Closed ysaakpr closed 10 months ago
Thanks, this is indeed a use-case that is not yet well discussed. Some ideas I have around that:
In general there should not be much of a problem for front-ends to talk to Keto directly. In cases where 100s of checks are needed at the same time Keto might get into trouble a bit, but that is up for experimentation. Especially with aggressive caching (#312) this should still work out fairly well, as it can be assumed that the set of tuples required for a check will be in cache with a high probability.
We are in a similar situation. The way we have chosen to approach this is:
/data/objecty/attributeX
in the same way as an API endpoint.
/userinfo endpoint of the OpenID specification, which is being called during login, and that endpoint returns the permissions of the user. So, depending on your needs, this can be the policies (features) and permissions the user has. Then, the front-end would keep these in local storage for a certain time period and use it to make the appropriate checks to decide on how to render the UI.

Thanks for the insights @avamonitoring, this is also what I expected as a typical use case. Very helpful :+1:
Hello contributors!
I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue
Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.
Unfortunately, burnout has become a topic of concern amongst open-source projects.
It can lead to severe personal and health issues as well as opening catastrophic attack vectors.
The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.
If this issue was marked as stale erroneously you can exempt it by adding the backlog
label, assigning someone, or setting a milestone for it.
Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!
Thank you 🙏✌️
@zepatrik is there any way, using a stack of Oathkeeper + Kratos + Keto, to implement a "mix" of your ideas (#2 and #3) to create an analog of Kratos's "to_session" based on Keto's "Query relation tuples" to retrieve a list of permissions only for the SubjectId we got from the Kratos session? This way, once a page is opened, it requests the actual list of permissions, with filters by namespace and object for a specific SubjectID. Then it will be possible to handle this array on the UI side and display the elements correctly without needing to check every permission separately.
If you manage to assemble the list using queries only, sure. I guess you still have to write a bit of glue code to make the right queries. We are actually planning to add an API that is the reverse of the current expand, so it gives you all objects a specific user has a specific relation to. I cannot give out a concrete timeline, but we aim for the next few months.
tl;dr what you propose is a good workaround for now
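The "glue code" mentioned above (and the /userinfo-style endpoint avamonitoring describes earlier in the thread) boils down to: query Keto's read API for every relation tuple whose subject is the logged-in user, page through the results, and hand the front-end one compact map it can cache. Below is an added example of that glue in Go; it is not code from the Ory Keto project. It assumes the read API shape `GET /relation-tuples?namespace=&subject_id=&page_size=&page_token=` returning `{"relation_tuples": [...], "next_page_token": "..."}`, and it stands up a small fake Keto (`newFakeKeto`, an assumed name) with constructed sample tuples so it runs offline. Note the caveat built into the design: the list only contains tuples that name the user directly, so anything the user gets through a subject set (group membership, parent-object inheritance) will not show up, which is exactly the gap the "reverse expand" API would close. The result is for rendering decisions only; the backend must still enforce with a proper check.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
)

// relationTuple is one entry of the read API response (assumed field names).
type relationTuple struct {
	Namespace string `json:"namespace"`
	Object    string `json:"object"`
	Relation  string `json:"relation"`
	SubjectID string `json:"subject_id,omitempty"`
}

type tuplePage struct {
	RelationTuples []relationTuple `json:"relation_tuples"`
	NextPageToken  string          `json:"next_page_token"`
}

// PermissionSet is what the front-end caches: object -> relations held directly.
type PermissionSet map[string]map[string]bool

// Allows answers the UI-side question "may I render this control?".
// Indexing a missing object yields a nil map, which safely returns false.
func (p PermissionSet) Allows(object, relation string) bool {
	return p[object][relation]
}

// fetchPermissions pages through GET /relation-tuples filtered by namespace
// and subject_id and folds every returned tuple into a PermissionSet.
func fetchPermissions(readURL, namespace, subjectID string) (PermissionSet, error) {
	perms := PermissionSet{}
	token := ""
	for {
		q := url.Values{}
		q.Set("namespace", namespace)
		q.Set("subject_id", subjectID)
		q.Set("page_size", "2") // small on purpose so paging is exercised
		if token != "" {
			q.Set("page_token", token)
		}
		resp, err := http.Get(readURL + "/relation-tuples?" + q.Encode())
		if err != nil {
			return nil, err
		}
		if resp.StatusCode != http.StatusOK {
			resp.Body.Close()
			return nil, fmt.Errorf("keto read API returned %d", resp.StatusCode)
		}
		var page tuplePage
		err = json.NewDecoder(resp.Body).Decode(&page)
		resp.Body.Close()
		if err != nil {
			return nil, err
		}
		for _, t := range page.RelationTuples {
			if perms[t.Object] == nil {
				perms[t.Object] = map[string]bool{}
			}
			perms[t.Object][t.Relation] = true
		}
		if page.NextPageToken == "" { // last page reached
			return perms, nil
		}
		token = page.NextPageToken
	}
}

// Constructed sample data: alice holds three direct relations, bob one.
var sampleTuples = []relationTuple{
	{"documents", "report-1", "view", "alice"},
	{"documents", "report-1", "edit", "alice"},
	{"documents", "report-2", "view", "alice"},
	{"documents", "report-2", "edit", "bob"},
}

// newFakeKeto serves the tuples with the assumed filter and paging shape,
// using the offset into the matched list as an opaque page token.
func newFakeKeto(tuples []relationTuple) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/relation-tuples" {
			http.NotFound(w, r)
			return
		}
		q := r.URL.Query()
		var matched []relationTuple
		for _, t := range tuples {
			if t.Namespace == q.Get("namespace") && t.SubjectID == q.Get("subject_id") {
				matched = append(matched, t)
			}
		}
		start, _ := strconv.Atoi(q.Get("page_token")) // "" parses as 0
		size, _ := strconv.Atoi(q.Get("page_size"))
		if size <= 0 {
			size = len(matched)
		}
		if start > len(matched) {
			start = len(matched)
		}
		end := start + size
		if end > len(matched) {
			end = len(matched)
		}
		page := tuplePage{RelationTuples: matched[start:end]}
		if end < len(matched) {
			page.NextPageToken = strconv.Itoa(end)
		}
		json.NewEncoder(w).Encode(page)
	}))
}

// loadPermissionsFromFakeKeto is the "session to permission list" step a
// /userinfo-style endpoint would run for the subject taken from the session.
func loadPermissionsFromFakeKeto(subjectID string) (PermissionSet, error) {
	srv := newFakeKeto(sampleTuples)
	defer srv.Close()
	return fetchPermissions(srv.URL, "documents", subjectID)
}

func main() {
	perms, err := loadPermissionsFromFakeKeto("alice")
	if err != nil {
		panic(err)
	}
	out, _ := json.Marshal(perms)
	fmt.Println(string(out)) // the blob the front-end would keep in local storage
	fmt.Println("alice may edit report-2:", perms.Allows("report-2", "edit"))
}
```

In a real deployment the handler would read the subject from the Kratos session, call the Keto read URL instead of the fake, and should bound the page loop (or cap `page_size` far higher than 2) so a subject with thousands of tuples does not turn the login flow into a long series of round trips.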
Hello contributors!
I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue
Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.
Unfortunately, burnout has become a topic of concern amongst open-source projects.
It can lead to severe personal and health issues as well as opening catastrophic attack vectors.
The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.
If this issue was marked as stale erroneously you can exempt it by adding the backlog
label, assigning someone, or setting a milestone for it.
Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!
Thank you 🙏✌️
Keto is getting wider adoption recently in the open source application stack. I'm wondering how we would achieve UI / browser app / mobile app level UI permission control using Keto. As of today there is no well-defined way to use Keto for frontend permission checks. Frontend UI permission handling is usually like:
All of these kinds of decisions need to be taken care of, and one UI page can have 10s or 100s of such UI decisions, depending on different user scenarios. Having a Keto API won't help in these cases (it will add so much latency), and we would have to review how to allow such a system to take support from Keto.