DEV Community

Niclas

Using OSS to secure your web-app / app / ...

"Security is hard. You shouldn't implement it yourself."

That's a phrase I have heard a lot by now, and it's true for the most part.
Aside from that, why bother implementing the same functionality for different projects all over again?

To solve this issue, providers like Firebase, Auth0, ... often step in and provide user management and permission management.
These solutions work fine but get costly very quickly.
But the main 'not-selling point' for me is that they are not open source and cannot be hosted by myself.
I like being able to have control over things I invest my time in.

There are some open-source solutions that are trying to solve this issue; one of them is Keycloak.
Keycloak solves this problem well but introduces some other problems: it is very complex, and custom styling is anything but easy if you want to use something like Next.js to fully integrate the login/registration into your web app.

But Keycloak isn't the only player in the field.

After some searching I found Ory.
They provide several isolated applications for different auth concerns:

You can use everything together in their cloud variant 'Ory Network' or host it yourself. It is even possible to use only some of the applications, as each can be used independently of the others.

The functionality needed for 90% of all applications can be covered by Kratos and Keto; yes, even social sign-in, multi-factor authentication and passwordless login via WebAuthn.

What sets Ory's products apart from other open-source solutions is that their mantra is 'Bring your own UI'.
The (self-hosted) applications themselves only provide an API (REST and partially gRPC).
You can use one of the (example) UIs developed by Ory, but the normal way is to use your own UI.
More areas where Ory is different can be found in the Ory docs.

The project I'm currently working on uses Next.js, and it's directly supported by Ory. It works flawlessly so far.

If you decide to use Kratos it can seem odd at first, but the design decisions make sense if you think about them.
Kratos provides an abstract representation of which elements are needed, e.g. on the login page, the registration page or the user settings.
With this abstract representation it is possible to render HTML elements or an app UI dynamically.
The benefit of this technique: adding e.g. a new social login is as easy as adding it in the Kratos config. Your UI will update automatically, without any code change or deployment.
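To make the 'render the flow dynamically' idea concrete, here is an added example (my own code, not Ory's) that turns the `ui.nodes` of a Kratos self-service flow into an HTML form. It assumes the node shape Kratos returns (`attributes.name`, `attributes.type`, `attributes.value`, `meta.label.text`); the flow JSON itself is a constructed sample, not a real Kratos response. Because node values come from the server and end up in HTML attributes, every value is escaped before it is emitted.

```javascript
// Render a form from the `ui.nodes` of a Kratos self-service flow.
// Node shape follows the Kratos flow JSON as assumed in the lead-in.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));

function renderNode(node) {
  const a = node.attributes;
  if (a.node_type !== "input") return ""; // text/image/script nodes not handled here
  const label = node.meta?.label?.text ?? a.name;
  const name = escapeHtml(a.name);
  const value = a.value === undefined ? "" : ` value="${escapeHtml(a.value)}"`;
  if (a.type === "hidden") return `<input type="hidden" name="${name}"${value}>`;
  if (a.type === "submit") return `<button type="submit" name="${name}"${value}>${escapeHtml(label)}</button>`;
  const req = a.required ? " required" : "";
  return `<label>${escapeHtml(label)} <input type="${escapeHtml(a.type)}" name="${name}"${value}${req}></label>`;
}

function renderFlow(flow) {
  const inner = flow.ui.nodes.map(renderNode).filter(Boolean).join("\n");
  return `<form action="${escapeHtml(flow.ui.action)}" method="${escapeHtml(flow.ui.method)}">\n${inner}\n</form>`;
}

// Constructed sample login flow: hidden CSRF token, password form, one OIDC provider.
// A second provider enabled in the Kratos config would just appear as another
// "oidc" node, and the same renderer shows it without any code change.
const sampleFlow = {
  ui: {
    action: "https://kratos.example/self-service/login?flow=FLOW_ID_PLACEHOLDER",
    method: "POST",
    nodes: [
      { type: "input", group: "default", attributes: { name: "csrf_token", type: "hidden", value: "constructed-token", node_type: "input" }, meta: {} },
      { type: "input", group: "password", attributes: { name: "identifier", type: "text", required: true, node_type: "input" }, meta: { label: { text: "E-Mail" } } },
      { type: "input", group: "password", attributes: { name: "password", type: "password", required: true, node_type: "input" }, meta: { label: { text: "Password" } } },
      { type: "input", group: "password", attributes: { name: "method", type: "submit", value: "password", node_type: "input" }, meta: { label: { text: "Sign in" } } },
      { type: "input", group: "oidc", attributes: { name: "provider", type: "submit", value: "github", node_type: "input" }, meta: { label: { text: "Sign in with GitHub" } } },
    ],
  },
};

console.log(renderFlow(sampleFlow));
```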

You can use Kratos to store much more than just email and password.
With custom identity schemas you can define which fields are required or allowed for an identity (= user).
There can even be several identity types, each requiring different information, at the same time.

For handling permissions and access control, Ory Keto can be used.
It is based on Zanzibar: Google's Consistent, Global Authorization System and uses a graph to evaluate permissions.
Through this method it is very flexible in how permissions are organized.
Allowed access is represented as an existing path between two nodes in the graph.

Hierarchical structures can easily be realized and changed at any time.
With the right concept it is even possible to restructure your entire permission model without the need to deploy your application again.

Maybe it's worth trying out Ory for your next project, you probably will like it ;)
