API keys

[filterfish]

I've got an application that uses a browser plugin to send the current URI to a remote server, I've been using Kong's Key Authentication which has worked quite well but I want to move away from Kong. Kratos/Oathkeeper fit the rest of the application well but I don't know how to handle the browser plugin.

I guess there are two high level questions:

• Is an API key the best/only way to go?
• If not, what should I use and how would I implement it using the Ory suite?

[Benehiko]

Hi @filterfish

Thanks for reaching out :)

I can maybe help you better with a bit more knowledge on the use case.
What does the current "flow" look like in your application for the browser plugin to use the API keys? Is there user interaction, do you just want to provide it a token or does the plugin self-authenticate (machine account)?

[filterfish]

At the moment I just provide a token which the user enters into the plugin's config. There is no user interaction, it's sole purpose is to record the URI of every page the user visits.

That said I'm not wedded to that solution, if there is a better way of doing it I would quite happy with that!

[Benehiko]

Well this all depends on what you want the user to do or how the system works around users/bots etc. and/or what the browser plugin supports.

If the user gets their own API token which they then add to your plugin, then this is similar to a PAT (https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token).
This is currently not supported in Ory Kratos (#1106).

I personally haven't worked with browser plugins before, but I would assume they work like any other web based application. Which means you can have a sign-in flow inside the plugin, or redirect after a sign-in flow to the plugin.

If you require this specific user account be linked to the plugin, then you can use Ory Kratos flows and have the user just sign into their account. This will issue the plugin a session cookie. Kratos also supports adding OIDC providers such as Google/Github etc. If you want to use JWT instead of session cookies, then you need Ory Oathkeeper to translate the cookie to a JWT.

Good resources to start if you are considering Ory Kratos

• https://www.ory.sh/kratos/docs/
• https://www.ory.sh/kratos/docs/concepts/index#introducing-ory-kratos

The other alternative maybe, if this is seen more like an application requiring access to your APIs which self-authenticates (bot) then you can use Ory Hydra. But since this is in the browser you would require the authorise code + PKCE flow https://www.ory.sh/hydra/docs/guides/oauth2-public-spa-mobile

*Just note Ory Hydra is usually used for third parties to have access to your user's data and/or for third parties to authenticate through your service (sign in with X flows).

Good resources to start if you are considering Ory Hydra

• https://www.ory.sh/hydra/docs/#is-ory-hydra-the-right-fit-for-you
• https://www.ory.sh/hydra/docs/concepts/before-oauth2

[filterfish]

Thanks for the detailed response this is extremely helpful and will certainly provide enough information for me to work out what the best approach is (I'm reasonably confident in my abilities as a developer but I really struggle with this stuff!).

I suspect, based on your response, that OAuth2 is probably going to be the right approach.

Now I've got some good pointers I'm going to spend some time researching this and will probably have some (many, probably!) more questions; is it best to ask them in this thread of to create a new discussion?

[Benehiko]

I'm glad I could be of help :)
The best would be to make a new discussion when you have another question, this also helps others find the information more easily!

[filterfish]

Good one! And, once again, thanks for the help.