Chat | Forums | Newsletter

Guide | API Docs | Code Docs

Support this project!

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. The BeyondCorp Model is designed by Google and secures applications in Zero-Trust networks.

An Identity & Access Proxy is typically deployed in front of (think API Gateway) web-facing applications and is capable of authenticating and optionally authorizing access requests. The Access Control Decision API can be deployed alongside an existing API Gateway or reverse proxy. ORY Oathkeeper's Access Control Decision API works with:

• Ambassador via auth service.
• Envoy via the External Authorization HTTP Filter
• AWS API Gateway via Custom Authorizers
• Nginx via Authentication Based on Subrequest Result

among others.

This service is stable, but under active development and may introduce breaking changes in future releases. Any breaking change will have extensive documentation and upgrade instructions.

• Installation
• Ecosystem
  • ORY Security Console: Administrative User Interface
  • ORY Hydra: OAuth2 & OpenID Connect Server
  • ORY Keto: Access Control Policies as a Server
  • Examples
• Security
  • Disclosing vulnerabilities
• Telemetry
• Documentation
  • Guide
  • HTTP API documentation
  • Upgrading and Changelog
  • Command line documentation
  • Develop
• Backers
• Sponsors

Installation

Head over to the ORY Developer Documentation to learn how to install ORY Oathkeeper on Linux, macOS, Windows, and Docker and how to build ORY Oathkeeper from source.

Ecosystem

ORY Security Console: Administrative User Interface

The ORY Security Console is a visual admin interface for managing ORY Hydra, ORY Oathkeeper, and ORY Keto.

ORY Hydra: OAuth2 & OpenID Connect Server

ORY Hydra ORY Hydra is a hardened OAuth2 and OpenID Connect server optimized for low-latency, high throughput, and low resource consumption. ORY Hydra is not an identity provider (user sign up, user log in, password reset flow), but connects to your existing identity provider through a consent app.

ORY Keto: Access Control Policies as a Server

ORY Keto is a policy decision point. It uses a set of access control policies, similar to AWS IAM Policies, in order to determine whether a subject (user, application, service, car, ...) is authorized to perform a certain action on a resource.

Examples

The ory/examples repository contains numerous examples of setting up this project individually and together with other services from the ORY Ecosystem.

Security

Disclosing vulnerabilities

If you think you found a security vulnerability, please refrain from posting it publicly on the forums, the chat, or GitHub and send us an email to hi@ory.am instead.

Telemetry

Our services collect summarized, anonymized data which can optionally be turned off. Click here to learn more.

Documentation

Guide

The Guide is available here.

HTTP API documentation

The HTTP API is documented here.

Upgrading and Changelog

New releases might introduce breaking changes. To help you identify and incorporate those changes, we document these changes in UPGRADE.md and CHANGELOG.md.

Command line documentation

Run oathkeeper -h or oathkeeper help.

Develop

Developing with ORY Oathkeeper is as easy as:

$ cd ~
$ go get -d -u github.com/ory/oathkeeper
$ cd $GOPATH/src/github.com/ory/oathkeeper
$ export GO111MODULE=on
$ go test ./...

Backers

Thank you to all our backers! 🙏 [Become a backer]

We would also like to thank (past & current) supporters (in alphabetical order) on Patreon: Alexander Alimovs, Billy, Chancy Kennedy, Drozzy, Edwin Trejos, Howard Edidin, Ken Adler Oz Haven, Stefan Hans, TheCrealm

Sponsors

Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]

A special thanks goes out to Wayne Robinson for supporting this ecosystem with $200 every month since Oktober 2016 on Patreon.