Best approach for Ory Kratos and Keto in a microservice architecture

[noctera]

Hi,
I was checking the docs about Kratos and Keto the last days, trying to experiment with the Ory stack next to Keycloak. As the documentation about the combination of both is a little bit sparse, I will try my luck and ask you guys who might be a bit more experienced.

I was planning to build a microservice architecture that include Flask microservices and a Nextjs frontend which will access them (Later there might be a mobile app). Everything should only be accessible when a user is logged in. In addition to that there should be roles like "user" or "admin" that will restrict specific routes to users that have them only. The frontend should have access to that roles too, and conditionally render components based on those roles.

My current implementation in Keycloak is, that the frontend signs in, gets a JWT that includes the roles assigned to a user via Keycloak. This JWT gets checked via a middleware in the Flask services, and the roles are parsed and checked against the current route. The same is done in the frontend. The microservices itself have routes, on which they call each other, that should only be accessible from the microservices itself, not the logged in user

Now to the Ory part. As I have seen in some examples, you can use Ory Kratos and Keto. When it comes to the auth and permission check in the Flask microservices, the /whoami route is used and with a direct call to keto you can check the permission.
But this approach is more complex for the frontend. As I have seen in another post, you might need to parse every permission for a user via a request to keto to achieve this.
Another question about this approach is, if this won't be too many requests, if I query Kratos and Keto each time I make a request via the middleware. A JWT approach is less much resource intensive

So Ory Oathkeeper would be an option too, which works as a reverse proxy before those services doing permissions for routes in its middleware. But with this approach, I can't do the conditional rendering in the Frontend.

As you can see, I am a little bit confused what is the right setup/approach when using Ory for a microservice architecture.
Could you help me out with this, sharing your ideas, please :)

Greetings
Julian

[vinckr]

hey @noctera

Your use case is quite complex and involves several components of the Ory stack. Let's try to break it down:

1. Ory Kratos is an identity management server that can handle user login, registration, and verification flows. It provides a /sessions/whoami API that can be used to check if a request contains a session or not, which can be useful for your Flask microservices to authenticate requests [source].
2. Ory Keto is an access control server that can be used to perform permission checks. You can call the check method of the OryPermissions client to check if a certain action is allowed for a user [source].
3. As you mentioned, this approach might result in many requests if you query Kratos and Keto each time you make a request via the middleware. This is where Ory Oathkeeper can come in. Ory Oathkeeper is an Identity and Access Proxy that can authorize incoming HTTP requests. It can act as a reverse proxy in front of your upstream API or web server, rejecting unauthorized requests and forwarding authorized ones to your server [source]. By the way you can also use Ory Network where Ory handles this problem for you, for example with global edge session caching.
4. In terms of your frontend, you can use Ory Oathkeeper to proxy requests to Ory Kratos' Public API so that all requests come from the same hostname. This can help avoid common cross-domain issues with cookies [source].
5. For your requirement of conditional rendering in the frontend based on user roles, you might need to make additional requests to Keto to fetch the permissions for a user. However, this could be optimized by caching the permissions in the frontend and updating them only when necessary.

A JWT approach is less much resource intensive

That is true, but you also always get the latest data from the authentication/authorization(Kratos/Keto) server. So when the user logs out or a permission changes this is instantly reflected. It does depend on the use case what you want, did you have a specific case in mind where you wanted to use Ory?

I hope this gives you a starting point for your implementation.