline this setup while retaining flexibility for role-based access control?

Looking forward to your advice!
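As an added illustration of step 4 (not the poster's code, and not part of Ory's libraries), the following Go middleware shows what the backend has to do with the id_token Oathkeeper passes upstream: the token is signed, not encrypted, so the backend verifies the RS256 signature, pins the algorithm, checks `iss`, `aud` and `exp`, and only then reads the role claim and compares it with the endpoint's allowed set. Everything is standard library. Assumptions: the mutator's claims template emits the role under a claim named `role` and `aud` as a single string; the issuer URL, audience and the `NewDemoKey`/`MintToken` helpers are stand-ins so the example runs offline (in a deployment the public key is fetched from Oathkeeper's JWKS endpoint and selected by the token's `kid`).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims is the subset of the id_token mutator output the middleware needs. "role" is
// an assumed claim name filled from metadata_public; "aud" is assumed to be a string.
type Claims struct {
	Iss  string `json:"iss"`
	Aud  string `json:"aud"`
	Exp  int64  `json:"exp"`
	Role string `json:"role"`
}

// Verifier pins the key, issuer and audience the backend accepts (key from JWKS in production).
type Verifier struct {
	PublicKey *rsa.PublicKey
	Issuer    string
	Audience  string
}

// VerifyToken checks an RS256 compact JWS: algorithm pin and signature first, then iss, aud, exp.
func (v *Verifier) VerifyToken(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	seg := make([][]byte, 3) // decoded header, payload, signature
	for i, p := range parts {
		var err error
		if seg[i], err = b64.DecodeString(p); err != nil {
			return nil, errors.New("malformed token")
		}
	}
	// Pin the algorithm server-side: the header is attacker-controlled input, so an
	// "alg" of "none" or HS256 is rejected instead of being honoured.
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(seg[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(v.PublicKey, crypto.SHA256, digest[:], seg[2]) != nil {
		return nil, errors.New("invalid signature")
	}
	var c Claims
	if err := json.Unmarshal(seg[1], &c); err != nil {
		return nil, err
	}
	// Signature alone is not enough: the token must be for this backend and still valid.
	if c.Iss != v.Issuer || c.Aud != v.Audience || c.Exp == 0 || !time.Now().Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("issuer, audience or expiry rejected")
	}
	return &c, nil
}

// RequireRole is the backend middleware from the post: verify the upstream token,
// then admit only subjects whose role claim is in this endpoint's allowed set.
func RequireRole(v *Verifier, allowed map[string]bool) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			raw := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
			claims, err := v.VerifyToken(raw)
			if err != nil {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
			if !allowed[claims.Role] {
				http.Error(w, "forbidden", http.StatusForbidden)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

// NewDemoKey and MintToken stand in for Oathkeeper's id_token mutator (demo only).
func NewDemoKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func MintToken(key *rsa.PrivateKey, c Claims) (string, error) {
	payload, _ := json.Marshal(c) // plain string/int fields: cannot fail
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}
```

Wrap a handler with `RequireRole(v, map[string]bool{"admin": true})`; a request without a valid Oathkeeper-signed token gets 401, a valid token with a role outside the set gets 403. Checking `aud` is what stops a token minted for another upstream from being replayed against this one, and pinning `alg` is what makes the signature check meaningful at all.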