I have a couple of projects: main.com, proj1.com, proj2.com, proj3.com. I wanted to make it so that main.com hosts all the authentication accounts, and then the projects can oauth with it to sign in/sign up. This was I can continue to add more projects without touching auth at all and instead just have to quickly implement oauth (which there are premade libraries for). Do you think this is a good idea? If not, why not? If so, then should main.com use kratos + hydra or do I need more than those two?
Awesome, thanks very much for the links, ill give it a shot. Good to know that you are successful in setting up a similar system to what I want
@User Question for you, each of your clients, how do you fetch vital information such as the user's name? Do you fetch once when signing in and cache it? Do you fetch it from your main.com server every time? Or maybe is there a JWT you read from and refreshes every couple minutes? What happens if user changes their name on main.com, when does proj1.com get that information?
01/18/2022, 1:41 AM
I fetch it from my main.com server every time. However I am also looking at ways I can cache this information. Haven't gotten around to implementing it yet.
The long explanation follows:
I only store user email and password in main.com and let each service such as proj1.com that connects to main.com for authentication manage other user information such as name etc.
This way I can let each service manage their own user information and only use Kratos/Hydra for just authentication/authorization with email and password.
Once proj1.com successfully authenticates with main.com, I store the email and kratos identity id within the access token created by Hydra.
Then proj1.com uses hydra’s introspect token endpoint to get the kratos identity id and also check if the token is active.
Each service such as proj1.comproj2.com has a kratos identity id column in their respective user tables to verify if the user has access to the respective services.
Let me know if you need any clarification regarding my explanation.
I have also updated my repo to demonstrate how I use metadata to turn registration on and off for example.