# general
d
Hello. I have a small question. You said that you have branded websites. Do they run on different domains?
I saw that it was possible for you to create registrations based on type of identity i.e. customer, staff etc.
You can read about different identity schemas here
However, it can be hard to set up Ory Kratos in a multi-domain configuration because Ory Kratos has only one way to enable multi-tenant environments. In that case you can have a couple of Kratos instances configured for each domain and you can manage admin identities using Kratos hooks.
c
@User yes, they would run on different domains.
What do you mean by managing admin identities using Kratos hooks? Like registrations cloned over and managed via hooks?
d
The idea is to manage admin identities on all Ory Kratos instances, and I think you need one instance per domain based on your initial request. You have two options here.
1. Create an additional user interface to manage admin identities, and you can use the adminCreateIdentity API endpoint to create admin identities on all the Kratos instances you have.
2. You can also use an after-registration webhook to create the admin identity on other Kratos instances.
And the first recommendation was the first thing that came to my mind on how to solve your case, but I think that you need to go with an additional web interface to handle admin identities across services.
c
That makes sense, great! Thanks Andrew! I'm looking forward to implementing Ory as part of our IAM and microservice architecture. Just one last question: is Oathkeeper what I would need to manage machine-to-machine authentication? As in, if I have one microservice that wants to talk to another, should I be using Oathkeeper to manage that, or is Oathkeeper strictly for managing requests from a reverse proxy?
Also, I do believe the docs are great but could use more detail. Could I recommend taking note of people's questions in Slack and populating the documentation with the most popular questions and answers?
d
Oathkeeper is an identity and IAM proxy. It can help you to build applications without thinking about authentication. For instance, you use nginx as an ingress proxy and Oathkeeper can act as the decision API for subrequest authentication, and nginx will proxy only authenticated requests to your services. As an example you can check the shorts project. Oathkeeper handles the authentication part: it makes requests to Kratos to check the session, mutates the request and adds X-User with the id of the authenticated user, or redirects unauthenticated requests. On the backend I implemented middleware that gets X-User and uses it for the CRUDL operations.
For machine-to-machine authentication I think you need to use Hydra, since Ory Kratos does not support it at the moment
> Also, I do believe the docs are great but could use more detail, could I recommend taking note of peoples questions in Slack and populating the documentation with the most popular questions and answers>

We have a Slack harvest routine each month. We collect answered questions and write guides/update documentation 😃
Oathkeeper helps you to build a Zero Trust Network architecture, where you pass only authenticated/authorized requests to your network.
c
That is great, love the support you guys are giving. I love Ory and like I said in my previous message, as long as the costs seem reasonable for Ory cloud then I am happy to pay them and include them in our production app! Pass my thanks to the entire team, absolutely great work and great product!
m
@User just to add here that that was also my impression of the Ory docs. At one point I volunteered to suggest a way to illustrate things that would work well for a new user, but then I got too busy. Good luck :)