Creating an Ory Kratos + Keto Auth Plugin (vault-auth-plugin-ory)

[taylow]

Hello! 👋

Decided to move this from Slack to add details and see if we can get more traction, as I could do with some feedback!

We have developed a HashiCorp Vault auth plugin that integrates with Ory Kratos and Keto.
It generates Vault auth tokens on successful Kratos + Keto auth, with attached Vault policies based on Keto relation tuples.

The code can be found here: https://github.com/comnoco/vault-plugin-auth-ory (still WIP, but almost complete!)

The tl;dr of how this works is:

• Client makes authorisation request to Vault
  • Pass in the Kratos session cookie string
  • Pass in Keto namespace, object, and relation
• Vault directs this request to the plugin, providing the plugin with the above fields
• The plugin makes a request to Kratos to validate the session cookie
• On success, the user ID is fetched from the session (to act as the subject in the Keto call)
• The plugin makes a request to Keto to Check the namespace, object, relation, and subject
• On success, a Vault token is created with a policy that conforms to the naming schema namespace_relation, along with alias metadata that contains the Keto relation to be used in the policy.
  • This allows you to create Vault policies that follow that name to provide access to a path in Vault
  • There's an example policy in the repo that allows access to secret/data/workspace/[object]
• Token can now be used to access a specific secret path based on Keto rules

There is a HashiCorp forum post open that delves into the details, and we’re looking for feedback on the approach.
If anyone is familiar with Vault and Ory, please feel free to chime in! 🙏

https://discuss.hashicorp.com/t/creating-an-ory-kratos-keto-auth-plugin-vault-auth-plugin-ory/46624

[vinckr]

Thanks for sharing Taylor!
Would love to collaborate on a post for our blog for it when complete :)