Skip to content

Latest commit

 

History

History
207 lines (146 loc) · 10.1 KB

README.md

File metadata and controls

207 lines (146 loc) · 10.1 KB

ORY Oathkeeper - Cloud Native Identity & Access Proxy

ORY Oathkeeper is an Identity & Access Proxy (IAP) that authorizes HTTP requests based on sets of rules. The BeyondCorp Model is designed by Google and secures applications in Zero-Trust networks. An Identity & Access Proxy is typically deployed in front of (think API Gateway) web-facing applications and is capable of authenticating and optionally authorizing access requests.

While the full feature set of the BeyondCorp Whitepaper is not yet implemented, the goal of this project is to achieve this in the future.

ORY Oathkeeper is a reverse proxy which evaluates incoming HTTP requests based on a set of rules that are defined by administartive users. ORY Oathkeeper is thus capable of:

  • Identifying the user and providing the user session to API backends (authentication).
  • Restricting access to certain resources based on a set of rules (authorization).
  • Transforms access credentials (e.g. OAuth2 Access Tokens, SAML Assertions, ...) to a format (e.g. JSON Web Token, Plaintext, Basic Authorization, ...) consumable by your API services.

This service is stable, but under active development and may introduce breaking changes in future releases. Any breaking change will have extensive documentation and upgrade instructions.

CircleCI Coverage Status Go Report Card


Installation

There are various ways of installing ORY Oathkeeper on your system.

Download binaries

The client and server binaries are downloadable at releases. There is currently no installer available. You have to add the ORY Oathkeeper binary to the PATH environment variable yourself or put the binary in a location that is already in your path (/usr/bin, ...). If you do not understand what that all of this means, ask in our chat channel. We are happy to help.

Using Docker

Starting the host is easiest with docker. The host process handles HTTP requests and is backed by a database. Read how to install docker on Linux, OSX or Windows. ORY Oathkeeper is available on Docker Hub.

You can use ORY Oathkeeper without a database, but be aware that restarting, scaling or stopping the container will lose all data:

$ docker run -e "DATABASE_URL=memory" -d --name my-oathkeeper -p 4455:4455 -p 4456:4456 oryd/oathkeeper serve api
ec91228cb105db315553499c81918258f52cee9636ea2a4821bdb8226872f54b

Building from source

If you wish to compile ORY Oathkeeper yourself, you need to install and set up Go 1.10+ and add $GOPATH/bin to your $PATH as well as golang/dep.

The following commands will check out the latest release tag of ORY Oathkeeper and compile it and set up flags so that oathkeeper version works as expected. Please note that this will only work with a linux shell like bash or sh.

go get -d -u github.com/ory/oathkeeper
cd $(go env GOPATH)/src/github.com/ory/oathkeeper
OATHKEEPER_LATEST=$(git describe --abbrev=0 --tags)
git checkout $OATHKEEPER_LATEST
dep ensure -vendor-only
go install \
    -ldflags "-X github.com/ory/oathkeeper/cmd.Version=$OATHKEEPER_LATEST -X github.com/ory/oathkeeper/cmd.BuildTime=`TZ=UTC date -u '+%Y-%m-%dT%H:%M:%SZ'` -X github.com/ory/oathkeeper/cmd.GitHash=`git rev-parse HEAD`" \
    github.com/ory/oathkeeper
git checkout master
oathkeeper help

Ecosystem

ORY Security Console

ORY Security Console: Administrative User Interface

The ORY Security Console is a visual admin interface for managing ORY Hydra, ORY Oathkeeper, and ORY Keto.

ORY Hydra: OAuth2 & OpenID Connect Server

ORY Hydra ORY Hydra is a hardened OAuth2 and OpenID Connect server optimized for low-latency, high throughput, and low resource consumption. ORY Hydra is not an identity provider (user sign up, user log in, password reset flow), but connects to your existing identity provider through a consent app.

ORY Keto: Access Control Policies as a Server

ORY Keto is a policy decision point. It uses a set of access control policies, similar to AWS IAM Policies, in order to determine whether a subject (user, application, service, car, ...) is authorized to perform a certain action on a resource.

Examples

The ory/examples repository contains numerous examples of setting up this project individually and together with other services from the ORY Ecosystem.

Security

Disclosing vulnerabilities

If you think you found a security vulnerability, please refrain from posting it publicly on the forums, the chat, or GitHub and send us an email to [email protected] instead.

Telemetry

Our services collect summarized, anonymized data which can optionally be turned off. Click here to learn more.

Documentation

Guide

The Guide is available here.

HTTP API documentation

The HTTP API is documented here.

Upgrading and Changelog

New releases might introduce breaking changes. To help you identify and incorporate those changes, we document these changes in UPGRADE.md and CHANGELOG.md.

Command line documentation

Run oathkeeper -h or oathkeeper help.

Develop

Developing with ORY Oathkeeper is as easy as:

go get -d -u github.com/ory/oathkeeper
cd $GOPATH/src/github.com/ory/oathkeeper
dep ensure
go test ./...

Then run it with in-memory database:

DATABASE_URL=memory go run main.go serve all

Backers

Thank you to all our backers! 🙏 [Become a backer]

We would also like to thank (past & current) supporters (in alphabetical order) on Patreon: Alexander Alimovs, Chancy Kennedy, Drozzy, Oz Haven, TheCrealm

Sponsors

Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]

A special thanks goes out to Wayne Robinson for supporting this ecosystem with $200 every month since Oktober 2016 on Patreon.