Kratos and Oathkeeper
Kratos is our user management system of choice and Oathkeeper is the identity and access proxy.
Most of the needed config is already under docker/kratos. The only two things that need to be changed are the config for Kratos that might contain your email server password, and the JWKS Oathkeeper uses to sign its JWT tokens.
Make sure to create your own docker/kratos/config/kratos.yml by copying the kratos.yml.sample in the same directory. Also, make sure to never add that file to source control because it will most probably contain your email password in plain text!
Store your kratos.yml file somewhere safe as it will be reused on all other servers in your portal cluster.

New Cluster Set Up

If you are setting up a new cluster then you will need to generate a new set of keys.
To override the JWKS you will need to directly edit docker/kratos/oathkeeper/id_token.jwks.json and replace it with your generated key set. If you don't know how to generate a key set you can use this code:
package main

import (
	"encoding/json"
	"log"
	"os"

	"github.com/ory/hydra/jwk"
)

func main() {
	// Generate a 2048-bit RSA key pair for RS256 signatures.
	gen := jwk.RS256Generator{
		KeyLength: 2048,
	}
	// Empty key ID, key use "sig" (signing).
	jwks, err := gen.Generate("", "sig")
	if err != nil {
		log.Fatal(err)
	}
	// Serialize the key set as indented JSON.
	jsonbuf, err := json.MarshalIndent(jwks, "", " ")
	if err != nil {
		log.Fatalf("failed to generate JSON: %s", err)
	}
	// The output contains the private key: redirect it to a file, not a shared terminal or log.
	os.Stdout.Write(jsonbuf)
}
While you can directly put the output of this program into the file mentioned above, you can also remove the public key from the set and change the kid of the private key to not include the prefix private:.
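The trimming step described above, as an added example that is not part of the skynet-webportal code. It assumes a private key can be recognised by the JWK "d" member (RFC 7518); the function name PrivateOnly and the sample key set are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"strings"
)

// sampleJWKS is constructed for illustration; the values are placeholders, not key material.
const sampleJWKS = `{"keys":[
 {"kty":"RSA","use":"sig","alg":"RS256","kid":"private:example","n":"placeholder","e":"AQAB","d":"placeholder"},
 {"kty":"RSA","use":"sig","alg":"RS256","kid":"public:example","n":"placeholder","e":"AQAB"}
]}`

// PrivateOnly drops keys without the private member "d" and strips "private:" from each kid.
func PrivateOnly(in []byte) ([]byte, error) {
	var set struct {
		Keys []map[string]interface{} `json:"keys"`
	}
	if err := json.Unmarshal(in, &set); err != nil {
		return nil, fmt.Errorf("parse JWKS: %w", err)
	}
	kept := make([]map[string]interface{}, 0, len(set.Keys))
	for _, k := range set.Keys {
		if _, private := k["d"]; !private {
			continue // public key: removed from the set
		}
		if kid, ok := k["kid"].(string); ok {
			k["kid"] = strings.TrimPrefix(kid, "private:")
		}
		kept = append(kept, k)
	}
	if len(kept) == 0 {
		return nil, errors.New(`no private key (member "d") found in set`)
	}
	set.Keys = kept
	return json.MarshalIndent(set, "", "  ")
}

func main() {
	out, err := PrivateOnly([]byte(sampleJWKS))
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(string(out))
}
```

The function returns an error instead of an empty set when no private key is present, so a file that contains only public keys is never written out as a signing key set.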
Make sure to save the id_token.jwks.json file somewhere safe like LastPass. This file will be reused on all other servers in your portal cluster.

Adding to a Cluster

If you are adding a new node to an existing cluster then you will be using the keys generated when the cluster was initialized. Copy the common id_token.jwks.json file to skynet-webportal/docker/kratos/oathkeeper/id_token.jwks.json.