# general
Hey all. Basic question. Today I'm gonna go through the docs and docker instances. My use case is that I have two apps. A main SaaS app which is a straight up admin panel, reporting and other misc functions. But then a customer-facing FE app. Each FE app has its own registration, login and authentication process. But instead of each FE being its own silo, I want a centralised place for the FE accounts. So if a customer visits www.foo.com and registers an account, and then visits www.bar.com, they can still authenticate and not have to re-register. Basically being my own identity provider. Is this the right use case here for OAuth2 Server and OpenID Connect Provider? Thanks
I think you have 2 options in general: • Dedicated Ory Kratos instance (can be in Ory Cloud or self-hosted) for each FE account. This is a good solution if you don't have a great number of FE accounts / Kratos instances. • Kratos for self-service / auth and Hydra for federation of identities through OAuth2/OIDC. This way you only need one Kratos instance, but you need to configure the login to use the OAuth2 consent flow. The second option - meaning the OAuth2 APIs - will be available in Ory Cloud soon, and this will also make integration with Kratos easier. I hope this makes it clearer, let me know.
Thank you for the reply, appreciate it. I'll describe my use case in more detail and hopefully that will provide some more clarity. I'm building out an end-to-end ecommerce platform. It's a combination of webflow (landing pages), shopify (store), intercom (webchat), discourse (forums), slack (group chat), and many more. I'm now looking at auth as I've actually built a lot of the "stack" and now seems like a good opportunity to bring much of the functionality together. I've enabled a scenario where an individual can spin up many FE silos with as many domains as they have - using the BE SaaS I mentioned before. So someone can spin up a coffee store community, or a pet community or [insert whatever fad they are passionate about] community. Users who use the SaaS can spin up as many FE silos as they want. If they have 50 domains, then so be it. Each FE could have from hundreds to thousands of user registrations because it's the general public who encounters the domain and who would register to join that community. But for the SaaS user, they could have millions of accounts to manage depending on how popular they get. For the enterprise (me) which manages all the domains and FE instances via the SaaS, it runs into the tens of millions 😅. ------ This is why I felt being an identity provider would be better. From the customer point of view, I want them to register just once. Then if they come across another store, forum, group chat, they don't have to register again, they can just auth to that FE. Also from my point of view, I want just 1 auth infra to maintain, but managing millions of domains. Another thing, this is a bootstrapped startup. I'm merely trying to set up a proof of concept. I'm launching next year and my intention is to initially get out of the gate with very low costs (for the infra) and grow slowly and then transition to cloud services when it's sustainable enough to do so. Hopefully this makes my use case clear. Let me know if you need more info.
Thanks
Thanks Paul, yea this makes it clearer.
> I felt being an identity provider would be better.
I agree in this case, and with the planned scale in mind it definitely would make sense to go with option 2. You probably need a good RBAC-style authorization solution as well, check out Ory Keto. We don't have extensive tutorials on how to do this, but check out the community examples: https://www.ory.sh/docs/ecosystem/community https://github.com/ory/examples Finally there are some talks from the last Ory Summit that might be relevant/interesting:
Thanks, I've already started to consume a few of the videos on YT. Many thanks for your feedback!