HackerTrans
TopNewTrendsCommentsPastAskShowJobs

claystraw

no profile record

Submissions

When is OAuth2 and Open ID Connect Useful?

ory.dev
87 points·by claystraw·4 năm trước·17 comments

comments

claystraw
·5 năm trước·discuss
We actually want to have it work natively together, but just can't find the time to implement it. But the team is growing, so we'll definitely have something here soon! :)
claystraw
·5 năm trước·discuss
Does https://news.ycombinator.com/item?id=29330103 answer your questions or can I clarify further? :)
claystraw
·5 năm trước·discuss
Clerk (your profile says you're CTO) has a per-user pricing though? Or are you planning on changing it?

> It says "First 900 free" and "First 100 free" without any indication of what those numbers mean.

Thank you, we'll clarify that! It means that we're giving the first 900 "start up" and 100 "growth" plans away for free for a year
claystraw
·5 năm trước·discuss
Ah, thank you for the clarification and I agree! Another point is that 3rd party tools can easily deactivate profiles (we've seen enough posts on HN about being locked out of a Google account) which means users loose access to your system unless you have fallbacks in place.

It's also important to note that almost no 3rd party providers offer the ability to require 2FA as part of their flows. So if you need 2FA and similar, you'll end up with your own system again. And you'll probably use passwords, because proving that you own two things - eg email and device - is not a second factor. If someone steals your laptop (something you no longer own :D ) it's just one factor!
claystraw
·5 năm trước·discuss
Thank you Sytten, this comment makes me happy because it confirms our bias! MAU pricing has always been my personal enemy. Ory is and never will charge on a MAU basis. Instead, we'll be working with CPU, Memory, and Disk usage (like any other cloud provider) and with additional services on top. We're not fully there yet to communicate this clearly, but if you're interested check out the pricing page to understand where we want to land at: https://ory.dev/pricing/
claystraw
·5 năm trước·discuss
Nice, we'll add a guide shortly. This is already possible but we just didn't have time yet to add it to the guide :) If you want, create an issue in the GH (https://github.com/ory/kratos-nextjs-react-example/issues/ne...) repo for this so you get notified once it's available, and so we don't forget!
claystraw
·5 năm trước·discuss
With great power comes great responsibility :) Having the flexibility to build persistence yourself is great, it comes at the cost and responsibility of continuously maintaining it! We have run into so, so many edge cases. Here are some examples:

1. What do you do when a user with email "[email protected]" has already signed up, and now is trying to sign up using Google with "[email protected]"?

2. How do you ensure that a user can update sensitive information (e.g. their recovery email address, or linking additional "Sign in with" providers) while keeping a balance between security and user experience?

3. What if you now want to add biometric auth for native mobile apps, or 2FA?

The complexity in building your own is not starting with the first 10%. As your app and business grows, teams are faced with ever increasing requirements. Leaning on an established open source provider built by experts in the area just saves you so much time, headaches, and potential security oversights!

> What Db does Ory use? Should we set up our own.?

We support all prominent SQL systems - so PostgreSQL, MySQL, CockroachDB, SQLite, ... - and of course all cloud SQL vendors. You can also choose to run Ory in Ory Cloud, then we take care of all of this for you!

> Also, authentication and authorization are core for an app. If we do authentication here, how does authorization work? Can I bring my own authorization like oso etc.

Absolutely! We have a project for this also: https://github.com/ory/keto

Hope this clarifies your questions!
claystraw
·5 năm trước·discuss
Yes absolutely, you can use the Ory SDK's `toSession()` function to resolve a Session Cookie (for browsers) or Session Token (for non-browsers, e.g. native mobile apps) to its identity.

We have on the list to add a section about using Next's new middleware feature to protect API routes. Is that something you'd be interested in?
claystraw
·5 năm trước·discuss
Thank you for these questions! First of all I want to say that Ory Kratos is built for customer facing authentication first, so many of the enterprise requirements (e.g. LDAP integration) are still missing. Our vision is to build the de-facto open standard for auth, so enterprise IAM is on the roadmap. It just needs time & community feedback to get there :)

To answer your questions:

- Is it possible to have multiple organizations in one single instance? Can I have some superusers that have access to all organizations?

Depends how you interpret multiple organizations. If those are distinct users (meaning the same person has a profile in org A and org B and does not reuse them), so a true multi-tenant system, then this is not built in and we do not plan to add it.

Running Ory Kratos is very cheap in terms of resources (few MB of ram and no CPU on idle) so it's very affordable to spin up another instance. This doesn't work well for fully-automated deployments such as SaaS systems, but it does work if you are thinking about corporate systems.

You might also look for Ory Cloud, where you can deploy a new Ory Kratos instance with a simple API call.

- Can I delegate authentication for a subset of users (in my case this will always be an entire organization) to another authentication provider (say Microsoft ADFS)?

Yes! Right now we only support OpenID Connect and OAuth1/OAuth2 delegation but more to come.

- Do you support SAML 2.0 clients?

Not yet, but there's an active design document with discussions on different implementation scenarios.

- Do you have a REST API which can be used to create / deactivate users?

Creation - absolutely! Deactivation is not yet available as an API but identity state is already implemented, so adding it is really just a few lines of code.

There are also endpoints for revoking all active sessions which logs out users immediately of one to all systems.
claystraw
·5 năm trước·discuss
Both! :)

Ory Cloud is still in it's early phases and we have not been very good at communicating it well. Basically, we run Ory Kratos in Ory Cloud and it has full API and configuration and data compatibility with the version that is on GitHub! Our goal is to also allow users to easily switch from self-hosted to ory cloud and back - but it's still a bit of work until we get there.

If you just want to check our Ory Kratos and don't want to use the docker-compose command in the blog post, you can create an Ory Cloud account and use that instead of your local docker environment. That's basically the trade off you're making in a local environment. We have of course tons of plans for Ory Cloud but it's yet too early to share them with a broad audience.

We're currently focusing on gettin all of this much better communicated, and to make it easier to understand what the differences are. So totally get your confusion on it and can only say, we're working on making it better :) Hope this helped at least a little bit!
claystraw
·5 năm trước·discuss
Thank you! We've updated the links and they should work in a few minutes :)

All of Ory's Open Source software is unique in a way that we strictly follow domain-driven design. Solve one problem only, but solve it extremely well, and solve it in isolation. Ory Kratos (and other Ory Projects) are API only. The UI is up to you. You can use Ory for CLIs, fridges, TVs, native mobile apps, Java Server Pages, and React apps.

So, you're also free to choose the UX for your users with a very high degree of freedom - something we found very frustrating before we started working on Ory. Of course, there are some limitations (as always in software) but we try to focus them around security and not how we interpret that sign up flows should look like.

For those who just want something to work, we have templates one can use to get off the ground in a few minutes!
claystraw
·5 năm trước·discuss
I have not used NextAuth, so take my analysis with caution. As far as I can tell, NextAuth is similar to Passport.js as it offers many adapters to sign in with different providers (e.g. Twitch or Pipedrive). It is not an identity system though, so it does not have things like "update your profile info" or "link Google to this account". I think this manifests with missing password authentication. Even though that's no longer en-vogue and lots of marketing $$$ go into start ups promoting that passwords are bad, "something you know" (vs something you have, something you are) is still and always will be an important security factor in authentication that will most likely never go away.

If you do want to store users locally, you have some adapters you can use. They leave a lot of room for interpretation (or rather implementation), meaning that you will probably have to implement a lot of stuff from zero!

Ory Kratos is like the system behind the Google, Twitch, or Pipedrive profile management, so it has the database of users and it offers variety of user flows for e.g. updating sensitive information, adding WebAuthn 2FA, managing one's profile, and so on.

To conclude, you most likely will be able to combine NextAuth with Ory Kratos or Ory Hydra if it makes sense for your use case!
claystraw
·5 năm trước·discuss
Passport.js is an integration library for an identity system - so it's like a client library. As far as I know (it's been a while) it does not solve the "registration" or "password recovery" part itself. The system used in the blog post however does all of those things, from WebAuthn, to 2FA, to linking additional social sign in systems (e.g. Google or Twitter), and so on! So in this example, you could use Passport.js in combination with e.g. Ory Kratos. Hope this helps :)
claystraw
·5 năm trước·discuss
Hello, one of the maintainers of https://github.com/ory/kratos (the system used in the blog post) here :) We started Ory Kratos because we saw so many developers struggle with OAuth2 and OpenID Connect. If you have any questions around application auth, OAuth2, or Go, open source I'll try to do my best to answer them accurately!