The Open Sentry Stack consists of:
- Identity Provider, IDP - Provides an API for identity authentication and resource ownership verification
- Access & Authorization Provider, AAP - Provides an API for access and authorization control
- OAuth2 & OpenID Connect Provider, Ory Hydra - Provides session control and the OAuth2 and OpenID Connect flows
- Messaging System, NATS - Provides Pub/Sub for events
- Storage using graphs, Neo4j - Provides a different take on access control
- Reverse Proxy, Ory Oathkeeper - Provides uniform access to system components
- Docker - Provides containerization and process isolation
The idea of The Open Sentry Stack is to provide system developers with a tool to enforce logical functional security in their applications.
Think of the system as a trust sphere which spawns strings of trust to applications, as long as the applications use AAP for judgement.
The system operates on a set of ideas and concepts like:
- Deny by default - Assume code will fail and let the code structure fall through to deny
- Absence of information means deny - If it is not in the graph, it means deny
- TLS by default - Assume untrusted networking, pay the price and encrypt by default, even in test environments (BeyondCorp)
- Dog food - Use the exposed endpoints as well as the access models internally in the system as well (bootstrap with self)
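The "deny by default" and "absence of information means deny" principles, together with the strings of trust an application can follow through the graph, as an added example that is not part of the Open Sentry Stack's own code. The in-memory graph, its field names and the bounded delegation walk are assumptions standing in for the Neo4j model; only an explicit grant reached from the requesting subject yields allow, and every other path falls through to deny.

```go
package main

import "fmt"

// Graph is a constructed in-memory stand-in for the access graph; the field
// names and relation semantics are assumptions, not the project's schema.
type Graph struct {
	Grants      map[[3]string]bool  // (subject, scope, owner) -> explicitly granted
	DelegatesTo map[string][]string // subject -> subjects it may act on behalf of
}

// Judge returns true only when an explicit grant is found for the subject, or
// for a subject it delegates through within maxHops, and deny otherwise.
// The function is structured so that any unforeseen state ends in deny.
func Judge(g *Graph, subject, scope, owner string) (bool, string) {
	if subject == "" || scope == "" || owner == "" {
		return false, "incomplete request"
	}
	if g == nil || g.Grants == nil {
		return false, "no graph available"
	}
	const maxHops = 3
	seen := map[string]bool{} // guards against delegation cycles
	frontier := []string{subject}
	for hop := 0; hop <= maxHops && len(frontier) > 0; hop++ {
		var next []string
		for _, s := range frontier {
			if seen[s] {
				continue
			}
			seen[s] = true
			if g.Grants[[3]string{s, scope, owner}] {
				return true, "explicit grant via " + s
			}
			next = append(next, g.DelegatesTo[s]...)
		}
		frontier = next
	}
	// Absence of information means deny.
	return false, "no grant in graph"
}

func main() {
	g := &Graph{
		Grants:      map[[3]string]bool{{"alice", "read:profile", "alice"}: true},
		DelegatesTo: map[string][]string{"app-a": {"alice"}},
	}
	for _, sub := range []string{"alice", "app-a", "bob"} {
		ok, why := Judge(g, sub, "read:profile", "alice")
		fmt.Printf("%s -> allowed=%v (%s)\n", sub, ok, why)
	}
}
```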