Auth Services Configuration
Configuration for Ory Kratos, Ory Hydra, OpenFGA, and Ory Oathkeeper.
Ory Kratos (Identity Management)
APPSERVER_KRATOS_PUBLIC_URL
- Public API endpoint for authentication flows (login, registration, session lookup)
- Default: http://localhost:4433
- Used by: Shell, end users
APPSERVER_KRATOS_ADMIN_URL
- Admin API endpoint for user management
- Default: http://localhost:4434
- Used by: AppServer backend only. The Kratos Admin API has no authentication of its own, so this endpoint must be reachable from the backend network only, never from end users.
APPSERVER_KRATOS_TIMEOUT
- Request timeout for calls to the Kratos APIs
- Default: 5s
APPSERVER_SESSION_COOKIE_NAME
- Name of the Kratos session cookie the backend reads to identify the caller
- Default: ory_kratos_session
TODO: Document Kratos configuration file location and key settings
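The backend does not need the Admin API to find out who a request belongs to: it forwards the session cookie named by APPSERVER_SESSION_COOKIE_NAME to the public `GET /sessions/whoami` endpoint and trusts only a 200 with `active: true`. The following is an added illustration of that check, not the AppServer project's own code. The `transport` parameter is a hypothetical injection point so the logic can be exercised offline against canned Kratos responses; the defaults are the ones documented above.

```python
import json
import os
import urllib.error
import urllib.request

# Defaults from this page; the environment overrides them.
KRATOS_PUBLIC_URL = os.environ.get("APPSERVER_KRATOS_PUBLIC_URL", "http://localhost:4433")
SESSION_COOKIE_NAME = os.environ.get("APPSERVER_SESSION_COOKIE_NAME", "ory_kratos_session")
KRATOS_TIMEOUT = 5.0  # seconds, the APPSERVER_KRATOS_TIMEOUT default of 5s


def http_get(url, headers, timeout):
    """Real transport: GET `url` and return (status, body).

    Connection errors and timeouts are reported as status None so that the
    caller fails closed instead of treating a dead Kratos as "logged in".
    """
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:        # 401, 403, 5xx: body still useful for logs
        return e.code, e.read()
    except OSError:                            # URLError, refused connection, timeout
        return None, b""


def whoami(cookie_value, transport=http_get):
    """Return the identity behind a Kratos session cookie value, or None.

    Only the Kratos session cookie is forwarded, never the browser's whole
    Cookie header, and only the public URL is used: reading a session does
    not require the Admin API, so the backend's admin credentials stay out
    of this path.
    """
    if not cookie_value:
        return None
    status, body = transport(
        KRATOS_PUBLIC_URL.rstrip("/") + "/sessions/whoami",
        {"Cookie": f"{SESSION_COOKIE_NAME}={cookie_value}", "Accept": "application/json"},
        KRATOS_TIMEOUT,
    )
    if status != 200:          # 401 = no or expired session, None = transport failure
        return None
    try:
        session = json.loads(body)
    except ValueError:
        return None
    # Kratos answers 401 for inactive sessions, but trust the flag over the status code.
    if not session.get("active"):
        return None
    return session.get("identity")
```

Because `whoami` takes the transport as an argument, the same function runs unchanged in production (with `http_get`) and in tests (with a stub), and the fail-closed behaviour on transport errors is covered by the same code path.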
Ory Hydra (OAuth2/OIDC)
APPSERVER_HYDRA_PUBLIC_URL
- Public OAuth2/OIDC endpoint (authorization, token, discovery)
- Default: http://localhost:4444
- Used by: OAuth clients
APPSERVER_HYDRA_ADMIN_URL
- Admin API endpoint (client management, login and consent handling)
- Default: http://localhost:4445
- Used by: AppServer backend only. Like the Kratos Admin API, the Hydra Admin API is unauthenticated and must not be exposed to clients or end users.
TODO: Document Hydra configuration and consent flows
OpenFGA (Authorization)
APPSERVER_OPENFGA_API_URL
- OpenFGA API endpoint
- Default: http://localhost:8090
APPSERVER_OPENFGA_STORE_ID
- OpenFGA store identifier
- Required: Yes
APPSERVER_OPENFGA_MODEL_ID
- Authorization model ID
- Optional: uses the latest model in the store if not specified. Pin it in production, otherwise writing a new model changes authorization decisions immediately and without a deploy.
APPSERVER_OPENFGA_TIMEOUT
- Request timeout for calls to OpenFGA
- Default: 5s
TODO: Document OpenFGA model setup and tuples
Ory Oathkeeper (API Gateway)
APPSERVER_OATHKEEPER_PROXY_URL
- Reverse proxy endpoint (traffic that must pass the access rules)
- Default: http://localhost:4455
APPSERVER_OATHKEEPER_API_URL
- API endpoint for rule management
- Default: http://localhost:4456
TODO: Document Oathkeeper rules configuration
App Authentication
APPSERVER_SIGNATURE_REPLAY_WINDOW
- Replay protection window for request signatures: signatures older than this are rejected, and within it a repeated signature is detected as a replay
- Default: 5m
APPSERVER_CLOCK_SKEW_TOLERANCE
- Clock skew tolerated between app and server when checking a signature's timestamp
- Default: 30s
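How the two windows fit together is easiest to see in code. The following is an added example, not the AppServer project's own signing scheme: it assumes a hypothetical layout in which the app signs `timestamp, nonce, method, path, sha256(body)` with an HMAC-SHA256 key; the real wire format may differ. The timestamp check uses the 30s skew tolerance, the nonce cache uses the 5m replay window, and a nonce is remembered for exactly as long as its timestamp could still be accepted, so there is no gap an attacker can replay into.

```python
import hashlib
import hmac
import secrets
import time

# Defaults from this page, in seconds.
SIGNATURE_REPLAY_WINDOW = 5 * 60   # APPSERVER_SIGNATURE_REPLAY_WINDOW = 5m
CLOCK_SKEW_TOLERANCE = 30          # APPSERVER_CLOCK_SKEW_TOLERANCE = 30s


def canonical_request(timestamp, nonce, method, path, body):
    """Bytes covered by the signature (hypothetical layout, see lead-in)."""
    return b"\n".join([
        str(int(timestamp)).encode(),
        nonce.encode(),
        method.upper().encode(),
        path.encode(),
        hashlib.sha256(body).hexdigest().encode(),
    ])


def sign_request(key, timestamp, nonce, method, path, body):
    """App side: hex HMAC-SHA256 over the canonical request."""
    return hmac.new(key, canonical_request(timestamp, nonce, method, path, body),
                    hashlib.sha256).hexdigest()


def new_nonce():
    """App side: 128 random bits per request."""
    return secrets.token_hex(16)


class SignatureVerifier:
    """Server side. `now` is injectable so the windows can be tested offline."""

    def __init__(self, key, now=time.time):
        self.key = key
        self.now = now
        self._seen = {}   # nonce -> timestamp of the request it was accepted with

    def remembered(self):
        return len(self._seen)

    def _evict(self, now):
        # A nonce can be forgotten once its timestamp would fail the age check
        # anyway; keeping it shorter than that would open a replay gap.
        oldest_acceptable = now - SIGNATURE_REPLAY_WINDOW - CLOCK_SKEW_TOLERANCE
        for nonce, ts in list(self._seen.items()):
            if ts < oldest_acceptable:
                del self._seen[nonce]

    def verify(self, timestamp, nonce, method, path, body, signature):
        """Return (accepted, reason).

        Order matters: the cheap timestamp check runs first, then the MAC, and
        the nonce is recorded only after the MAC succeeds so an unauthenticated
        sender cannot fill the replay cache with junk.
        """
        now = self.now()
        if timestamp > now + CLOCK_SKEW_TOLERANCE:
            return False, "timestamp in the future"
        if timestamp < now - SIGNATURE_REPLAY_WINDOW - CLOCK_SKEW_TOLERANCE:
            return False, "timestamp too old"
        expected = sign_request(self.key, timestamp, nonce, method, path, body)
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        self._evict(now)
        if nonce in self._seen:
            return False, "replayed nonce"
        self._seen[nonce] = timestamp
        return True, "ok"
```

In a multi-instance deployment the nonce cache has to be shared (or requests pinned to one verifier), otherwise a replay against a second instance succeeds; the retention rule in `_evict` is what bounds that shared cache.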
APPSERVER_AUTH_ALLOW_BOOTSTRAP_REGISTRATION
- Allow apps to self-register without pre-issued certificates. While enabled, any caller that can reach the registration endpoint can enrol as an app, since nothing pre-issued is required.
- Default: true (dev), false (prod)
- ⚠️ Warning: Disable in production
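The settings on this page are easy to get subtly wrong (a timeout misparsed as zero, bootstrap registration left on, an admin URL that coincides with a public one). The following loader is an added example that applies the documented defaults and refuses the dangerous combinations at startup; it is not the AppServer project's own configuration code. It assumes a hypothetical APPSERVER_ENV variable with values `dev` and `prod` to select the dev/prod default for bootstrap registration, since the page does not say how that choice is made.

```python
import re
from dataclasses import dataclass
from typing import Optional

_DURATION = re.compile(r"^(\d+)(ms|s|m|h)$")
_UNIT_SECONDS = {"ms": 0.001, "s": 1.0, "m": 60.0, "h": 3600.0}


def parse_duration(text):
    """'5s' -> 5.0, '5m' -> 300.0, '30s' -> 30.0. Anything else is an error:
    a silently misparsed timeout means either no timeout or a dead service."""
    m = _DURATION.match(text.strip())
    if not m:
        raise ValueError(f"invalid duration: {text!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def parse_bool(text):
    v = text.strip().lower()
    if v in ("1", "true", "yes"):
        return True
    if v in ("0", "false", "no"):
        return False
    raise ValueError(f"invalid boolean: {text!r}")


@dataclass
class AuthConfig:
    env: str
    kratos_public_url: str
    kratos_admin_url: str
    kratos_timeout: float
    session_cookie_name: str
    hydra_public_url: str
    hydra_admin_url: str
    openfga_api_url: str
    openfga_store_id: str
    openfga_model_id: Optional[str]
    openfga_timeout: float
    oathkeeper_proxy_url: str
    oathkeeper_api_url: str
    signature_replay_window: float
    clock_skew_tolerance: float
    allow_bootstrap_registration: bool


def load_auth_config(env):
    """Build AuthConfig from a mapping of environment variables.

    Returns (config, warnings). Hard failures raise ValueError: a missing
    OpenFGA store, bootstrap registration in prod, and an admin URL that is
    also a public URL are refused rather than warned about.
    """
    stage = env.get("APPSERVER_ENV", "dev")   # assumption: not documented on this page
    is_prod = stage == "prod"
    store_id = env.get("APPSERVER_OPENFGA_STORE_ID")
    if not store_id:
        raise ValueError("APPSERVER_OPENFGA_STORE_ID is required")
    cfg = AuthConfig(
        env=stage,
        kratos_public_url=env.get("APPSERVER_KRATOS_PUBLIC_URL", "http://localhost:4433"),
        kratos_admin_url=env.get("APPSERVER_KRATOS_ADMIN_URL", "http://localhost:4434"),
        kratos_timeout=parse_duration(env.get("APPSERVER_KRATOS_TIMEOUT", "5s")),
        session_cookie_name=env.get("APPSERVER_SESSION_COOKIE_NAME", "ory_kratos_session"),
        hydra_public_url=env.get("APPSERVER_HYDRA_PUBLIC_URL", "http://localhost:4444"),
        hydra_admin_url=env.get("APPSERVER_HYDRA_ADMIN_URL", "http://localhost:4445"),
        openfga_api_url=env.get("APPSERVER_OPENFGA_API_URL", "http://localhost:8090"),
        openfga_store_id=store_id,
        openfga_model_id=env.get("APPSERVER_OPENFGA_MODEL_ID") or None,
        openfga_timeout=parse_duration(env.get("APPSERVER_OPENFGA_TIMEOUT", "5s")),
        oathkeeper_proxy_url=env.get("APPSERVER_OATHKEEPER_PROXY_URL", "http://localhost:4455"),
        oathkeeper_api_url=env.get("APPSERVER_OATHKEEPER_API_URL", "http://localhost:4456"),
        signature_replay_window=parse_duration(env.get("APPSERVER_SIGNATURE_REPLAY_WINDOW", "5m")),
        clock_skew_tolerance=parse_duration(env.get("APPSERVER_CLOCK_SKEW_TOLERANCE", "30s")),
        allow_bootstrap_registration=parse_bool(
            env.get("APPSERVER_AUTH_ALLOW_BOOTSTRAP_REGISTRATION", "false" if is_prod else "true")),
    )
    if is_prod and cfg.allow_bootstrap_registration:
        raise ValueError("APPSERVER_AUTH_ALLOW_BOOTSTRAP_REGISTRATION must be false in prod")
    public = {cfg.kratos_public_url, cfg.hydra_public_url, cfg.oathkeeper_proxy_url}
    for name, url in (("APPSERVER_KRATOS_ADMIN_URL", cfg.kratos_admin_url),
                      ("APPSERVER_HYDRA_ADMIN_URL", cfg.hydra_admin_url)):
        if url in public:   # the unauthenticated admin API would be reachable by end users
            raise ValueError(f"{name} must not be a public endpoint")
    warnings = []
    if is_prod and cfg.openfga_model_id is None:
        warnings.append("APPSERVER_OPENFGA_MODEL_ID unset: checks follow the latest written model")
    return cfg, warnings
```

Run it once at process start and abort on `ValueError`; a warning list that is empty in production is the condition to aim for.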
Integration Overview
TODO: Add diagram showing how auth services integrate
Setup Guide
TODO: Document initial setup:
- Initialize OpenFGA store and model
- Configure Kratos identity schema
- Set up Hydra clients
- Configure Oathkeeper rules
- Test authentication flows