The idea of the ory ecosystem ( https://github.com/ory / https://www.ory.am ) is to build a reliable, cloud native suite of tools which allow you to solve simple and complex IAM (identity and access management) use cases. Each service works standalone, but you can obviously combine them all.
The Oathkeeper proxy is one piece of the puzzle which basically takes incoming HTTP requests, evaluates them on a set of rules (e.g. authentication of credentials used, checking if the user has the right permissions, transforming the session data to, e.g., a JWT) and either grants or denies access.
Other services include, for example, ORY Hydra ( https://github.com/ory/hydra ) which is an OAuth2 & OpenID Connect (certification pending) server that you can put "on top" of your existing user management.
While most developers opt to build these systems (permissions, user management) themselves, it is our vision to build a reliable, broadly adopted set of OSS tools that get you started quickly and that scale well as the requirements of your organization change.
Everything we do is built on top of open standards, we do not want to reinvent the wheel (unless nothing exists wrt open standards). So everything in this ecosystem integrates well with existing systems.
If you have any questions, feel free to ask.
ps: New account because I lost my password and didn't set up a backup email. Stupid me.
Where is the ORY Security Console hidden? I can't see it on GitHub and all links lead to a running instance of it?
Is this how you're hoping to monetise all your hard work? I don't begrudge that at all :-) It's just a little unclear?
If there's going to be a security console, I wouldn't want it hosted by anyone else. Especially if I'm the type of person to deploy all the other components I'll undoubtedly want to deploy the console myself.
I really like this suite of projects, it splits the problem nicely into flexible building blocks.
How do you envision integration of existing external OAuth2 or OpenID Connect servers, such as Google, GitHub, etc., or an OAuth2-compliant directory of a B2B customer?
We're currently starting to work on ORY Hive (project name wip) which is going to be a fully functional identity management service (user registration, login, social sign in, password reset, MFA, ...) sort of along the lines of Auth0 or AWS Cognito, but as an OSS solution.
As part of that service, we will add connectivity adapters for generic OAuth2/OIDC providers as well as (probably) LDAP/AD and SAML integration.
We're still in prototyping phase (building a good API here is really tricky because no open standards exist to our knowledge for this) and it will take some time. But hopefully, it will be something many people can build on!
And thank you so much for the positive feedback :)
That sounds awesome! I'd really like to see organizational management, i.e., users in orgs. It is something most B2B SaaS apps have to do, and they tend to do it differently and often very poorly. Maybe it is out of the scope of ORY Hive, but I think it would be really useful. I'm thinking it would tie into an RBAC system to give users different permissions within orgs (member, admin, owner, etc.).
There are two main patterns for B2B apps:
- One org per user, like G Suite. A user is a member of a single org; to be a member of another org requires another user account. This creates a challenge when it is a system where someone might be a member of multiple orgs, because it requires logging in as multiple users and having cookies that can handle that.
- One user in many orgs, like GitHub. A user "owns" their user account, and is invited to one or more orgs. This makes working in multiple orgs easier, but can create challenges for companies that want to enforce things within their org, like SSO or 2FA. It also creates issues with routing of notifications (you want work notifications going to work email), and identity of users within a company (an org admin may have trouble identifying users if they aren't tied to company emails).
An ecosystem like ORY obviously can't alleviate all the issues, but maybe it can help with some of them, like org membership and org friendly cookies.
Good use cases, we in fact are looking at multi-tenancy or "realms" but have not progressed very far here as it can get quite complicated. One major issue with true multi-tenancy is obviously data isolation, so usually you don't want data to "bleed" from tenant a to tenant b (think G Suite) whereas in other systems it's not truly a tenant but more of a business entity that shares users.
I think in the end it boils down to what we can solve in a generic manner and what we can let developers solve for themselves. The distinction between the two use cases is definitely something we'll take a closer look at and include in our design decisions, so this won't be an afterthought but something built into the architecture!
This is a cool project, I'll definitely keep an eye on it. I've long wished that something framework & language agnostic like this existed.
One suggestion for the docs, especially since the tagline is that this is a cloud-native solution, would be examples of how to run it in common cloud setups. For instance I'm looking at the deployment page and it mentions that in the gateway configuration you'll want to run it behind a load balancer but in front of the API router. But if you're using an ELB, which as far as I'm aware is still part of basically the default way to run web apps on AWS, the load balancer and router are combined and there's no way to hook something like this in. So it would be cool to see some examples involving specific tools like ELBs, maybe a note on other ways to run it if using Kubernetes, etc.
We're a very small team, so it might take a while for us to tackle this (especially because we mostly use k8s with oathkeeper proxy as a sidecar), but that does not make this any less of an issue!
This solution seems comparable to running Envoy Proxy as a reverse / frontend proxy with a JWT filter. Would you say that's a fair comparison? What would you say are the benefits of using this over such an Envoy setup with Envoy becoming so popular?
Super excited to see more players move in this space btw!
Nice, I have heard about Ambassador before but did not have the time to look into it in detail. It is just amazing how much OSS is being created around the k8s/container ecosystem and I truly believe that it will greatly improve our lives as developers in the future.
I've added this to our internal list and we will check it out and see if any synergies are possible with our products. Our vision is that these services work so well and easy with the rest of the ecosystem, that you can get started with a new project in a day or two and have everything set up - from users, to permissions, to routing (e.g. via ambassador), to testing (there's still ton of space for this), and so on.
I think the journey of software development beyond 2020 will be very exciting!
ps: Sorry for slow responses, HN has a very high post wait time once you hit the limit. And thank you for the positive vibes :)
I was just speaking with Datawire/Ambassador CEO in their slack about Oathkeeper... you should reach out and speak with them. Interesting synergies IMO.
I have not used envoy extensively yet, but there are obviously many more options such as Apache2 + mod_oidc, Kong + oauth2 plugin, and so on.
The main differentiator is that Oathkeeper is capable of performing more sophisticated permission checks (think RBAC / AWS IAM Policies) and is specifically geared towards solving authentication and authorization in front of "your" service.
Most other implementations I saw (and I think this also goes a bit for envoy) solve access control as one of the things in the feature set, while also focusing strongly on routing, load balancing, and other typical API gateway issues.
We're explicitly not trying to build another API gateway but instead something that you deploy alongside your existing API gateway (or maybe as a sidecar) with the sole purpose of answering: "is the request that's coming through really allowed to perform that action?".
Hope this clarifies it, if not I'm more than happy to go into more detail :)
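The authenticate, authorize, mutate pipeline described above (OP's description of the proxy and the "is this request really allowed to perform that action?" framing), sketched as a default-deny decision function. This is an added illustration, not Oathkeeper's own code; the rules, the token store and the role names are constructed for the example, and a real deployment would validate a JWT or introspect the token with the authorization server instead of the map lookup.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// Decision is the proxy's verdict: allow or deny, plus the headers the
// upstream should receive when the request is allowed.
type Decision struct {
	Allowed bool
	Reason  string
	Headers http.Header
}

// Rule pairs a request matcher with the check to run after authentication.
// An empty RequiredRole admits any authenticated subject.
type Rule struct {
	Methods      []string
	PathPattern  *regexp.Regexp
	RequiredRole string
}

// session stands in for what an authenticator (JWT, OIDC session, API key)
// would return once it has validated the credential.
type session struct {
	Subject string
	Roles   []string
}

// Constructed token store (assumption for the example; not a real scheme).
var tokens = map[string]session{
	"tok-alice": {Subject: "alice", Roles: []string{"admin", "member"}},
	"tok-bob":   {Subject: "bob", Roles: []string{"member"}},
}

// Constructed rule set: members may read projects, only admins may delete.
var rules = []Rule{
	{Methods: []string{"GET"}, PathPattern: regexp.MustCompile(`^/api/projects(/.*)?$`)},
	{Methods: []string{"DELETE"}, PathPattern: regexp.MustCompile(`^/api/projects/[^/]+$`), RequiredRole: "admin"},
}

// matchRule returns the first rule whose method and path pattern fit.
func matchRule(r *http.Request) *Rule {
	for i := range rules {
		for _, m := range rules[i].Methods {
			if m == r.Method && rules[i].PathPattern.MatchString(r.URL.Path) {
				return &rules[i]
			}
		}
	}
	return nil
}

// authenticate resolves a bearer token to a session; any other credential
// shape is rejected rather than guessed at.
func authenticate(r *http.Request) (session, bool) {
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, "Bearer ") {
		return session{}, false
	}
	s, ok := tokens[strings.TrimPrefix(auth, "Bearer ")]
	return s, ok
}

// authorize is the permission check: the subject must hold the rule's role.
func authorize(s session, rule *Rule) bool {
	if rule.RequiredRole == "" {
		return true
	}
	for _, role := range s.Roles {
		if role == rule.RequiredRole {
			return true
		}
	}
	return false
}

// Decide runs the pipeline: no matching rule, failed authentication and
// failed authorization each deny; only a fully checked request is mutated.
func Decide(r *http.Request) Decision {
	rule := matchRule(r)
	if rule == nil {
		return Decision{Reason: "no rule matches"}
	}
	s, ok := authenticate(r)
	if !ok {
		return Decision{Reason: "unauthenticated"}
	}
	if !authorize(s, rule) {
		return Decision{Reason: "forbidden"}
	}
	// Mutate: the upstream sees the verified identity, not the raw credential.
	h := http.Header{}
	h.Set("X-Subject", s.Subject)
	h.Set("X-Roles", strings.Join(s.Roles, ","))
	return Decision{Allowed: true, Reason: "ok", Headers: h}
}

// DecideRaw builds a request from method, path and bearer token and decides it.
func DecideRaw(method, path, bearer string) Decision {
	req := httptest.NewRequest(method, path, nil)
	if bearer != "" {
		req.Header.Set("Authorization", "Bearer "+bearer)
	}
	return Decide(req)
}

func main() {
	fmt.Printf("%+v\n", DecideRaw("DELETE", "/api/projects/42", "tok-bob"))
}
```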
Really great. Please comment on the intersection with auth0. Clearly there is some overlap; it would be great to have a concise explanation.
> we do not want to reinvent the wheel
IMHO, were I you I would not shy away from that. Existing wheels are oval in shape. Of course where you have to interoperate, you are limited.
> ps: New account because I lost my password and didn't set up a backup email. Stupid me.
Well you just lost me. You are developing IAM components and you can't get basic password management correct? email has nothing to do with it, we are well past the point where password managers are de rigueur, certainly for anyone involved with security matters.
> Well you just lost me. You are developing IAM components and you can't get basic password management correct? email has nothing to do with it, we are well past the point where password managers are de rigueur, certainly for anyone involved with security matters.
The password in my password manager is not correct. No idea how that happened, maybe it was overwritten by accident or I copied the wrong one during account creation. Since I had to reset my FF profile it was no longer stored in the FF password manager, so I had to recover it from KeePass, which well - didn't work out so well. Since I do use a password manager, it's impossible to recover it as I have no idea what the password is.
Getting the wrong password in your password manager happens occasionally. Usually from password resets that somehow don't make it into your password manager. The fact that HN allows accounts without email addresses is the real problem. Also, maybe he just doesn't value his HN account all that much.
I'm currently looking how to protect internal websites used within our company behind github oauth (we're a small company and we all have a github account connected to the company's github organization). Would this or one of the other tools that are part of the ory ecosystem work for this?
I just wrote a simple proxy myself that takes an OIDC authenticated user and forwards the request to backend servers if their session is valid. It only took me two days to get this proxy functionality up and running, but of course the main application itself was handling all of the authentication, authorisation and session stuff already.
It's good to know there's an option to do this in the future for projects that don't have all that groundwork done already, if this is easy to set up – at least initially – without having to include all the parts of the ecosystem.
The day is coming to an end here, I'll try to monitor this thread but in case you don't get an answer from me any more, you will definitely get one in the community forums or chat by tomorrow:
I'm really excited to try this out. Microsoft's Azure App Proxy is a great technology, but it has licensing constraints that make it difficult to use with all user personas.
Do you have a Slack? I'm interested in OIDC and have some questions and interest in the user management component that is mentioned to be in the works.
Are you aware that this project shares a name with an extremist group[0]? I'm not sure how concerned you are about that, especially if you're not American, but I'd want to know if it were one of my projects.
It is extremely important to be sensitive to extremism of any kind, condemn extremist practices, beliefs, and views and take a stance against extremist ideologies.
We do not share nor endorse extremist views nor "values", nor have anything to do with extremist groups whatsoever. We have not heard about them (Oath Keepers) before.
We'll discuss a name change internally & with the community.
ps: It also shares the name of the sword from Game of Thrones and is a wordplay on OAuth :)
edit:// Forgot to thank you for raising awareness on this.
Hi, thanks for your reply. I don't mean to insinuate in any way that you or your team support any particular ideology, I merely wanted to make you aware of an unfortunate namespace collision.
For what it's worth, I was unaware of the reference that was used as this project's namesake. That is ignorance on my part.
Furthermore I would like to apologize, as my comment seems to have inspired quite a bit of unproductive ideological bickering.
This is a really unfortunate tangent and not worthy of any time or trouble on your end IMHO. At the very most a footnote somewhere in the site to say that this project is not affiliated with any groups or organizations would be more than adequate.
Any individuals that try to imply that the naming of a proxy server product within a larger software ecosystem indicates an endorsement of the position of an organization with a similar name are displaying pathological behavior and should generally be disregarded.
It's unfortunate but I wouldn't just dismiss it as a tangent. The second result from googling "oathkeeper" is the hate group and it's pretty well known in the US at least.
I doubt anyone will think this product endorses the hate group but it could prove to be an unnecessary distraction.
I would encourage that you not bend to the will of those who would impose upon you what your brand might be or might be associated with. If you make a meaningful product in your space and the origins of the name are easily explained through 1: your aforementioned wordplay and 2: the GoT reference (likely more common), then I think you should fight to keep a name you love and find meaning in.
As one of your potential customers / users, I would not base any judgement of your company or product on a shared name with a small fringe organization that some people find unsavory which uses a pretty common term or combination of terms.
Just to clarify, are you speaking for the team to condemn extremism in general, or the specific belief in upholding the U.S. Constitution within the U.S., or something else?
Maybe I should pay attention to the discussion with the community when that occurs, but I'm interested in which "values" you take issue with. Care to share here?
"Upholding the Constitution", among the far right, is dogwhistle for supporting white supremacy or other regressive policies. There's even a fringe political party called the Constitution Party that draws its planks not from the Constitution, the Federalist papers, or other constitutional scholarship -- but the King James Version of the Bible.
Upholding the Constitution can be a dogwhistle for various malign ideas. But there are also people who see, for example, the "living Constitution" jurisprudence as not actually upholding the Constitution, but rather just saying what you want and calling it the law. There are people who see executive orders (whether by Bush, Obama, or Trump) as not the way the country is supposed to be governed, and worry about the constitutional legitimacy of those orders. Probably the majority of the people who worry about such things are conservatives; my feel is that the majority (at a minimum) are not concerned about such issues as a cover for white supremacy.
Note well: I take no position on whether Oath Keepers is using "upholding the Constitution" as a cover for white supremacy.
>But there are also people who see, for example, the "living Constitution" jurisprudence as not actually upholding the Constitution, but rather just saying what you want and calling it the law.
And those people are incorrect. It's incorrect to believe that all modern Constitutional law and Supreme Court decisions are the result of judges and lawmakers simply making up whatever interpretation they like without any basis in, study of, or respect for the Constitution.
The alternative would be to pretend to know in all cases what an eighteenth century philosopher would decide about an issue of law in the context of modern society.
If you'll re-read my post a bit more carefully, you'll see that the word "all" is nowhere in it. Nobody (that I know) believes that " all modern Constitutional law and Supreme Court decisions are the result of judges and lawmakers simply making up whatever interpretation they like without any basis in, study of, or respect for the Constitution." I suppose that bit of hyperbole might serve to make my original statement seem less reasonable; if you did it deliberately, you're putting words in my mouth to try to discredit me, which is pretty scummy.
> The alternative would be to pretend to know in all cases what an eighteenth century philosopher would decide about an issue of law in the context of modern society.
No, the alternative would be to know what they said the rules are.
(Now, I will admit that deciding how the rules they agreed on apply in a specific situation can be very complicated. But I trust "let's look at the rules and see how they apply" more than I trust "interpreting the Constitution in accordance with its original meaning or intent is sometimes unacceptable as a policy matter, and thus that an evolving interpretation is necessary"[1]. The former view makes the Constitution the final law; the latter makes policy the master over the Constitution.)
[1] From the Wikipedia article on "Living Constitution". The quote was marked "citation needed". If you don't think it's an accurate statement of how some judges view the Constitution, make your case.
>No, the alternative would be to know what they said the rules are.
Problem is, parts of the text are maddeningly vague, and they didn't exactly agree in their politics, so a single, simple, objective and provably correct interpretation of those rules is not always possible.
>If you don't think it's an accurate statement of how some judges view the Constitution, make your case.
I do think that's an accurate statement. I disagree with 'people who see, for example, the "living Constitution" jurisprudence as not actually upholding the Constitution, but rather just saying what you want and calling it the law.'
One can disagree with the doctrine of a 'living Constitution' but there is more nuance and thought put behind the rationale than some conservatives want to admit. Both sides believe, in good faith, that what they're doing is upholding the Constitution.
>The former view makes the Constitution the final law; the latter makes policy the master over the Constitution.)
I prefer to see it as the former making the Founding Fathers the master over the Constitution, the latter making the people the master over it. The Constitution is a legal document, not the word of God, and nothing in the Constitution explicitly requires that it be interpreted according to strict originalist intent, so interpreting it either way is equally valid, and equally a matter of politics.
Well, the former makes the people of the Founding Fathers' generation the master over the Constitution (they ratified it). The latter makes the people of this generation the masters over it.
> Problem is, parts of the text are maddeningly vague, and they didn't exactly agree in their politics, so a single, simple, objective and provably correct interpretation of those rules is not always possible.
True.
>>If you don't think it's an accurate statement of how some judges view the Constitution, make your case.
I do think that's an accurate statement. I disagree with 'people who see, for example, the "living Constitution" jurisprudence as not actually upholding the Constitution, but rather just saying what you want and calling it the law.'
The original statement was "interpreting the Constitution in accordance with its original meaning or intent is sometimes unacceptable as a policy matter, and thus that an evolving interpretation is necessary". Deciding that "the original meaning is unacceptable" is exactly "deciding what you want and calling it the law". It's deciding, on the basis of what you think policy should be, what the Constitution should have said.
Let me put it this way: Trump may, before he's done, nominate three Supreme Court justices. Do you want those justices to decide based on what they think is "acceptable as a policy matter"? Or do you want them to be bound by what the text says?
> One can disagree with the doctrine of a 'living Constitution' but there is more nuance and thought put behind the rationale than some conservatives want to admit.
I will admit that - for at least some of those who hold that position. Others... their behavior seems to indicate that they want to rule over the Constitution, not to faithfully interpret it.
> so interpreting it either way is equally valid
Is it? We don't accept that reasoning with contracts, why should we with the Constitution?
(That is, if you have a contract, and you try to interpret the terms in ways that are outside the bounds of the words of the contract, a court isn't going to care how much you see the contract as a living document. They also aren't going to care how much you care about original intent. They're going to care about the words on the paper. I've seen it happen in court, with one side arguing creative meaning plus intent, and the other destroying them with the actual words.)
Nice discussion. I'll leave you the last word; I'm out for the next two days.
>Let me put it this way: Trump may, before he's done, nominate three Supreme Court justices. Do you want those justices to decide based on what they think is "acceptable as a policy matter"? Or do you want them to be bound by what the text says?
If I support decisions by previous courts, such as Roe v. Wade and Obergefell v. Hodges, then the intellectually honest position would be to concede that whomever Trump nominates has the right to do the same. I may not like it, but I do believe that is the Court's prerogative.
I don't think it's harmful to consider updated interpretations of the Constitution per se, although particular decisions can do harm even when they correctly reflect the attitudes of the time (as with Plessy v. Ferguson and segregation.) But then, obviously wrong interpretations can also be reversed. I think that we're a stronger democracy for being able to ask these questions, and consider the Constitution as evolving philosophy as much as a legal document, than if we were prevented from doing so.
>Is it? We don't accept that reasoning with contracts, why should we with the Constitution?
Well... the Constitution isn't a contract. If it were, it would be far more precise and verbose in its language, and you wouldn't have entire bodies of scholarship around the meaning of a comma.
But here we are in 2018, in the age of the internet, global surveillance, 3d printed guns, genome sequencing and a thousand other things the Founders would probably never have conceived of. If we remain bound only by the original intent of the original definition of the words of the Constitution when interpreting challenges and questions of Constitutional law, then I'm afraid the result is going to be that Constitution becoming less and less relevant to modern society.
> The Oath Keepers are more extreme than nearly all other white people. Just a fact. Read up on them and I think you will agree.
Are they more extreme than nearly all other non-white people as well? Or just more extreme than white people? ;-)
For non-americans, the idea of a group of people who do not instantly submit to individual figures in authority, but instead, resist those in authority if they believe that those in authority are infringing on rights that are protected by the constitution, may seem really bizarre.
To condemn an organization because their raison d'etre is such resistance, would be normal in other countries, but it's a little frightening how a quick google search shows that condemnation here in America (assuming the people who wrote those pages were American).
I know a lot of HN readers are not American, so just wanted to clarify that we do have a slightly less submissive culture over here.
> For non-americans, the idea of a group of people who do not instantly submit to individual figures in authority, but instead, resist those in authority if they believe that those in authority are infringing on rights that are protected by the constitution, may seem really bizarre.
Oath Keepers is a non-partisan association of current and formerly serving military, police, and first responders, who pledge to fulfill the oath all military and police take to “defend the Constitution against all enemies, foreign and domestic.” That oath, mandated by Article VI of the Constitution itself, is to the Constitution, not to the politicians, and Oath Keepers declare that they will not obey unconstitutional orders, such as orders to disarm the American people, to conduct warrantless searches, or to detain Americans as “enemy combatants” in violation of their ancient right to jury trial. See the Oath Keepers Declaration of Orders We Will Not Obey for details.
Oath Keepers is a far-right militia group with a history of racism and conspiracy-theorism (e.g. birtherism, sovereign citizenry) which regularly advocates and defends violent means of asserting these ideas. Pretty words from their mouths don't change that.
I read the southern poverty law center's summary of why they dislike the oath keepers. The cases they touch upon in very one-sided ways, the Bundy ranch, the Malheur Standoff, the Oregon miners, are all cases well known to me, where the oath keepers acted commendably. I invite you to read about those events in more detail, from other sources.
I am hardly the peanut gallery here. An accusation was flung at an honorable organization from out of the blue, and I responded to that accusation. Since this is your first appearance in the thread, I would suggest you are the peanut gallery here.
I will post a motherjones (not exactly conservative friendly site) that, while not complimentary, at least highlights that oath keepers is composed of individuals of diverse backgrounds and beliefs, and that they do strive to weed out bad actors when they are identified, just like any other group would do. I found the reporting to be relatively unscathing, considering its source, and I learned from it myself.
https://www.motherjones.com/politics/2010/02/oath-keepers/
FWIW, I knew it was a clever reference to the GOT sword after reading the title. It's obvious the project isn't based on or associated with a group using the same common words. Whether they are actually "extremist" is a different matter.
Suggesting that this project change its name, and that the oath keepers are a racist extremist group, are both absurd. From a little reading and watching of YouTube news clips it was quite easy to see that 2nd amendment and constitutional politics are not the same as racism and extremist groups. The oath keepers have African American members.
It's the same smear campaign that real extremist groups (the Marxist identity politics left) do to Jordan Peterson and Ben Shapiro.
If we were living in the colonial days, only the British would be calling them "radical" or "extremists". :D
Men of authority pledging not to bow to unconstitutional orders against citizens. Actually seems noble.
I suspect they get the "radical" and "extremist" label from our culture where those who aren't on the "correct" political side are labeled a Nazi or Communist.
It's more the rampant racism, conspiracy theorism, and calls to violence. Ironically their leadership engages in both of the labeling behaviors of which you complain. This is all documented in the link SauciestGNU provided.
There are only 2577 words on that page you linked, and most of them talk about the oathkeepers protecting businesses in Ferguson, the oathkeepers forming a buffer around the Malheur protestors in Oregon, and the oathkeepers responding to the Bundy and Oregon gold miner situations.
You did not read your own link, or you are putting all your eggs on the "McCain is a traitor" quote, which since McCain is a republican, you should love, and the Hillary rant about house to house confiscation of guns, which she has never outright advocated publicly, but has strongly suggested in speeches. That quote may be a bit paranoid, which is why it was selected from thousands of quotes to be included on that web page.
EDIT: Sorry, but there are a pretty small universe of reasons for your dislike on the page linked. I listed them. That's not mind-reading, that's just deduction.