Hey team, can someone “sell me” Keto? I already use Kratos, but with Casbin. But I’m really keen to ...
s
Hey team, can someone “sell me” Keto? I already use Kratos, but with Casbin. But I’m really keen to switch Casbin with Keto. Would someone like to spend some time on why I should do that?
f
What you are asking is very subjective to the project, budget, and engineer bandwidth. If you have a solution that works, and you have no additional budget to invest in replacing a working feature, then stick with Casbin. However, if you have some spare time and resources, then perhaps unifying your auth stack with Ory could be a nice refactor. I think you would benefit from making a super minimal proof of concept that mimics what your system is using Casbin for, and see if it is a good fit. Then you can decide whether you think the switch is worth it. Using Keto does make Oathkeeper a little easier to integrate with to further unify your auth. It also allows you to outsource your auth to Ory Network. As for personal reasons why I think someone should use Keto:
• super simple API and concept
• can be used to build powerful authorisation systems such as ABAC/RBAC
• they recently released Ory Permission Language (typescript-based language for defining roles and actions)
• I have enjoyed using Kratos + Keto together 🙂
s
Thanks a lot! That’s really helpful. I’ve been having a great time with Kratos and the whole Ory community, so I’ll give it a try. I’m at the beginning of a project, so now’s the time to try.
f
If you are at the beginning and feel like you can afford to make the switch, it might be worth doing sooner than later. I imagine migrating an authorisation database would be a pain, especially in production!
s
One thing that kept me off it was that RBAC using Keto felt hackish. At least the docs made me feel that way. But I’ll give it a shot.
w
Keto has changed 3 times completely over the last two or three years. Hopefully the story with OPL is going to be the stable one. Although, I'm pretty confused by the reimplementation of a TypeScript interpreter for this task. It's a nice engineering problem but fairly complex. OPA's Rego approach has a smaller footprint.
f
@swift-island-66287 Keto gives you the building blocks to implement your own interpretation of RBAC; it is very much open to the developer. This can be done via middleware (Keto check to see if a user has a specific role), through some sort of abstraction (some sort of RoleRepository or service), or simply using Keto Check higher up in your code to prevent unauthorised access. For the PoC I’d suggest getting a really simple OPL config set up with one or two of your resources (e.g. if you protect files, make a File namespace). Define an interface that performs the checks you want. Implement the interface with the Keto/proto SDK and see how it feels 🙂
w
In the end, it's all subjective. Give it a try, figure out if you can live with it. If it ain't broke, don't fix it.
s
Awesome. I’ll give it a shot for sure. Thank you both
s
btw @white-greece-76805 we did not implement a TS interpreter, just a parser. The code is never executed or interpreted; it is just a more convenient and useful config language.
w
understood, a parser. I wish I was in the room to hear the justification of implementing a TypeScript parser for this job; there are so many existing config languages out there already.
s
Yeah, it was a journey and we were hesitant at first, but now I can say it makes sense. You probably know the original Zanzibar config, and what other projects did. All invented a completely new language.
@freezing-solstice-24704 kinda was in the room 😉
w
yeah, I know, been in this rabbit hole for way too long, somehow everybody still misses the fact that the union is only one of the set operations
f
In Ory’s defence, they went through quite a few iterations of config languages and ran interviews to determine which to use. The fact that it is in a language that many developers can understand (or could easily learn with the amount of resources available) was probably worth writing a parser for. There’s a talk about it too!
s
@swift-island-66287 btw I don't really have anything to add to the original discussion, I think all important points were already made 😉
m
There is a detailed blog post on it as well; I don't know if that was posted before: https://www.ory.sh/what-is-the-ory-permission-language/