ORY Oathkeeper is an Identity & Access Proxy (IAP) that authorizes HTTP requests based on sets of rules. The BeyondCorp
Model is designed by Google and secures applications in Zero-Trust networks.
An Identity & Access Proxy is typically deployed in front of (think API Gateway) web-facing applications and is capable
of authenticating and optionally authorizing access requests.
While the full feature set of the BeyondCorp Whitepaper is not yet implemented, the goal of this project is to achieve this in the future.
ORY Oathkeeper is a reverse proxy which evaluates incoming HTTP requests based on a set of rules that are defined
by administartive users. ORY Oathkeeper is thus capable of:
- Identifying the user and providing the user session to API backends (authentication).
- Restricting access to certain resources based on a set of rules (authorization).
- Transforms access credentials (e.g. OAuth2 Access Tokens, SAML Assertions, ...) to a format (e.g. JSON Web Token, Plaintext, Basic Authorization, ...) consumable by your API services.
This service is stable, but under active development and may introduce breaking changes in future releases. Any breaking change will have extensive documentation and upgrade instructions.
Installation
There are various ways of installing ORY Oathkeeper on your system.
Download binaries
The client and server binaries are downloadable at releases.
There is currently no installer available. You have to add the ORY Oathkeeper binary to the PATH environment variable yourself or put
the binary in a location that is already in your path (/usr/bin
, ...).
If you do not understand what that all of this means, ask in our chat channel. We are happy to help.
Using Docker
Starting the host is easiest with docker. The host process handles HTTP requests and is backed by a database.
Read how to install docker on Linux, OSX or
Windows. ORY Oathkeeper is available on Docker Hub.
You can use ORY Oathkeeper without a database, but be aware that restarting, scaling
or stopping the container will lose all data:
$ docker run -e "DATABASE_URL=memory" -d --name my-oathkeeper -p 4455:4455 -p 4456:4456 oryd/oathkeeper serve api
ec91228cb105db315553499c81918258f52cee9636ea2a4821bdb8226872f54b
Building from source
If you wish to compile ORY Oathkeeper yourself, you need to install and set up Go 1.10+ and add $GOPATH/bin
to your $PATH
as well as golang/dep.
The following commands will check out the latest release tag of ORY Oathkeeper and compile it and set up flags so that oathkeeper version
works as expected. Please note that this will only work with a linux shell like bash or sh.
go get -d -u github.com/ory/oathkeeper
cd $(go env GOPATH)/src/github.com/ory/oathkeeper
OATHKEEPER_LATEST=$(git describe --abbrev=0 --tags)
git checkout $OATHKEEPER_LATEST
dep ensure -vendor-only
go install \
-ldflags "-X github.com/ory/oathkeeper/cmd.Version=$OATHKEEPER_LATEST -X github.com/ory/oathkeeper/cmd.BuildTime=`TZ=UTC date -u '+%Y-%m-%dT%H:%M:%SZ'` -X github.com/ory/oathkeeper/cmd.GitHash=`git rev-parse HEAD`" \
github.com/ory/oathkeeper
git checkout master
oathkeeper help
Ecosystem
ORY Security Console: Administrative User Interface
The ORY Security Console is a visual admin interface for managing ORY Hydra,
ORY Oathkeeper, and ORY Keto.
ORY Hydra: OAuth2 & OpenID Connect Server
ORY Hydra ORY Hydra is a hardened OAuth2 and OpenID Connect server optimized
for low-latency, high throughput, and low resource consumption. ORY Hydra is not an identity provider
(user sign up, user log in, password reset flow), but connects to your existing identity provider through a consent app.
ORY Keto: Access Control Policies as a Server
ORY Keto is a policy decision point. It uses a set of access control policies, similar
to AWS IAM Policies, in order to determine whether a subject (user, application, service, car, ...) is authorized to
perform a certain action on a resource.
Examples
The ory/examples repository contains numerous examples of setting up this project
individually and together with other services from the ORY Ecosystem.
Security
Disclosing vulnerabilities
If you think you found a security vulnerability, please refrain from posting it publicly on the forums, the chat, or GitHub
and send us an email to hi@ory.am instead.
Telemetry
Our services collect summarized, anonymized data which can optionally be turned off. Click
here to learn more.
Documentation
Guide
The Guide is available here.
HTTP API documentation
The HTTP API is documented here.
Upgrading and Changelog
New releases might introduce breaking changes. To help you identify and incorporate those changes, we document these
changes in UPGRADE.md and CHANGELOG.md.
Command line documentation
Run oathkeeper -h
or oathkeeper help
.
Develop
Developing with ORY Oathkeeper is as easy as:
go get -d -u github.com/ory/oathkeeper
cd $GOPATH/src/github.com/ory/oathkeeper
dep ensure
go test ./...
Then run it with in-memory database:
DATABASE_URL=memory go run main.go serve all
Backers
Thank you to all our backers! 🙏 [Become a backer]
We would also like to thank (past & current) supporters (in alphabetical order) on Patreon: Alexander Alimovs, Chancy Kennedy, Drozzy, Oz Haven, TheCrealm
Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]
A special thanks goes out to Wayne Robinson for supporting this ecosystem with $200 every month since Oktober 2016 on Patreon.