Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

is it best-practice to put kratos public endpoints behind oauthkeeper?

It is required for the admin endpoints to have some protection, but the public is fine to be exposed without.
edit: Not sure if it is the "best" practice to have it exposed without protecction.

yes. that was my assumption.. i had figured oathkeeper could be the exposed point to the internet and configured to expose kratos public callbacks.. the private endpoints would be inside an internal vpc and not exposed through oathkeeper

Yup from my side that makes a lot of sense :+1:

Let me know how it goes.

<@U02U9MSKL9X> is also working on a Oathkeeper + Kratos guide if i am not mistaken, so he might be able to share something :slightly_smiling_face:

Yep. Updated configs are available for the guide ‘<https://www.ory.sh/docs/kratos/guides/zero-trust-iap-proxy-identity-access-proxy|Configuring IAP proxy with Ory Kratos>’. However there can be versions mismatch because updated configs are in master branch of `ory/kratos` repo

Also, I have some configuration examples for my demo projects. Feel free to ask questions.