Authentication Infrastructure – Using Ory Stack (Ory Kratos, Ory Hydra)

For a recent personal project, I wanted to deploy my own authentication infra from scratch instead of using cloud auth solutions. In search of a self-deployable, complete authentication solution that includes OAuth, I tried many things like Authelia, Keycloak, etc. But all of them had their fair share of issues which were not to my taste. For example, for Authelia I needed to add my own LDAP server. Keycloak, although quite powerful, was just not that lightweight and had a lot of configuration to be done in the UI itself, which was not to my taste.


After some search and trying out various things, I stumbled upon Ory Stack. And oh man it was gorgeous!


A few things that I loved about Ory stack from the start:

  • Completely open source with active development and huge community support. Check out their GitHub: Ory
  • It is built by security developers, from scratch, in Go.
  • It follows complete separation of concerns. More info: Introduction | Ory
    • Separate modules for different services:
      • Kratos for identity management
      • Hydra for OAuth 2.0 and OpenID Connect
      • Oathkeeper for identity and access proxy
      • Keto for access control
    • API-first approach, hence decoupled backend and UI.
    • Separate UI modules. You can in fact develop your own UI and integrate it.
  • Kratos handles everything related to identity management, i.e. user registration, verification, recovery, etc.
  • Effortless configuration: it can be done with a single YAML file.
  • Container ready, although I am not using it for now.
  • Can be deployed on almost all architectures and uses very few resources. I am using a Raspberry Pi 5 to host everything for now 😛
  • Excellent documentation.

So I decided to embark on this journey, in which I learnt a lot. Let me share it with you all.


For starters, let me tell you my plan:


  1. Set up your hosting hardware and expose it to the internet (you can use any hardware that can run Linux. I am using a Raspberry Pi 5 as it was cheap and consumes little electricity (electricity prices in the UK! Damn!)).
    • Install the necessary tooling: MySQL for the DB, etc.
  2. Get a domain name, add it to Cloudflare and route traffic from there to my Raspberry Pi.
    • Add a subdomain for authentication.
  3. Install nginx on my Raspberry Pi so that I can route traffic for different subdomains to different services.
    • For example, my main website would be on the domain abc.com and the authentication part on auth.abc.com. But since both names point to the same IP address (duh! anyone will generally have one internet connection at home), we need some way to segregate traffic arriving for the root domain and the subdomain(s) and send it to the respective services on our single server. nginx acts as a reverse proxy and does exactly that: it picks the backend for each request from the Host header, i.e. the server_name of each server block.
    • Create and add TLS certificates to nginx (HTTPS, bro!).
    • nginx pre-configuration for our auth subdomain with Ory Kratos
  4. Ory Kratos installation:
    • Install and configure Ory Kratos
    • Install and configure Ory Kratos UI [I am done till here right now…]
  5. Ory Hydra installation:
    • Install and configure Ory Hydra for OAuth
    • Install and configure Ory Hydra UI
    • nginx configuration
  6. Connect my website to OAuth using Hydra and Kratos
  7. Containerize everything
  8. Deploy everything on a Cloud Platform for production
  9. Mobile app Auth
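As an added example (not from the original post, and not Ory's or nginx's own sample config), here is what the nginx part of steps 2 and 3 looks like once Kratos is running: one server block per hostname on the same IP, TLS on both, plain HTTP redirected, and only the Kratos public API and its UI exposed. It assumes the Ory defaults of the Kratos public API on 127.0.0.1:4433 and the self-service UI on 127.0.0.1:4455, that kratos.yml sets serve.public.base_url to https://auth.abc.com/kratos/ so the path prefix works, Let's Encrypt certificate paths, and a main website listening on 127.0.0.1:3000. All of those are assumptions, as are the abc.com names taken from the plan above.

```nginx
# Added example, not from the original post or the Ory project.
# Assumptions: Kratos public API on 127.0.0.1:4433 and Kratos self-service UI on
# 127.0.0.1:4455 (Ory defaults), certificates issued by Let's Encrypt, the main
# website on 127.0.0.1:3000. abc.com / auth.abc.com are placeholders.

# Send every plain-HTTP request for either hostname to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name abc.com www.abc.com auth.abc.com;
    return 301 https://$host$request_uri;
}

# auth.abc.com: nginx selects this block from the Host / SNI name of the request.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name auth.abc.com;

    ssl_certificate     /etc/letsencrypt/live/auth.abc.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/auth.abc.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Kratos public (self-service) API, e.g. /kratos/self-service/login/browser.
    # Requires serve.public.base_url = https://auth.abc.com/kratos/ in kratos.yml.
    location /kratos/ {
        proxy_pass http://127.0.0.1:4433/;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Kratos self-service UI (login, registration, recovery pages).
    location / {
        proxy_pass http://127.0.0.1:4455;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # The Kratos admin API (127.0.0.1:4434 by default) is deliberately not
    # proxied: it can create and modify identities, so it stays local-only.
}

# abc.com: same host, same IP, different upstream.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name abc.com www.abc.com;

    ssl_certificate     /etc/letsencrypt/live/abc.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/abc.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Catch-all: a request for any hostname not listed above is dropped instead of
# being answered by whichever block nginx happens to pick first.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/letsencrypt/live/abc.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/abc.com/privkey.pem;
    return 444;
}
```

Check it with "sudo nginx -t" before "sudo systemctl reload nginx". One caveat for step 2: if the Cloudflare proxy (orange cloud) is switched on for these records, X-Forwarded-For and X-Real-IP will carry a Cloudflare edge address, and the real client IP arrives in the CF-Connecting-IP header instead, which matters for any rate limiting or logging done on Kratos' login and recovery flows.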


Feel free to skip to any sections you want.

Install Ubuntu and expose Raspberry Pi to internet – NeutronX Innovation Blog

Get a domain and route traffic to static IP address home server using Cloudflare – NeutronX Innovation Blog

Install nginx & route traffic for different subdomains – NeutronX Innovation Blog

Install Ory Kratos (API & UI) with email setup – NeutronX Innovation Blog