A Document Management System (DUMMY) with 3rd-party delegation built natively on the Ory Stack, Go, and Next.js.
The system implements a Zero-Trust edge proxy architecture to completely separate identity, authentication, authorization, and 3rd-party access delegation from the core backend logic. It enforces a highly granular permission model using Ory Keto.
- Ingress Layer (Nginx): Hardened gateway with HTTPS and dynamic DNS resolution for upstream container churn.
- Security Edge Proxy (Ory Oathkeeper): Identity-Aware Proxy (IAP) handling JWT transformation (Signed RS256) and session-to-token mutation.
- Identity Provider (Ory Kratos): Handles all user data, MFA, and lifecycle. Supported by a Courier worker for reliable asynchronous email delivery.
- Permissions Engine (Ory Keto): Enforces access control lists (ACL) using OPL via gRPC.
- Delegation (Ory Hydra): OAuth2 provider allowing 3rd-party clients to access DMS APIs.
- Enterprise Backend (Go 1.24): Modular Chi-based API with official Ory SDK integration, persistent PostgreSQL audit logging, and Unified Node Architecture.
- Frontend UI (Next.js): Modern control plane using Shadcn UI, SSG, and centralized API utilities.
- Database (PostgreSQL 16): Multi-schema design (
app,kratos,keto,hydra,enterprise) for total data isolation.
- Backend: Go 1.24, Chi Router, official Ory Kratos/Hydra/Keto SDKs.
- Frontend: Next.js 16, React 19, Tailwind CSS, SWR.
- Identity & Access: Ory Kratos (v1.1), Ory Keto, Ory Oathkeeper, Ory Hydra.
- Infrastructure: Docker & Docker Compose, Hardened Nginx.
- Database: PostgreSQL 16.
- Docker and Docker Compose installed.
- Go 1.24+ and Node.js 24+ (if running outside containers).
- Bun runtime (for testing toolkit).
- Make utility installed.
Add the following entries to your OS's host file:
127.0.0.1 auth.ory-vault.test
127.0.0.1 api.ory-vault.test
127.0.0.1 ext-api.ory-vault.test
127.0.0.1 app.ory-vault.test
127.0.0.1 mail.ory-vault.test
127.0.0.1 ory-vault.test
Import-Certificate -FilePath ".\step-ca-data\certs\root_ca.crt" -CertStoreLocation Cert:\CurrentUser\Rootmake build
make up
make migrate- DMS Frontend:
https://ory-vault.test - OAuth2 Management:
https://ory-vault.test/dashboard/apps - Internal API (UI):
https://api.ory-vault.test - External API (Apps):
https://ext-api.ory-vault.test - Auth/SSO Hub:
https://auth.ory-vault.test - Mailpit (SMTP UI):
https://mail.ory-vault.test
A simulation app for testing 3rd-party integration is available in the repository.
- Create a client at
https://ory-vault.test/dashboard/apps. - Configure
tools/oauth2-test-app/index.tswith your credentials. - Run:
bun run tools/oauth2-test-app/index.ts. - Open
http://localhost:4000.
.
├── dms-backend/
│ ├── cmd/server # Go Entry point
│ └── internal/
│ ├── api/ # Chi Router
│ ├── handler/ # Business Logic (OAuth2, Nodes, Admin)
│ ├── middleware/ # RBAC, JWT, Scope Guards
│ └── store/ # Modular Persistence (Unified Nodes)
├── dms-ui/ # Next.js Frontend
├── tools/ # Integration Test Toolkit (Bun.js)
└── contrib/config # Ory Stack Configs
This project is licensed under the MIT License.