# talk-oathkeeper
w
Hey. I am trying to replace Pomerium with Oathkeeper+Kratos+what-have-you to allow different sets of users to different endpoints, kind of like a glorified oauth-proxy. Now, since the Kratos users should not all be allowed to the different subdomains, I assume I need an Oathkeeper authorizer that looks at the host and the mail, preferably one that can be set up programmatically from within Kubernetes. I will post my current manifest with Pomerium in a thread.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: adguard
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "https://fwd.example.com/verify?uri=$scheme://$host$request_uri"
    nginx.ingress.kubernetes.io/auth-signin: "https://fwd.example.com?uri=$scheme://$host$request_uri"
    ingress.pomerium.io/policy: |
      - allow:
          or:
            - email:
                is: example@gmail.com
spec:
  rules:
    - host: "adguard.example.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: adguard-home
                port:
                  number: 80
```
Am I right in my assumption that this use case is not possible right now with the ORY stack alone? Proxying different subdomains allowing different sets of users.
Made a discussion for this: https://github.com/ory/oathkeeper/discussions/1075 TL;DR: replacing Pomerium (oauth-proxy) with the ORY stack
l
I’m working on a project which will do something similar. You’ll likely need to use Ory Keto with the remote_json authorizer in Oathkeeper pointing to Keto. Then Keto will be used to decide if a user can log in.
You might also be able to use extra traits in Keto for this if the setup you have is relatively simple.
But to make it all manageable you’ll need to build a custom backend and frontend for the entire stack (which is what I’m working on).
w
I would just like to use kubernetes annotations 😄
l
You’re going to need to build some form of frontend (and likely an accompanying backend) for Kratos anyway to be able to use it for login
w
I am using https://github.com/ory/kratos-selfservice-ui-node. Works well enough…