Authorization and Policies


I’m trying to set up a full stack of Hydra, Oathkeeper, and Keto and I’m having trouble with permissions and authorization. I’m having trouble figuring out how to set up permissions for a large number of users and match them to Keto’s policies and the access tokens from Hydra (I know scopes != permissions, they’re just what a user delegates a client to be able to do on their behalf).

I have this set up on a Kubernetes cluster behind Ambassador using Hydra as my auth server and Oathkeeper/Keto as the decision point of my stack, but I’m having trouble figuring out how to handle permissions for users. As I have mentioned on other posts, I have multiple websites with multiple pre-existing user databases. These sites have free users and subscription users, with both types of users having access to a personal library of purchases they’ve made. I would like to be able to use the Ory stack to determine if a user is allowed to access a subscription page and access their personal library without being able to access other users’ libraries. Also, this would need to take the different sites into account so that a subscriber of one site couldn’t access another site’s subscription pages.

The problem I run into is that I can’t figure out how to translate this into Keto’s policies and match them with scopes on the access tokens. I can get partway there using roles in Keto, but doing that seems like I would need to add a role to every user in every database in Keto, and each site has between hundreds and thousands (some tens of thousands) of users.

I don’t expect you to solve this entire thing for me, but I was hoping you might be able to point me in the right direction for a solution or possibly give some advice, as I’ve been trying to work this out for a bit without much success.

Thank you for your time.

Sorry for the late reply (notifications are broken for me at the moment, have to figure out why). Keto is, unfortunately, at a very early stage right now. Maybe it would be better to design your system with a policy service that you prototype yourself, and once you have a design in place, you can try to translate it to Keto (if possible). Hope this helps at least a little bit!

No worries, I appreciate the response, and it is helpful :slight_smile:

Ah, ok. I didn’t realize it was still so early in development yet.

So, as I said, I’m using Oathkeeper as well. If I were to write my own policy service, would I be able to have Oathkeeper connect to it using the keto_engine_acp_ory authorizer (as it looks like this is the only authorizer that isn’t explicit approve/deny) by setting the base_url config value of keto_engine_acp_ory to my service and returning a 200 if approved and what, 403?, for deny?

Yes, 403 for deny :slight_smile:

We wanted to add a general purpose handler for calling authorization servers that are not keto for some time now, but didn’t have the capacities to do so. It’s definitely on the list and if you are open to contributing to Oathkeeper, we would definitely look forward to that! If you decide to tackle this, let me know on GitHub so we can discuss architecture before starting the work :slight_smile:
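The exchange above amounts to a small contract: Oathkeeper’s keto_engine_acp_ory authorizer POSTs a JSON body with `subject`, `action`, `resource` and `context` to the configured `base_url`, and the policy service answers 200 with `{"allowed": true}` or 403 with `{"allowed": false}`. The following is an added example of such a stand-in policy service, not code from the thread or from the Ory project. It assumes the request shape just described and that Oathkeeper appends a Keto-style path ending in `/allowed` to `base_url` (verify both against the Oathkeeper version in use). The `SUBSCRIPTIONS` table and the `site:kind:name` resource naming are constructed for the example; in a real deployment the lookup would query the existing per-site user databases, which avoids copying a role for every user into Keto. It encodes the two rules from the original question: a subscription page is readable only by a subscriber of that same site, and a library is readable only by its owner.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data standing in for the pre-existing per-site user
# databases: which sites each subject holds a subscription for.
SUBSCRIPTIONS = {
    "alice": {"site-a"},
    "bob": {"site-a", "site-b"},
}


def parse_resource(resource):
    """Split 'site-a:subscription:premium' or 'site-a:library:alice' into
    (site, kind, name). Returns None for anything that does not fit, so
    malformed resources fall through to a deny."""
    if not isinstance(resource, str):
        return None
    parts = resource.split(":")
    if len(parts) != 3 or not all(parts):
        return None
    return tuple(parts)


def decide(subject, action, resource):
    """Core policy decision: True if subject may perform action on resource.
    Only 'read' is modelled; every other action is denied (assumption)."""
    parsed = parse_resource(resource)
    if parsed is None or action != "read":
        return False
    site, kind, name = parsed
    if kind == "subscription":
        # Subscriber of site-a must not reach site-b's subscription pages.
        return site in SUBSCRIPTIONS.get(subject, set())
    if kind == "library":
        # Owner-only: no access to another user's library.
        return name == subject
    return False  # unknown resource kind -> deny by default


def evaluate(body):
    """Map an 'allowed' request body to (HTTP status, JSON response body):
    200 {"allowed": true} on approve, 403 {"allowed": false} on deny."""
    try:
        allowed = bool(decide(body["subject"], body["action"], body["resource"]))
    except (KeyError, TypeError):
        allowed = False  # missing or malformed fields are a deny
    return (200 if allowed else 403), {"allowed": allowed}


class PolicyHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front for evaluate(); answers only the .../allowed path."""

    def do_POST(self):
        if not self.path.endswith("/allowed"):
            self.send_response(404)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        try:
            body = json.loads(self.rfile.read(length) or b"{}")
        except json.JSONDecodeError:
            body = {}
        status, payload = evaluate(body)
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Point keto_engine_acp_ory's base_url at http://127.0.0.1:4466 (port chosen
    # for the example) to have Oathkeeper consult this service.
    HTTPServer(("127.0.0.1", 4466), PolicyHandler).serve_forever()
```

Because subjects are plain strings here, two sites that both have a user named "alice" would collide; a real service would use a site-qualified subject (or the Hydra subject identifier) when mapping back to each site’s database.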

Thank you Aeneasr, that is very helpful!

I’m not against contributing to Oathkeeper, but I don’t have any experience with Go (which I believe Oathkeeper is written in?).