I stopped using Postman years ago because it got too bloated and "enterprisy".
Also the fact that it syncs all my stuff to the cloud across many consulting clients is a no go. Passwords and other stuff means it is a target for hackers.
Postman is a great product, don't get me wrong, but my specific use cases are around HTTP testing and I want to check everything into version control.
Personally, I don't like the use of indexing to determine the JSON structure (like this `<input name="foo[0][1]">`). I think it's way more powerful to derive the JSON structure from the DOM tree. That's why I wrote some code to do exactly that: https://gist.github.com/mjepronk/5b33eaa90ecf11a5c2c47935a2c...
The use of `<fieldset>` and `<section>` may not be the best choice. You could use `data-` attributes on arbitrary tags for instance.
I like the book Domain Driven Design by Eric Evans.
Also, pure functional programming and immutability have greatly influenced my design even in languages other than Haskell (my main language is Python).
Eric Evans also stresses the importance of immutability of what he calls Value Objects.
I think Evans' book about DDD is the worst by far. The one from Vaughn Vernon is better imho (more practical without losing the theoretical aspect).
It's a DNS resolver, not an authoritative DNS server. So it's similar to Google's 8.8.8.8, Cloudflare's DNS resolver, or the DNS resolver that is provided to you by your ISP.
Or like the Unbound recursive resolver that I run here. Unless there are moves to mandate the use of the EU resolver network, then there's nothing to freak out about.
Thank you for working on this interesting open source product.
I have some questions:
- Is it possible to have multiple organizations in one single instance? Can I have some superusers that have access to all organizations?
- Can I delegate authentication for a subset of users (in my case this will always be an entire organization) to another authentication provider (say Microsoft ADFS)?
- Do you support SAML 2.0 clients?
- Do you have a REST API which can be used to create / deactivate users?
Thank you for these questions! First of all I want to say that Ory Kratos is built for customer facing authentication first, so many of the enterprise requirements (e.g. LDAP integration) are still missing. Our vision is to build the de-facto open standard for auth, so enterprise IAM is on the roadmap. It just needs time & community feedback to get there :)
To answer your questions:
- Is it possible to have multiple organizations in one single instance? Can I have some superusers that have access to all organizations?
Depends how you interpret multiple organizations. If those are distinct users (meaning the same person has a profile in org A and org B and does not reuse them), so a true multi-tenant system, then this is not built in and we do not plan to add it.
Running Ory Kratos is very cheap in terms of resources (a few MB of RAM and no CPU on idle), so it's very affordable to spin up another instance. This doesn't work well for fully-automated deployments such as SaaS systems, but it does work if you are thinking about corporate systems.
You might also look for Ory Cloud, where you can deploy a new Ory Kratos instance with a simple API call.
- Can I delegate authentication for a subset of users (in my case this will always be an entire organization) to another authentication provider (say Microsoft ADFS)?
Yes! Right now we only support OpenID Connect and OAuth1/OAuth2 delegation but more to come.
- Do you support SAML 2.0 clients?
Not yet, but there's an active design document with discussions on different implementation scenarios.
- Do you have a REST API which can be used to create / deactivate users?
Creation - absolutely! Deactivation is not yet available as an API but identity state is already implemented, so adding it is really just a few lines of code.
There are also endpoints for revoking all active sessions, which immediately logs users out of one to all systems.
The project for which I'm most interested in a solution like Ory Kratos is a multi-tenant SaaS, with a few hundred organizations. The organizations in general already have other systems that they use to keep track of employees, and so they want to be able to interface with our system to create and deactivate (or delete) users.
So it would suffice if we could host all organizations in one instance, and that we would still be able to directly expose Ory Kratos APIs to our clients without them being able to see users in other organizations.
Funny story. We had a client doing a SAML integration using HTTP-redirect bindings. It worked when you turned off request signature verification (which is fine for testing, but is like using alg="none" for JWTs, a non-starter in production), but failed when that was turned on. We dug in with the client and another vendor, set up some test servers, and identified the bug[0]. Turns out that you can't canonicalize the signature's URL encoded form, because both uppercase and lowercase hex values are allowed, by the SAML spec.
Our open source SAML library[1] has been around for years and is used by many clients in FusionAuth and our other projects. It had never run into this particular edge case. It is a wild west out there in SAML land and it takes years to build a bulletproof implementation. Ory folks, if you can leverage an existing implementation rather than rolling your own, I'd highly advise that approach.
That is also to say nothing of the incoming privacy/cookie limitation changes that are coming in the next few years. This will unfortunately probably negatively affect SAML, which is not a specification that has evolved much. If this is of interest to you, I'd recommend the Federated Identity W3C community group[2].
That said, FusionAuth supports SAML in many forms[3]. SAML support varies across vendors and implementations, but other providers like Keycloak and IdentityServer do so as well.
You could have a look at EteBase [1], which was recently featured on HN. I haven't tried it myself, but I'm looking to build my applications in a similar style.
Do you think it is harder to learn than Ocaml/ReasonML though?
I think there is a good free introductory book [1], a welcoming community [2], the language and ecosystem are quite stable nowadays and there's good tooling (now that there's the Spago package manager).
It's definitely harder. I have been doing OCaml for about 20 years now, and we have probably one of the largest Elm apps out there. I looked at PureScript, especially because it also compiles to other languages (C++, BEAM), but the learning curve is a bit steep.
`ext install anweber.vscode-httpyac`