CASE-0008 · MISSION REPORT
FEATURED · In Progress

nova-id

Production IAM on the Ory Stack — Kratos, Hydra, Keto, Oathkeeper — with Zero Trust gateway and Vue 3 frontends.

KEY FEATURES
  • Zero Trust — every request flows through Oathkeeper; internal services are never exposed
  • Full Ory Stack: Kratos (identity), Hydra (OAuth2/OIDC), Keto (RBAC), Oathkeeper (gateway)
  • Three Vue 3 frontends: Auth UI, Admin dashboard, downstream test app
  • One-command setup: `docker compose up -d && ./scripts/setup-all-permissions.sh`
OVERVIEW

Production IAM on the Ory Stack with Zero Trust architecture

Nova ID is a self-hosted identity and access management platform built on the full Ory Stack — Kratos (identity, sessions), Hydra (OAuth2/OIDC), Keto (RBAC), and Oathkeeper (gateway) — with three Vue 3 frontends. Every request goes through Oathkeeper; nothing internal is directly exposed.

Why I built it

I kept needing auth for side projects and re-implementing the same JWT-based half-solution every time. Once you go past hello-world, the gap between "I have JWT auth" and "I have production IAM" is enormous — sessions, refresh tokens, OAuth2, RBAC, audit, multi-tenant invites, password reset flows, MFA. I wanted to learn the Ory Stack properly by integrating all four pieces into a working Zero Trust system, with frontends that show how to consume it correctly.

What it does

  • Zero Trust architecture — every request flows through Oathkeeper for authentication, authorization, and header injection. Internal services are never exposed.
  • Kratos for identity, registration, login, sessions, password reset, email verification.
  • Hydra for OAuth2 and OIDC token issuance.
  • Keto for RBAC with platform_admin and platform_user namespaces.
  • Oathkeeper as the single gateway — auth, authz, header injection.
  • Three Vue 3 frontends — Auth UI (login/registration), Admin dashboard (user management), and a test app showing how a downstream consumer authenticates.
  • One-command setup: `docker compose up -d && ./scripts/setup-all-permissions.sh`.
  • Architecture docs with Mermaid diagrams covering the request flow end-to-end.
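
To make the gateway flow above concrete, here is an added example of a single Oathkeeper access rule that chains the three stages (Kratos session check, Keto permission check, header injection). It is not taken from the nova-id repository: the rule id, hostnames, ports, the `admin-api` object, the `access` relation and the `X-User-Id` header are assumptions, and only the `platform_admin` namespace comes from this page. Each handler used must also be enabled in Oathkeeper's global configuration.

```yaml
# Added example: one Oathkeeper access rule (assumed names, not nova-id's own config).
- id: "example:admin-api"                  # constructed rule id
  upstream:
    url: "http://admin-api:8080"           # hypothetical internal service, no published port
  match:
    # Default matching strategy is regexp; <.*> matches any path suffix.
    url: "http://gateway.localhost:4455/admin/<.*>"
    methods: ["GET", "POST", "PUT", "DELETE"]

  # 1. Authentication: forward the browser cookie to Kratos and accept the
  #    request only if /sessions/whoami returns an active session.
  authenticators:
    - handler: cookie_session
      config:
        check_session_url: "http://kratos:4433/sessions/whoami"
        preserve_path: true
        extra_from: "@this"
        subject_from: "identity.id"        # Kratos identity id becomes .Subject
        only:
          - ory_kratos_session

  # 2. Authorization: ask Keto whether this subject holds the relation.
  #    Keto's check endpoint answers 200 (allowed) or 403 (denied), which is
  #    what the remote_json authorizer expects.
  authorizer:
    handler: remote_json
    config:
      remote: "http://keto:4466/relation-tuples/check"
      payload: |
        {
          "namespace": "platform_admin",
          "object": "admin-api",
          "relation": "access",
          "subject_id": "{{ print .Subject }}"
        }

  # 3. Header injection: the upstream reads identity from this header
  #    instead of parsing cookies or tokens itself.
  mutators:
    - handler: header
      config:
        headers:
          X-User-Id: "{{ print .Subject }}"

  errors:
    - handler: json
```

The injected header is only trustworthy if the upstream is reachable solely through Oathkeeper, which is why the internal services must not publish ports of their own.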

Stack

Ory Kratos, Ory Hydra, Ory Keto, Ory Oathkeeper, Vue 3, Vite, Docker Compose.

Status

Active. MIT.
