WEBSITE by Aras

Latest Project

Aerrus Platform SSO

A reusable identity and access layer for first-party Aerrus apps. The system centralizes login at auth.aerrus.com while allowing apps like Aerrus and Byaivy to keep their own local sessions.

What it is

SSO that keeps app boundaries clean.

The sibling Aerrus source shows a split deployment: an auth stack with Ory Hydra, Kratos, Keto, and shared Postgres, plus the app stack with the frontend, backend, orchestrator, app Postgres, and operational services.

The important product detail is the session model. Hydra issues tokens from the auth origin, the consuming app exchanges the code server-side, and that app then owns its session cookie. Keto bindings keep authorization tied to the requesting domain instead of trusting caller-supplied context.
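The session model above, sketched as an added example (not code from the Aerrus source): the consuming app's backend starts the flow, checks the callback, exchanges the code server-side, and sets a host-only cookie on its own domain. The `/oauth2/auth` and `/oauth2/token` paths are Hydra's defaults and are assumed here; the client ID, redirect URI, PKCE use, cookie name and the injected `exchange_and_verify` callable are hypothetical.

```python
import base64, hashlib, secrets
from urllib.parse import urlencode

AUTH_ORIGIN = "https://auth.aerrus.com"            # auth origin named on the page
AUTH_PATH, TOKEN_PATH = "/oauth2/auth", "/oauth2/token"  # Hydra defaults (assumed)
CLIENT_ID = "byaivy-web"                           # constructed value
REDIRECT_URI = "https://byaivy.example/callback"   # constructed value

def begin_login(pending):
    """Start the flow; state and PKCE verifier stay on the app's server."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    pending[state] = verifier
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": REDIRECT_URI, "scope": "openid",
                       "state": state, "code_challenge": challenge,
                       "code_challenge_method": "S256"})
    return f"{AUTH_ORIGIN}{AUTH_PATH}?{query}"

def handle_callback(params, pending, exchange_and_verify, sessions):
    """Finish the flow on the backend and mint the app's own session cookie."""
    # Reject callbacks this app did not start; each state is single use.
    verifier = pending.pop(params.get("state", ""), None)
    if verifier is None or not params.get("code"):
        raise PermissionError("unknown state or missing code")
    form = {"grant_type": "authorization_code", "code": params["code"],
            "redirect_uri": REDIRECT_URI, "code_verifier": verifier}
    # Hypothetical callable: POSTs the form with client authentication and
    # returns the verified ID token claims. Tokens never reach the browser.
    claims = exchange_and_verify(f"{AUTH_ORIGIN}{TOKEN_PATH}", form)
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"sub": claims["sub"]}
    # No Domain attribute: the cookie is host-only, so the app owns its session.
    return f"__Host-session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

The `__Host-` prefix makes the browser refuse the cookie unless it is `Secure`, has `Path=/`, and carries no `Domain` attribute, which keeps one app's session from being shared with sibling hosts.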

One auth boundary

Hydra handles OAuth2/OIDC, Kratos owns identity flows, and Keto keeps authorization decisions domain-aware.

Cross-domain app sessions

Each consuming app completes the authorization-code flow, then stores its own local session on its own domain.

Managed client onboarding

The IAM surface can create domain bindings, provision Hydra clients, and reveal the generated client secret during setup.

Powered by Aerrus

Check out the websites powered by Aerrus: