# talk-kratos
m
Not a technical question, more of a usage question from someone who has lightly skimmed Kratos' documentation: I'm putting together a small web app that will only allow social login. Is Kratos overkill for such a case? There won't be passwords, email registration, recovery, etc... but it looks like Kratos has a pretty comprehensive set of SSO providers baked-in, which is a really important metric for my project. Thoughts?
For a little more detail: the rest of the project would use DynamoDB, so Kratos would have to have a relational database all to itself. My primary alternative is implementing all the social logins myself, which doesn't sound fun.
b
Are you using React/Vue for developing the web app?
m
Yeah. React frontend, Micronaut backend
Eventually the app will need probably a dozen different social logins, some of which are not implemented in Kratos
I'm not sure how extensible the "generic" provider is
b
Ah I see… Next.js has something called NextAuth which handles dozens of social logins, and you can even add custom providers.
m
Interesting, I'll look into that too
b
This is if you don't mind moving from plain React to React-based Next.js on the frontend side.
m
I wouldn't love that but it might be worth it
b
https://next-auth.js.org is a library made to work with Next.js
m
Have you used both? How does it compare to Kratos?
Yeah that's a good number of providers they have
b
I have used both. NextAuth probably works well in your use case because you plan not to use recovery/registration etc., and NextAuth doesn't provide those capabilities.
Kratos, on the other hand, is a full-fledged identity provider and useful if you want self-service registration etc. and integration with external identity providers.
m
Interesting, thanks for the input!
I haven't used SSR before and don't love the idea but I'll look into it
b
No problem. I have also tried just integrating external identity providers with an SPA before. It's not easy. Kratos provides an SPA API as well, which is nice, but probably overkill for your situation since you don't plan to use all of its capabilities.
m
That's good to know. I have limited experience integrating with OAuth providers, so it's hard to judge the level of effort required there.
I momentarily even considered using Auth0 because they have such a comprehensive list of providers but damn their pricing model is predatory
It looks like Next.js supports client-side rendering, which is news to me. So maybe I don't have to redesign my architecture to fit SSR. Have my cake and eat it too perhaps.
b
I spent a lot of time and effort trying to integrate an external OIDC provider with a SPA and in the end migrated my app to use Next.js + NextAuth.
m
Thanks for sharing that, you've spared me from learning that challenge the hard way.
b
No problem 👍🏼 Yes, Next.js does support client-side rendering as well. However, NextAuth works on the server side. OAuth integration is mostly server-side, and NextAuth saves a lot of time for you because all you have to do is wire up the config file for NextAuth.
What's unique about Kratos, though, is that it has an SPA API as well. Unfortunate that you won't be using all of its capabilities, hence my suggestion to use Next.js and NextAuth 🙏🏼
m
Hmm, I was hoping to be able to throw my SPA in S3 and just use servers for API calls. SSR would really complicate that. Does Next mandate using Node?
I really like Node but I'm not using it for this project
b
Unfortunately, NextAuth requires that you run it using Node. So AWS S3 won't be enough 😞
m
Bummer
b
Maybe a Docker image and Fargate?
I am not well versed in AWS services, unfortunately.
m
Yeah, if I'm using microservices then a Node server wouldn't really cost anything more than a Kratos server would anyway
Still, serving static content is way cheaper than calling a service for every render
Hmmm, you've given me a lot to think on but I'm 10x more informed than I was a few minutes ago, so I appreciate that
I've gotta run but I'll be back later if you have anything else to add
Thanks!
b
No problem. Glad my info was helpful 🙏🏼
https://nextjs.org/docs/deployment#docker-image Next.js Docker build instructions, in case you decide to go that route.
m
@User I'm back! So I took your advice to heart and drafted out a redesign of my architecture utilizing NextAuth. It's a lot simpler than Kratos, but this seems like a blessing and a curse. I've looked over some of the code and it seems like their review process is not as rigorous as I would hope for an auth library. On the other hand, I literally cannot read the Kratos code no matter how I try (not learning Go has caught up with me 😆), so I can only assume that the project is as diligently managed as it seems.
anyway, long story short, I'm wondering, based on your experience, whether you think Kratos would be more appropriate for a security-critical application – even though I still wouldn't be making use of anything but social login
b
Ah sorry, I had to re-read our conversation to catch up 😆 Hmmm... well, since you mentioned that it is security-critical, using Kratos only for social login is probably overkill but is doable. There is an official Next.js integration sample repo. You can use that as a starting point for your application: https://github.com/ory/kratos-selfservice-ui-react-nextjs Although the above sample application implements all the flows provided by Kratos, you can remove them and implement only the social login part 👍
m
Thanks for the input!