https://www.ory.sh/ logo
c

creamy-fall-97349

04/24/2022, 11:10 PM
Okay, first off I just want to say how amazing Ory looks, I love how it's developer/api first and I think it's a great product. It seems to cover all the use cases I could ever imagine needing so I just want to say props to the team for building such an awesome and elegant solution. In the past I have always just built my own half baked solutions for authentication, but this knocks everything out of the park. I'm looking to now use Ory in a production manner at my company and I thought this would just be a great place to make an introduction. I have looked at other solutions like Auth0 but after speaking to a few friends that have built products with it, they've all said the same thing "It's too expensive and the costs really creep up, we had to move away and build our own solution." Now what I love about Ory is the fact that if the cloud ever becomes to expensive, the open source aspect will allow us to transition over to our own hosting aspect, but I hope this never becomes the case as I would like to support the team as long as it makes financial sense for us to do so. Now I should explain that I haven't actually used Ory yet but I am looking forward to playing around with it over the next week or two. The first thing I would like to understand is the whole concept of flows, it seems a bit baffling to me and I feel like the documentation doesn't quite cover it to the depth I would like personally. So moving onto my question, let's say I have a registration form that would take a few things, such as phone number, date of birth and other things I would like to validate which would be stored outside of Ory. How would I actually achieve this and only persisting the user given my validation checks pass? Also, I saw that it was possible for you to create registrations based on type of identity i.e. customer, staff etc... Would it also be possible to create identities which aren't unique such as the same email being used twice, but under a different website? Allow me to clarify this question a bit further, we have a service which users are able to sign up to, but this service is also branded under different names too, we have users that are able to register on both branded sites separately but admins have one login for all brands. Is this possible with Ory or would it require multiple instances/projects?
d

damp-sunset-69236

04/25/2022, 8:31 AM
Hello. I have a small question. You said that you have branded websites. Does they run on different domains?
I saw that it was possible for you to create registrations based on type of identity i.e. customer, staff etc.
You can read about different identity schemas here
However, it can be hard to setup Ory Kratos in multi-domain configuration because Ory Kratos has the only one way to enable multi-tenant environments. On that case you can have a couple of kratos instances configured for each domain and you can manage admin identities using Kratos hooks.
c

creamy-fall-97349

04/25/2022, 5:37 PM
@User yes they would run on different domain.
What do you mean by manage admin identities using kratos hooks? like registrations cloned over and managed via hooks?
d

damp-sunset-69236

04/26/2022, 8:43 AM
The idea is to manage admin identities on all Ory Kratos instances, and I think you need one instance per domain based on your initial request. You have two options here. 1. Create an additional user interface to manage admin identities, and you can use adminCreateIdentity API endpoint to create admin identities on all Kratos instances you have 2. You can also use a after registration webhook to create admin identity on other kratos instances
And the first recommendation was the first thing that came to my mind on how to solve your case, but I think that you need to go with and additional webinterface to handle admin identities across services
c

creamy-fall-97349

04/26/2022, 8:54 AM
That makes sense, great! thanks Andrew! I'm looking forward to implementing Ory as part of our IAM and microservice architecture. Just one last question, is Oathkeeper what I would need to manage Machine-to-Machine authentication? As in, if I have one micro-service that wants to talk to another, should I be using Oathkeeper to manage that or is Oathkeeper strictly for managing requests from reverse proxy?
Also, I do believe the docs are great but could use more detail, could I recommend taking note of peoples questions in Slack and populating the documentation with the most popular questions and answers>
d

damp-sunset-69236

04/26/2022, 9:12 AM
Oathkeeper is identity and iam proxy. It can help you to build applications without thinking about authentication. For instance you use nginx as ingress proxy and oathkeeper can act as decision api for subrequest authentication and nginx will proxy only authenticated requests for your services. As an example you can check the shorts project. Oathkeeper handles authentication part, makes requests to kratos to check session, mutate request and adds X-User with the id of authenticated user or redirects unauthenticated. On the backend I implemented middleware that gets X-user and uses it for the CRUDL operations
For machine-to-machine authentication I think you need to use Hydra, since Ory Kratos does not support it at the moment
Also, I do believe the docs are great but could use more detail, could I recommend taking note of peoples questions in Slack and populating the documentation with the most popular questions and answers>
We have slack harvest routine each month. We collect answered questions and write guides/update documentation 😃
Oathkeeper helps you to build Zero Trust Network architecture when you pass only authenticated/authorized requests to your network
c

creamy-fall-97349

04/26/2022, 10:03 AM
That is great, love the support you guys are giving. I love Ory and like I said in my previous message, as long as the costs seem reasonable for Ory cloud then I am happy to pay them and include them in our production app! Pass my thanks to the entire team, absolutely great work and great product!
m

microscopic-forest-58980

04/27/2022, 8:23 AM
@User just to add here that that was also my impression of the Ory docs. At one point I volunteered to suggest a way to illustrate things that would work well for a new user, but then I got too busy. Good luck :)
1
3 Views