The day is coming to an end here, I'll try to monitor this thread but in case you don't get an answer from me any more, you will definitely get one in the community forums or chat by tomorrow:
It is extremely important to be sensitive to extremism of any kind, condemn extremist practices, beliefs, and views and take a stance against extremist ideologies.
We do not share nor endorse extremist views nor "values", nor have anything to do with extremist groups whatsoever. We have not heard about them (Oath Keepers) before.
We'll discuss a name change internally & with the community.
ps: It also shares the name of the sword from Game of Thrones and is a wordplay on OAuth :)
edit:// Forgot to thank you for raising awareness on this.
Hi, thanks for your reply. I don't mean to insinuate in any way that you or your team support any particular ideology, I merely wanted to make you aware of an unfortunate namespace collision.
For what it's worth, I was unaware of the reference that was used as this project's namesake. That is ignorance on my part.
Furthermore I would like to apologize, as my comment seems to have inspired quite a bit of unproductive ideological bickering.
This is a really unfortunate tangent and not worthy of any time or trouble on your end IMHO. At the very most a footnote somewhere in the site to say that this project is not affiliated with any groups or organizations would be more than adequate.
Any individuals that try to imply that the naming of a proxy server product within a larger software ecosystem indicate an endorsement of the position of an organization with a similar name are displaying pathological behavior and should generally be disregarded.
It's unfortunate but I wouldn't just dismiss it as a tangent. The second result from googling "oathkeeper" is the hate group and it's pretty well known in the US at least.
I doubt anyone will think this product endorses the hate group but it could prove to be an unnecessary distraction.
I would encourage that you not bend to the will of those who would impose upon you what your brand might be or might be associated with. If you make a meaningful product in your space and the origins of the name are easily explained through 1: your aforementioned wordplay and 2: the GoT reference (likely more common), then I think you should fight to keep a name you love and find meaning in.
As one of your potential customers / users, I would not base any judgement of your company or product based on some a shared name with a small fringe organization that some people find unsavory which uses a pretty common term or combination of terms.
If you make a meaningful product in your space and the origins of the name are easily explained through 1: your aforementioned wordplay and 2: the GoT reference (likely more common), then I think you should fight to keep a name you love and find meaning in.
Just to clarify, are you speaking for the team to condemn extremism in general, or the specific belief in upholding the U.S. Constitution within the U.S., or something else?
Maybe I should pay attention to the discussion with the community when that occurs, but I'm interested in which "values" you take issue with. Care to share here?
"Upholding the Constitution", among the far right, is dogwhistle for supporting white supremacy or other regressive policies. There's even a fringe political party called the Constitution Party that draws its planks not from the Constitution, the Federalist papers, or other constitutional scholarship -- but the King James Version of the Bible.
Upholding the Constitution can be a dogwhistle for various malign ideas. But there are also people who see, for example, the "living Constitution" jurisprudence as not actually upholding the Constitution, but rather just saying what you want and calling it the law. There are people who see executive orders (whether by Bush, Obama, or Trump) as not the way the country is supposed to be governed, and worry about the constitutional legitimacy of those orders. Probably the majority of the people who worry about such things are conservatives; my feel is that the majority (at a minumum) are not concerned about such issues as a cover for white supremacy.
Note well: I take no position on whether Oath Keepers is using "upholding the Constitution" as a cover for white supremacy.
>But there are also people who see, for example, the "living Constitution" jurisprudence as not actually upholding the Constitution, but rather just saying what you want and calling it the law.
And those people are incorrect. It's incorrect to believe that all modern Constitutional law and Supreme Court decisions are the result of judges and lawmakers simply making up whatever interpretation they like without any basis in, study of, or respect for the Constitution.
The alternative would be to pretend to know in all cases what an eighteenth century philosopher would decide about an issue of law in the context of modern society.
If you'll re-read my post a bit more carefully, you'll see that the word "all" is nowhere in it. Nobody (that I know) believes that " all modern Constitutional law and Supreme Court decisions are the result of judges and lawmakers simply making up whatever interpretation they like without any basis in, study of, or respect for the Constitution." I suppose that bit of hyperbole might serve to make my original statement seem less reasonable; if you did it deliberately, you're putting words in my mouth to try to discredit me, which is pretty scummy.
> The alternative would be to pretend to know in all cases what an eighteenth century philosopher would decide about an issue of law in the context of modern society.
No, the alternative would be to know what they said the rules are.
(Now, I will admit that deciding how the rules they agreed on apply in a specific situation can be very complicated. But I trust "let's look at the rules and see how they apply" more than I trust "interpreting the Constitution in accordance with its original meaning or intent is sometimes unacceptable as a policy matter, and thus that an evolving interpretation is necessary"[1]. The former view makes the Constitution the final law; the latter makes policy the master over the Constitution.)
[1] From the Wikipedia article on "Living Constitution". The quote was marked "citation needed". If you don't think it's an accurate statement of how some judges view the Constitution, make your case.
>No, the alternative would be to know what they said the rules are.
Problem is, parts of the text are maddeningly vague, and they didn't exactly agree in their politics, so a single, simple, objective and provably correct interpretation of those rules is not always possible.
>If you don't think it's an accurate statement of how some judges view the Constitution, make your case.
I do think that's an accurate statement. I disagree with 'people who see, for example, the "living Constitution" jurisprudence as not actually upholding the Constitution, but rather just saying what you want and calling it the law.'
One can disagree with the doctrine of a 'living Constitution' but there is more nuance and thought put behind the rationale than some conservatives want to admit. Both sides believe, in good faith, that what they're doing is upholding the Constitution.
>The former view makes the Constitution the final law; the latter makes policy the master over the Constitution.)
I prefer to see it as the former making the Founding Fathers the master over the Constitution, the latter making the people the master over it. The Constitution is a legal document, not the word of God, and nothing in the Constitution explicitly requires that it be interpreted according to strict originalist intent, so interpreting it either way is equally valid, and equally a matter of politics.
Well, the former makes the people of the Founding Fathers' generation the master over the Constitution (they ratified it). The latter makes the people of this generation the masters over it.
> Problem is, parts of the text are maddeningly vague, and they didn't exactly agree in their politics, so a single, simple, objective and provably correct interpretation of those rules is not always possible.
True.
>>If you don't think it's an accurate statement of how some judges view the Constitution, make your case.
I do think that's an accurate statement. I disagree with 'people who see, for example, the "living Constitution" jurisprudence as not actually upholding the Constitution, but rather just saying what you want and calling it the law.'
The original statement was "interpreting the Constitution in accordance with its original meaning or intent is sometimes unacceptable as a policy matter, and thus that an evolving interpretation is necessary". Deciding that "the original meaning is unacceptable" is exactly "deciding what you want and calling it the law". It's deciding, on the basis of what you think policy should be, what the Constitution should have said.
Let me put it this way: Trump may, before he's done, nominate three Supreme Court justices. Do you want those justices to decide based on what they think is "acceptable as a policy matter"? Or do you want them to be bound by what the text says?
> One can disagree with the doctrine of a 'living Constitution' but there is more nuance and thought put behind the rationale than some conservatives want to admit.
I will admit that - for at least some of those who hold that position. Others... their behavior seems to indicate that they want to rule over the Constitution, not to faithfully interpret it.
> so interpreting it either way is equally valid
Is it? We don't accept that reasoning with contracts, why should we with the Constitution?
(That is, if you have a contract, and you try to interpret the terms in ways that are outside the bounds of the words of the contract, a court isn't going to care how much you see the contract as a living document. They also aren't going to care how much you care about original intent. They're going to care about the words on the paper. I've seen it happen in court, with one side arguing creative meaning plus intent, and the other destroying them with the actual words.)
Nice discussion. I'll leave you the last word; I'm out for the next two days.
>Let me put it this way: Trump may, before he's done, nominate three Supreme Court justices. Do you want those justices to decide based on what they think is "acceptable as a policy matter"? Or do you want them to be bound by what the text says?
If I support decisions by previous courts, such as Roe V. Wade and Obergefell v. Hodges, then the intellectually honest position would be to concede that whomever Trump nominates has the right to do the same. I may not like it, but I do believe that is the Court's prerogative.
I don't think it's harmful to consider updated interpretations of the Constitution per se, although particular decisions can do harm even when they correctly reflect the attitudes of the time (as with Plessy V. Ferguson and segregation.) But then, obviously wrong interpretations can also be reversed. I think that we're a stronger democracy for being able to ask these questions, and consider the Constitution as evolving philosophy as much as a legal document, than if we were prevented from doing so.
>Is it? We don't accept that reasoning with contracts, why should we with the Constitution?
Well... the Constitution isn't a contract. If it were, it would be far more precise and verbose in its language, and you wouldn't have entire bodies of scholarship around the meaning of a comma.
But here we are in 2018, in the age of the internet, global surveillance, 3d printed guns, genome sequencing and a thousand other things the Founders would probably never have conceived of. If we remain bound only by the original intent of the original definition of the words of the Constitution when interpreting challenges and questions of Constitutional law, then I'm afraid the result is going to be that Constitution becoming less and less relevant to modern society.
> The Oath Keepers are more extreme than nearly all other
> white people. Just a fact. Read up on them and I think
? you will agree.
Are they more extreme than nearly all other non-white people as well? Or just more extreme than white people? ;-)
For non-americans, the idea of a group of people who do not instantly submit to individual figures in authority, but instead, resist those in authority if they believe that those in authority are infringing on rights that are protected by the constitution, may seem really bizarre.
To condemn an organization because their raison d'etre is such resistance, would be normal in other countries, but it's a little frightening how a quick google search shows that condemnation here in America (assuming the people who wrote those pages were American).
I know a lot of HN readers are not American, so just wanted to clarify that we do have a slightly less submissive culture over here.
For non-americans, the idea of a group of people who do not instantly submit to individual figures in authority, but instead, resist those in authority if they believe that those in authority are infringing on rights that are protected by the constitution, may seem really bizarre.
Oath Keepers is a non-partisan association of current and formerly serving military, police, and first responders, who pledge to fulfill the oath all military and police take to “defend the Constitution against all enemies, foreign and domestic.” That oath, mandated by Article VI of the Constitution itself, is to the Constitution, not to the politicians, and Oath Keepers declare that they will not obey unconstitutional orders, such as orders to disarm the American people, to conduct warrantless searches, or to detain Americans as “enemy combatants” in violation of their ancient right to jury trial. See the Oath Keepers Declaration of Orders We Will Not Obey for details.
Oath Keepers is a far-right militia group with a history of racism and conspiracy-theorism (e.g. birtherism, sovereign citizenry) which regularly advocates and defends violent means of asserting these ideas. Pretty words from their mouths don't change that.
I read the southern poverty law center's summary of why they dislike the oath keepers. The cases they touch upon in very one-sided ways, the Bundy ranch, the Malheur Standoff, the Oregon miners, are all cases well known to me, where the oath keepers acted commendably. I invite you to read about those events in more detail, from other sources.
I am hardly the peanut gallery here. An accusation was flung at an honorable organization from out of the blue, and I responded to that accusation. Since this is your first appearance in the thread, I would suggest you are the peanut gallery here.
I will post a motherjones (not exactly conservative friendly site) that, while not complementary, at least highlights that oath keepers is composed of individuals of diverse backgrounds and beliefs, and that they do strive to weed out bad actors when they are identified, just like any other group would do. I found the reporting to be relatively unscathing, considering it's source, and I learned from it myself.
https://www.motherjones.com/politics/2010/02/oath-keepers/
The idea of the ory ecosystem ( https://github.com/ory / https://www.ory.am ) is to build a reliable, cloud native suite of tools which allow you to solve simple and complex IAM (identity and access management) use cases. Each service works standalone, but you can obviously combine them all.
The Oathkeeper proxy is one piece of the puzzle which basically takes incoming HTTP requests, evaluates them on a set of rules (e.g. authentication of credentials used, checking if the user has the right permissions, transforming the session data to a e.g. JWT) and either grants or denies access.
Other services include, for example, ORY Hydra ( https://github.com/ory/hydra ) which is an OAuth2 & OpenID Connect (certification pending) server that you can put "on top" of your existing user management.
While most developers opt to build these systems (permissions, user management) themselves, it is our vision to build a reliable, broadly adopted set of OSS tools that get you started quickly and that scale well as the requirements of your organization change.
Everything we do is build on top of open standards, we do not want to reinvent the wheel (unless nothing exists wrt to open standards). So everything in this ecosystem integrates well with existing systems.
If you have any questions, feel free to ask.
ps: New account because I lost my password and didn't set up a backup email. Stupid me.
Where is the ORY Security Console hidden? I can't see it on GitHub and all links lead to a running instance of it?
Is this how you're hoping to monetise all your hard work? I don't begrudge that at all :-) It's just a little unclear?
If there's going to be a security console, I wouldn't want it hosted by anyone else. Especially if I'm the type of person to deploy all the other components I'll undoubtedly want to deploy the console myself.
I really like this suite of projects, it splits the problem nicely into flexible building blocks.
How do you envision integration of existing external OAuth2 or OpenID Connect servers, such as Google, GitHub, etc., or an OAuth2-compliant directory of a B2B customer?
We're currently starting to work on ORY Hive (project name wip) which is going to be a fully functional identity management service (user registration, login, social sign in, password reset, MFA, ...) sort of along the lines of Auth0 or AWS Cognito, but as an OSS solution.
As part of that service, we will add connectivity adapters for generic OAuth2/OIDC providers as well as (probably) LDAP/AD and SAML integration.
We're still in prototyping phase (building a good API here is really tricky because no open standards exist to our knowledge for this) and it will take some time. But hopefully, it will be something many people can build on!
And thank you so much for the positive feedback :)
That sounds awesome! I'd really like to see organizational management, i.e., users in orgs. It is something most B2B SaaS apps have to do, and they tend to do it differently and often very poorly. Maybe it is out of the scope of ORY Hive, but I think it would be really useful. I'm thinking it would tie into an RBAC system to give users different permissions within orgs (member, admin, owner, etc.).
There are two main patterns for B2B apps:
- One org per user, like G Suite. A user is a member of a single org, to be a member of another org requires another user account. This creates a challenge when it is a system where someone might be a member of multiple orgs, because it requires logging in as multiple users and having cookies that can handle that.
- One user in many orgs, like GitHub. A users "owns" their user account, and is invited to one or more orgs. This makes working in multiple orgs easier, but can create challenges for companies that want to enforce things within their org, like SSO or 2FA. It also creates issues with routing of notifications (you want work notifications going to work email), and identity of users within a company (an org admin may have trouble identifying users if they aren't tied to company emails).
An ecosystem like ORY obviously can't alleviate all the issues, but maybe it can help with some of them, like org membership and org friendly cookies.
Good use cases, we in fact are looking at multi-tenancy or "realms" but have not progressed very far here as it can get quite complicated. One major issue with true multi-tenancy is obviously data isolation, so usually you don't want data to "bleed" from tenant a to tenant b (think G Suite) whereas in other systems it's not truly a tenant but more of a business entity that shares users.
I think in the end it boils down to what we can solve in a generic manner and what we can let developers solve for themselves. The distinction between the two use cases is definitely something we'll take a closer look at and include in our design decisions, so this won't be an afterthought but something built into the architecture!
This is a cool project, I'll definitely keep an eye on it. I've long wished that something framework & language agnostic like this existed.
One suggestion for the docs, especially since the tagline is that this is a cloud-native solution, would be examples of how to run it in common cloud setups. For instance I'm looking at the deployment page and it mentions that in the gateway configuration you'll want to run it behind a load balancer but in front of the API router. But if you're using an ELB, which as far as I'm aware is still part of basically the default way to run web apps on AWS, the load balancer and router are combined and there's no way to hook something like this in. So it would be cool to see some examples involving specific tools like ELBs, maybe a note on other ways to run it if using Kubernetes, etc.
We're a very small team, so it might take a while for us to tackle this (especially because we mostly use k8s with oathkeeper proxy as a sidecar), but that does make this not lesser of an issue!
This solution seems comparable to running Envoy Proxy as a reverse / frontend proxy with a JWT filter. Would you say that's a fair comparison? What would you say are the benefits of using this over such an Envoy setup with Envoy becoming so popular?
Super excited to see more players move in this space btw!
Nice, I have heard about Ambassador before but did not have the time to look into it in detail. It is just amazing how much OSS is being created around the k8s/container ecosystem and I truly believe that it will greatly improve our lives as developers in the future.
I've added this to our internal list and we will check it out and see if any synergies are possible with our products. Our vision is that these services work so well and easy with the rest of the ecosystem, that you can get started with a new project in a day or two and have everything set up - from users, to permissions, to routing (e.g. via ambassador), to testing (there's still ton of space for this), and so on.
I think the journey of software development beyond 2020 will be very exciting!
ps: Sorry for slow responses, HN has a very high post wait time once you hit the limit. And thank you for the positive vibes :)
I was just speaking with Datawire/Ambassador CEO in their slack about Oathkeeper... you should reach out and speak with them. Interesting synergies IMO.
I have not used envoy extensively yet, but there are obviously many more options such as Apache2 + mod_oidc, Kong + oauth2 plugin, and so on.
The main differentiator is that Oathkeeper is capable of performing more sophisticated permission checks (think RBAC / AWS IAM Policies) and is specifically geared towards solving authentication and authorization in front of "your" service.
Most other implementations I saw (and I think this also goes a bit for envoy) is that they solve access control as one of the things in the feature set, while also focusing strongly on routing, load balancing, and other typical API gateway issues.
We're explicitly not trying to build another API gateway but instead something that you deploy alongside your existing API gateway (or maybe as a sidecar) with the sole purpose of checking answering: "is the request that's coming through really allowed to perform that action?".
Hope this clarifies it, if not I'm more than happy to go into more detail :)
really great. please comment on the intersection with auth0. clearly there is some overlap, it would be great to have a concise explanation.
> we do not want to reinvent the wheel
IMHO, were I you I would not shy away from that. Existing wheels are oval in shape. Of course where you have to interoperate, you are limited.
> ps: New account because I lost my password and didn't set up a backup email. Stupid me.
Well you just lost me. You are developing IAM components and you can't get basic password management correct? email has nothing to do with it, we are well past the point where password managers are de rigueur, certainly for anyone involved with security matters.
> Well you just lost me. You are developing IAM components and you can't get basic password management correct? email has nothing to do with it, we are well past the point where password managers are de rigueur, certainly for anyone involved with security matters.
The password in my password manager is not correct. No idea how that happened, maybe it was overwritten by accident or I copied the wrong one during account creation. Since I had to reset my FF profile it was no longer stored in the FF password manager, so I had to recover it from KeePass, which well - didn't work out so well. Since I do use a password manager, it's impossible to recover it as I have no idea what the password is.
Getting the wrong password in your password manager happens occasionally. Usually from password resets that somehow don't make it into your password manager. The fact that HN allows accounts without email addresses is the real problem. Also, maybe he just doesn't value his HN account all that much.
Go is a language that's easy to use, but a challenge for beginners to use well, especially if you try to force [insert another language] constructs into it.
I see programmers that are new to Go often struggle with trying to apply their object-oriented mindset into a language that's not object-oriented and run into trouble, complain about the language, and call it rubbish. Or, focus on the lack of generics and other part of the language they don't like (e.g. slice manipulation).
Go is certainly far from perfect but after spending the better part of 7 years with it, it's usually the first tool I reach for.
"Go is a language that's easy to use, but a challenge for beginners to use well, especially if you try to force [insert another language] constructs into it."
Strongly agreed. There's a lot of languages out there with very rich feature sets, and the way you get jobs done is to go find the right feature you need for your current problem. With Go, you need to learn the language and extract every last drop out of every language feature. This is exacerbated by the fact that the feature set isn't what people expect, e.g., object composition is not what they are used to, and while interfaces are simple there's still some art to using them properly.
Despite the vast, vast distance between Go and Haskell on the general-purpose programming language landscape, I found my experiences in Haskell to be quite useful in Go, because while they were specifically inapplicable to an imperative language, the general practice I got from Haskell of taking a bizarre set of programming tools and learning how to make sensible programs out of them even so was quite useful.
(It isn't necessarily the first language I reach for for personal tasks, but it is a superb professional programming language, offering a nearly-unique blend of the ability to get the job done you usually need to do for a wide variety of standard programming tasks (but not all!) while resulting in source code that is still comprehensible to almost every programmer. It isn't my favorite overall, but it's the best professional choice of language I have in my belt, which is often precisely because it does not permit me to indulge in flights of clever fancy that solves a problem in 25 impenetrable-to-the-next-guy lines of code. I know a lot of people may not love to hear that, but it's a factor you really have to consider when you are being paid to solve problems.)
It's kinda hilarious to see that as more and more successful projects and companies use Go in their stacks, the number of comments like these increases in HN.
Stack adoption is orthogonal to maturity or ease of use. Recent experiences have indicated to me that the main factor in which stack a company uses is basically the whim of whatever developer was tasked with the initial project creation.
Nobody's going to tell him no and there's not going to be significant discussion about the merits and even if there was, there's no best practices to lean on to make the decision rely on anything other than pure emotion.
Stack adoption makes people have to actually use them, which then gives them something to complain about (whereas before they could just ignore something not to their taste).
In my opinion, don't use Go at all if you can avoid it - it may be acceptable for a tiny CLI project but anything of significant complexity needs a language that can scale.
I'd hardly call Kubernetes, Docker daemon and tooling, etcd, CockroachDB, geth, and nsq tiny CLI projects.
If anyone has any reservations about learning Go, don't judge the language based on a list of flaws written by some programmers who used it for a few months, became frustrated, and wrote a blog post.
The type of codebase scaling Google does is very different from other companies.
They have huge numbers of junior developers right out of university (those that Rob Pike, one of the main authors of Go, likes to claim aren't good enough to learn advanced concepts) and their coding style is not focused on correctness and simple implementations - do something, do a lot of it, write a lot of tests.
For companies that aren't the size of Google, that don't work the same way (monorepos etc.), and that simply don't have the same set of resources available it will often end up being much easier to use a language that either prevents flaws (via a strong type system, like in Haskell or Rust, which Go does not have) or gracefully handles flaws (via an error handling strategy, like in Erlang or Elixir, which Go does not have).
Go is statically typed (this means that the compiler performs its checks at compile time and hard-fails the compilation process in the presence of type errors), but there is no single definition of what "strong" means.
Programming language theory is a field that is in development and notions of "strong" type systems that were valid in the 80s (in which Go certainly would have been considered strongly typed) are no longer relevant. The list you linked seems to cite the Go website itself as the source, by the way.
At the very least a modern language that wants to claim to have a strong type system should provide user-defined sum types, exhaustiveness checking and parametric polymorphism. Go has none of those.
When it comes to error handling, Go's "concept" of it is that "there may be a thing that can be turned into a string, in which case there was probably an error, but it's up to the developer to check - we won't help you". You may as well just use C then.
There is nothing to short-circuit failed computations, check whether errors have in fact been handled, restart / terminate computations gracefully and so on. It's all manual labour that the developers need to remember and boilerplate over and over again.
I would recommend you to spend some time with the languages that are "above Blub"[1] (ctrl+f "the blub paradox") - good candidates for learning some modern PLT concepts are Haskell[2], Rust[3] and Erlang[4]. Even if you don't end up using those languages in your professional life, knowing the concepts they introduce will improve your code in "Blub-languages" (Go, Java, etc.), too.
Some of the stuff that makes it work is unfortunately apparent later than the warts. Try to think of it as a domain-specific language for implementing simple http endpoints. ¯\_(ツ)_/¯
- Forums: https://community.ory.am/
- Chat: https://discord.gg/PAMQWkr
Thank you all for the awesome discussions!