Nowadays the engineering community has many products for authentication in their frameworks. Lots of them have built-in features for authentication and a lot of libraries available for social sign-in. We have the Django framework, Flask, and python-social-auth to build almost everything we need to authenticate users in the pythonic world.
In this article, I'll show you an example of how to add everything we need for the user's authentication without writing lots of lines of code. The code used in this blog post is available on GitHub. We'll use Flask, flask cookie-cutter, docker, docker-compose, Postgres, Ory Kratos and Ory Keto.
- Flask cookiecutter is a great tool to bootstrap our project structure. It's always a great idea to have ready-to-use linters, Dockerfile, and package management tools out of the box.
- Postgres as an RDBMS. We will have two Postgres services running in two containers in this example. I think that it's a great idea to keep it simple without using custom scripts to have multiple databases available in a single docker-compose service.
- Ory Kratos with UI to authenticate users.
- Ory Keto as an access control service.
Ory Kratos will be responsible for storing identity data such as email/login and password. Using the quickstart guide we need to copy the contents of contrib/quickstart/kratos/email-password to the root of your project and then add the following content to the docker-compose:
You can get familiar with the
concepts of Ory Keto
reading the quickstart guide. These
articles can give you a brief introduction to it. Since we need to manage access
to the home page, we need to create a folder
keto at the root of our project
and have a
keto/keto.yml file with the following content:
We need the following containers:
- postgresd-auth is the database for Ory Keto.
- keto-migrate that takes care of database migrations.
- keto-perms is a wrapper to work with permissions using a command-line interface.
- keto runs the server.
Ory Keto has configured a namespace
app to use in the Flask application.
Following the guide
Check whether a User has Access to Something
I decided to implement a simple permission policy for the demo project:
- Easy to use and maintain.
- Can easily be automated using CI/CD pipelines.
- Lack of UI can be dealbreaker for non-engineering staff
- This permission policy can violate GDPR, HIPAA or any other compliances due to personal data usage.
You can find the full code used for this blog post on GitHub.
- Consider having
authenticationpackages that use the Ory Kratos SDK and the Ory Keto SDK. Instead of just calling magic endpoints, your code will be more readable when using an SDK.
- Please pay attention to configure login session and cookies.
- Skip the set up with the Ory Network.