I’m trying to set up a full stack of Hydra, Oathkeeper, and Keto and im having trouble with permissions and authorization. Im having trouble figuring out how to setup permissions for a large number of users and match them to Keto’s policies and the access tokens from Hydra(I know scopes != permissions, they’re just what a user delegates a client to be able to do on their behalf).
I have this set up on a kubernetes cluster behind ambassador using Hydra as my auth server and Oathleeper/Keto as the decision point of my stack, but I’m having trouble figuring out how to handle permissions for users. As I have mentioned on other posts, I have multiple websites with multiple pre-existing user databases. These sites have free users and subscription users, with both types of users having access to a personal library of purchases they’ve made. I would like to be able to use the Ory stack to determine if a user is allowed to access a subscription page and access their personal library without being able to access other user’s libraries. Also this would need to take the different sites into account so that a subscriber of one site couldn’t access another site’s subscription pages.
The problem I run into, is that I can’t figure out how to translate this into Keto’s policies and match them with scopes on the access tokens. I can get part way there using roles in Keto, but doing that seems like I would need to add a role to every user in every database in Keto, and each site has between hundreds and thousands(some tens of thousands) of users.
I don’t expect you to solve this entire thing for me, but i was hoping you might be able to point me in the right direction for a solution or possibly give some advice as I’ve been trying to work this out for a bit without much success.
Thank you for your time.