generated from coulomb/repo-seed
Backfill all 23 research source notes with terminology extracts, modeling assumptions, conflicts, canonical mappings, and references. Refresh terminology artifacts, refine the conceptual model with explicit scenario paths, reconcile canon surfaces and open questions, and mark the workplan finished.
138 lines
5.8 KiB
Markdown
138 lines
5.8 KiB
Markdown
# Ory Kratos and Keto
|
|
|
|
## Source Type
|
|
|
|
Product documentation and open-source implementation reference for Ory Kratos
|
|
(identity management) and Ory Keto (relationship-based authorization).
|
|
|
|
## Domain
|
|
|
|
Cloud-native identity management, self-service flows, and ReBAC authorization
|
|
separation.
|
|
|
|
## Why This Source Matters
|
|
|
|
Ory Kratos identity/user management and Ory Keto relationship-based
|
|
authorization separation.
|
|
|
|
Ory explicitly separates identity management (Kratos) from authorization
|
|
(Keto). This architectural split is a strong reference for identity-canon's
|
|
P6 principle (authorization projections separate from identity model).
|
|
|
|
## Key Concepts
|
|
|
|
- **Identity (Kratos)**: core identity record with traits (schema-defined
|
|
attributes), credentials, verifiable addresses, and recovery settings.
|
|
- **Traits**: JSON attributes on an identity (email, name, etc.) governed by
|
|
identity schema.
|
|
- **Credential**: password, OIDC link, TOTP, WebAuthn, or lookup secret
|
|
attached to an identity.
|
|
- **Identity schema**: JSON Schema defining allowed traits and validation.
|
|
- **Session**: authenticated session bound to an identity after credential
|
|
verification.
|
|
- **Recovery / Verification flow**: self-service processes for account
|
|
recovery and address verification.
|
|
- **Relation tuple (Keto)**: `namespace:object#relation@subject` assertion
|
|
for ReBAC checks.
|
|
- **Namespace (Keto)**: typed object class in the authorization model with
|
|
defined relations and permissions.
|
|
- **Subject (Keto)**: entity in a relation tuple; may reference a Kratos
|
|
identity or arbitrary identifier.
|
|
- **Permission check**: evaluate whether a subject has a relation to an
|
|
object in a namespace.
|
|
|
|
## Relevant Terminology
|
|
|
|
| Term | Source meaning |
|
|
| --- | --- |
|
|
| Identity | Kratos record with traits and credentials; not authorization entity. |
|
|
| Traits | Schema-validated attributes on an identity. |
|
|
| Credential | Authentication factor bound to identity. |
|
|
| Session | Active authenticated state for an identity. |
|
|
| Schema | JSON Schema defining identity trait structure per use case. |
|
|
| Relation tuple | Subject-relation-object fact in Keto. |
|
|
| Namespace | Authorization object type with relation definitions. |
|
|
| Subject | Authorization participant in a tuple. |
|
|
| Object | Resource or entity being authorized in a tuple. |
|
|
| Relation | Named edge type between subject and object. |
|
|
|
|
## Modeling Assumptions
|
|
|
|
- **Identity and authorization are separate services** with distinct storage
|
|
and APIs.
|
|
- **Identity means traits + credentials**, not permissions.
|
|
- **Traits are schema-driven**, allowing multiple identity schemas per
|
|
deployment (consumer vs. admin personas).
|
|
- **Sessions are ephemeral** authentication state, not identity records.
|
|
- **Authorization uses Zanzibar-style tuples** in Keto, not Kratos groups or
|
|
roles.
|
|
- **Subjects in Keto may not map 1:1** to Kratos identities; integration is
|
|
application-level.
|
|
- **No first-class organization or tenant** in Kratos core; multi-tenancy is
|
|
application concern.
|
|
|
|
## Identity-Canon Implications
|
|
|
|
- Kratos **Identity** maps to **Identity Record** with **Profile** (traits)
|
|
and **Credential** attachments.
|
|
- Kratos does not use "account" explicitly; Identity is closer to Account +
|
|
Profile combined.
|
|
- **Session** is ephemeral auth state, not a canonical entity; maps to
|
|
downstream session projection.
|
|
- **Identity schema** maps to schema governance for Profile/Identity Record
|
|
attributes in a Scope.
|
|
- Keto **relation tuple** maps to **Relationship Tuple** (authorization
|
|
projection) or typed **Relationship** with authz implication.
|
|
- Keto **namespace** maps to **Authorization Domain** Scope.
|
|
- Keto **subject** maps to **Authorization Principal** projection.
|
|
- Strong evidence for **P6**: identity store and authorization graph are
|
|
orthogonal.
|
|
- Supports S01 (single local identity), S10 (service identity via traits +
|
|
credentials), S11 (agent via separate Keto tuples).
|
|
|
|
## Terminology Conflicts
|
|
|
|
- **Identity**: Kratos Identity is a record with credentials; conflicts with
|
|
bare "identity" meaning personhood or issuer subject.
|
|
- **Subject**: Keto subject is authorization participant; OIDC subject is
|
|
issuer identifier; different layers.
|
|
- **Traits vs. Profile**: traits are stored attributes; profile is
|
|
presentation — often conflated in Kratos.
|
|
- **Namespace**: Keto namespace is authorization object type; DNS/LDAP
|
|
namespace is naming scope.
|
|
- **No user term**: Kratos avoids "user" in API, but docs sometimes use it
|
|
informally.
|
|
|
|
## Candidate Canonical Mappings
|
|
|
|
| Ory concept | Candidate canonical concept |
|
|
| --- | --- |
|
|
| Kratos Identity | Identity Record + Account facet |
|
|
| Traits | Profile attributes |
|
|
| Credential | Credential |
|
|
| Session | Ephemeral auth projection (non-canonical) |
|
|
| Identity schema | Profile/record schema in Scope |
|
|
| Keto relation tuple | Relationship Tuple (authorization projection) |
|
|
| Keto namespace | Authorization Domain Scope |
|
|
| Keto subject | Authorization Principal |
|
|
| Keto object | Authorization Resource |
|
|
| Keto relation | Relationship type (authz) |
|
|
| Verification flow | Evidence Source event |
|
|
|
|
## Open Questions
|
|
|
|
- Should Kratos Identity be split into Account + Profile in canon, or kept
|
|
as unified Identity Record?
|
|
- How should Keto subjects that reference non-Kratos identifiers (e.g.,
|
|
`group:engineering#member`) map to canonical Group + Membership?
|
|
- Does Kratos multi-schema support (consumer vs. admin) map to Persona or
|
|
separate Identity Records?
|
|
- Should session be documented as a projection type in canon or remain
|
|
explicitly out of scope?
|
|
|
|
## References
|
|
|
|
- Ory Kratos documentation — https://www.ory.sh/docs/kratos/
|
|
- Ory Keto documentation — https://www.ory.sh/docs/keto/
|
|
- Ory Kratos identity model — https://www.ory.sh/docs/kratos/manage-user-identities/identity-schema
|
|
- Ory Keto relation tuples — https://www.ory.sh/docs/keto/concepts/relation-tuples |