ORY Oathkeeper is an Identity & Access Proxy (IAP) that authorizes HTTP requests based on sets of rules. The BeyondCorp Model is designed by Google and secures applications in Zero-Trust networks. An Identity & Access Proxy is typically deployed in front of (think API Gateway) web-facing applications and is capable of authenticating and optionally authorizing access requests.
While the full feature set of the BeyondCorp Whitepaper is not yet implemented, the goal of this project is to achieve this in the future.
ORY Oathkeeper is a reverse proxy which evaluates incoming HTTP requests based on a set of rules that are defined by administrative users. ORY Oathkeeper is thus capable of:
- Identifying the user and providing the user session to API backends (authentication).
- Restricting access to certain resources based on a set of rules (authorization).
- Transforms access credentials (e.g. OAuth2 Access Tokens, SAML Assertions, ...) to a format (e.g. JSON Web Token, Plaintext, Basic Authorization, ...) consumable by your API services.
This service is stable, but under active development and may introduce breaking changes in future releases. Any breaking change will have extensive documentation and upgrade instructions.
Head over to the ORY Developer Documentation to learn how to install ORY Oathkeeper on Linux, macOS, Windows, and Docker and how to build ORY Oathkeeper from source.
The client and server binaries are downloadable at releases.
There is currently no installer available. You have to add the ORY Oathkeeper binary to the PATH environment variable yourself or put
the binary in a location that is already in your path (
If you do not understand what that all of this means, ask in our chat channel. We are happy to help.
Starting the host is easiest with docker. The host process handles HTTP requests and is backed by a database. Read how to install docker on Linux, OSX or Windows. ORY Oathkeeper is available on Docker Hub.
You can use ORY Oathkeeper without a database, but be aware that restarting, scaling or stopping the container will lose all data:
$ docker run -e "DATABASE_URL=memory" -d --name my-oathkeeper -p 4455:4455 -p 4456:4456 oryd/oathkeeper serve api ec91228cb105db315553499c81918258f52cee9636ea2a4821bdb8226872f54b
Building from source
If you wish to compile ORY Oathkeeper yourself, you need to install and set up Go 1.11+.
The following commands will check out the latest release tag of ORY Oathkeeper and compile it and set up flags so that
works as expected. Please note that this will only work with a linux shell like bash or sh.
go get -d -u github.com/ory/oathkeeper cd $(go env GOPATH)/src/github.com/ory/oathkeeper OATHKEEPER_LATEST=$(git describe --abbrev=0 --tags) git checkout $OATHKEEPER_LATEST GO111MODULE=on go install \ -ldflags "-X github.com/ory/oathkeeper/cmd.Version=$OATHKEEPER_LATEST -X github.com/ory/oathkeeper/cmd.BuildTime=`TZ=UTC date -u '+%Y-%m-%dT%H:%M:%SZ'` -X github.com/ory/oathkeeper/cmd.GitHash=`git rev-parse HEAD`" \ github.com/ory/oathkeeper git checkout master $GOPATH/bin/oathkeeper help
ORY Security Console: Administrative User Interface
The ORY Security Console is a visual admin interface for managing ORY Hydra, ORY Oathkeeper, and ORY Keto.
ORY Hydra: OAuth2 & OpenID Connect Server
ORY Hydra ORY Hydra is a hardened OAuth2 and OpenID Connect server optimized for low-latency, high throughput, and low resource consumption. ORY Hydra is not an identity provider (user sign up, user log in, password reset flow), but connects to your existing identity provider through a consent app.
ORY Keto: Access Control Policies as a Server
ORY Keto is a policy decision point. It uses a set of access control policies, similar to AWS IAM Policies, in order to determine whether a subject (user, application, service, car, ...) is authorized to perform a certain action on a resource.
The ory/examples repository contains numerous examples of setting up this project individually and together with other services from the ORY Ecosystem.
If you think you found a security vulnerability, please refrain from posting it publicly on the forums, the chat, or GitHub and send us an email to email@example.com instead.
Our services collect summarized, anonymized data which can optionally be turned off. Click here to learn more.
The Guide is available here.
HTTP API documentation
The HTTP API is documented here.
Upgrading and Changelog
Command line documentation
oathkeeper -h or
Developing with ORY Oathkeeper is as easy as:
go get -d -u github.com/ory/oathkeeper cd $GOPATH/src/github.com/ory/oathkeeper dep ensure go test ./...
Then run it with in-memory database:
DATABASE_URL=memory go run main.go serve all
Thank you to all our backers! 🙏 [Become a backer]
We would also like to thank (past & current) supporters (in alphabetical order) on Patreon: Alexander Alimovs, Billy, Chancy Kennedy, Drozzy, Edwin Trejos, Howard Edidin, Ken Adler Oz Haven, Stefan Hans, TheCrealm
Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]
A special thanks goes out to Wayne Robinson for supporting this ecosystem with $200 every month since Oktober 2016 on Patreon.
Package main ORY Oathkeeper
ORY Oathkeeper is a reverse proxy that checks the HTTP Authorization for validity against a set of rules. This service uses Hydra to validate access tokens and policies.
Schemes: http, https Host: BasePath: / Version: Latest Contact: ORY <firstname.lastname@example.org> https://www.ory.am Consumes: - application/json Produces: - application/json Extensions: --- x-request-id: string x-forwarded-proto: string ---
Package rule implements management capabilities for rules A rule is used to decide what to do with requests that are hitting the ORY Oathkeeper proxy server.
|Package rule implements management capabilities for rules A rule is used to decide what to do with requests that are hitting the ORY Oathkeeper proxy server.|