Secure Keto using Oathkeeper


I would like to set up the ORY stack (Kratos, Keto, Oathkeeper).
Currently I have Kratos going through Oathkeeper and Keto being alone on the side.

I suppose simply adding `- KETO_URL=http://keto:4466/` in the Oathkeeper environment and creating an access rule won’t make it.
Would you be able to help with securing access to Keto with Oathkeeper?


Depends on what you’re looking for exactly :)

Hi @hackerman, thanks for the response.

I was thinking about securing it in pretty much the same manner as Kratos in the quickstart guide. If there is no RS256 token present for your machine, you can’t access Keto endpoints.

From our private conversation:

To give you some background, my team and I are creating a gamemode for GTA V. We decided to create an API so we could reuse it if the current gamemode doesn’t work out and we would like to try different games.
The API is built in Go utilizing gRPC.
As we found the ORY project, it became clear there is no point reinventing the wheel, hence we would like to try to utilize Kratos for user management and Keto for roles.
The setup we are after is Oathkeeper being the gateway to access Kratos and Keto.
Currently we have Kratos hooked up to Oathkeeper as in the quickstart guide. We quite like that way of restricting access via JWKS token.
I think if we had a simple example of restricting access to Keto endpoints using Oathkeeper, we would manage to take it forward into some advanced implementation.
If it’s possible to set it up pretty much the same way it is right now with Kratos, it would be awesome.

In that case you set up ORY Oathkeeper as a proxy in front of ORY Keto and configure the JWT Authenticator, as explained:
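
An added example, not part of the original reply and not taken from ORY's documentation: a sketch of an Oathkeeper access rule that proxies to Keto at the `http://keto:4466` address from the question and only forwards requests carrying a valid RS256 JWT. The rule id, the `/keto` path prefix, the public match URL, the JWKS URL, the issuer and the audience are assumptions (placeholders) to replace with your own values.

```yaml
# access-rules.yml (example; all values marked "placeholder" are assumptions)
#
# Prerequisites in the global Oathkeeper config (not shown here):
#   authenticators.jwt.enabled: true
#   authorizers.allow.enabled: true
#   mutators.noop.enabled: true
#
# Keto's port 4466 should only be reachable on the internal network
# (no published port in docker-compose), otherwise clients can bypass the proxy.
- id: "keto:protected"              # placeholder rule id
  upstream:
    url: "http://keto:4466"         # Keto address from the question
    strip_path: /keto               # remove the public prefix before forwarding
    preserve_host: true
  match:
    # Public URL as seen by Oathkeeper's proxy port (4455 by default).
    url: "http://127.0.0.1:4455/keto/<.*>"
    methods:                        # list only the methods your clients need
      - GET
      - POST
  authenticators:
    - handler: jwt
      config:
        jwks_urls:
          - "https://issuer.example.com/.well-known/jwks.json"   # placeholder
        allowed_algorithms:
          - RS256                   # reject tokens signed with any other algorithm
        trusted_issuers:
          - "https://issuer.example.com/"                        # placeholder
        target_audience:
          - "keto-api"                                           # placeholder
  # No anonymous authenticator is listed, so a request without a valid
  # token is rejected instead of being forwarded to Keto.
  authorizer:
    handler: allow                  # any request with a valid JWT passes
  mutators:
    - handler: noop                 # forward the request unchanged
  errors:
    - handler: json                 # return authentication failures as JSON
```

Pinning `allowed_algorithms`, `trusted_issuers` and `target_audience` keeps a token issued for another service or signed with a different algorithm from being accepted at the Keto route.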