Revert "AuthZed Integration Guide"

src/current/_includes/v26.1/sidebar-data/integrate.json

@@ -2,16 +2,21 @@
     "title": "Integrate",
     "is_top_level": true,
     "items": [
-      {
-        "title": "AuthZed",
-        "urls": [
-          "/${VERSION}/authzed-integration-guide.html"
-        ]
-      },
       {
         "title": "Ory",
-        "urls": [
-          "/${VERSION}/ory-integration-guide.html"
+        "items": [
+          {
+            "title": "Ory Overview",
+            "urls": [
+              "/${VERSION}/ory-overview.html"
+            ]
+          },
+          {
+            "title": "Integrate with Ory",
+            "urls": [
+              "/${VERSION}/ory-integration-guide.html"
+            ]
+          }
         ]
       }
     ]

src/current/v26.1/ory-integration-guide.md

@@ -5,19 +5,13 @@ toc: true
 docs_area: Integrate
 ---
 
-[Ory](https://www.ory.com/) is an open-source identity and access management (IAM) platform that provides modular components for authentication and authorization in distributed systems. Key components include:
+This tutorial demonstrates how to set up a CockroachDB environment that uses [Ory]({% link {{ page.version.version }}/ory-overview.md %}) for Identity and Access Management (IAM). This page describes the architecture of the integration, then walks through how to perform and test it. 
 
-- [Ory Hydra](https://www.ory.com/hydra) is a server implementation of the [OAuth 2.0 authorization framework](https://oauth.net/2/) and the [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0-final.html). It tracks clients, consent requests, and tokens with strong consistency to prevent replay attacks and duplicate authorizations.
-- [Ory Kratos](https://www.ory.com/kratos) stores user identity records, recovery flows, sessions, and login attempts in transactional tables.
-- [Ory Keto](https://www.ory.com/keto) provides scalable, relationship-based access control (ReBAC).
-
-The following diagram shows the relationship between Ory Hydra, Kratos and Keto:
-
-<img src="{{ 'images/v26.1/integrate-ory-architecture-overview.png' | relative_url }}" alt="Ory Architecture Overview"  style="border:1px solid #eee;max-width:80%;margin:auto;display:block" />
+By the end of this tutorial, you will have a working environment where Ory’s services (Hydra, Kratos, and Keto) use a CockroachDB cluster for storage.
 
 ## Integration Architecture Overview
 
-This example environment integrates Ory Hydra, Ory Kratos, and Ory Keto.
+This example environment integrates [Ory Hydra]({% link {{ page.version.version }}/ory-overview.md %}#ory-hydra), [Ory Kratos]({% link {{ page.version.version }}/ory-overview.md %}#ory-kratos), and [Ory Keto]({% link {{ page.version.version }}/ory-overview.md %}#ory-keto).
 
 In a CockroachDB/Ory integration, each of these components relies on CockroachDB to store their state in a consistent and durable way, enabling them to function correctly even in the presence of partial outages or regional network partitions. Each Ory component is deployed as a stateless service, with its only persistence requirement being a backing SQL database.
 
@@ -45,10 +39,12 @@ In this example environment, both Ory and CockroachDB are deployed within the `u
 
 ## Set up a joint CockroachDB/Ory environment
 
-This tutorial walks you through the manual setup of a joint CockroachDB/Ory environment. By the end of this tutorial, you will have a working environment where Ory’s services (Hydra, Kratos, and Keto) use a CockroachDB cluster for storage.
+This tutorial walks you through the manual setup of a joint CockroachDB/Ory environment. 
 
 ### Before you begin
 
+Before starting this tutorial, read the [Ory overview]({% link {{ page.version.version }}/ory-overview.md %}). 
+
 To complete this tutorial, you will need:
 
 - An [AWS account](https://aws.amazon.com/resources/create-account/) with permissions to create EKS clusters and EC2 resources.
@@ -89,9 +85,9 @@ CockroachDB Cloud is a fully-managed service run by Cockroach Labs, which simpli
 
 Before integrating Ory components with CockroachDB, you will need to set up separate databases for each service. Each Ory service manages its own schema and migrations:
 
-- Ory Hydra manages OAuth2 clients, consent sessions, access/refresh tokens
-- Ory Kratos handles identity, credentials, sessions, verification tokens
-- Ory Keto stores relation tuples (RBAC/ABAC data) for permissions
+- [Ory Hydra]({% link {{ page.version.version }}/ory-overview.md %}#ory-hydra) manages OAuth2 clients, consent sessions, access/refresh tokens
+- [Ory Kratos]({% link {{ page.version.version }}/ory-overview.md %}#ory-kratos) handles identity, credentials, sessions, verification tokens
+- [Ory Keto]({% link {{ page.version.version }}/ory-overview.md %}#ory-keto) stores relation tuples (RBAC/ABAC data) for permissions
 
 Keeping these in separate databases simplifies maintenance and ensures isolation between identity, OAuth2, and authorization data.
 
@@ -909,6 +905,7 @@ The tests above confirm that each Ory component in this deployment is properly c
 
 ## See also
 
+- [Ory Overview]({% link {{ page.version.version }}/ory-overview.md %})
 - [Deploy a Local Cluster from Binary (Secure)]({% link {{ page.version.version }}/secure-a-cluster.md %})
 - [Deploy CockroachDB on AWS EC2]({% link {{ page.version.version }}/deploy-cockroachdb-on-aws.md %})
 - [cockroach sql]({% link {{ page.version.version }}/cockroach-sql.md %})

src/current/v26.1/ory-overview.md

@@ -0,0 +1,96 @@
+---
+title: Ory Overview
+summary: Learn about Ory and its component services - Hydra, Kratos, and Keto
+toc: true
+docs_area: Integrate
+---
+
+[Ory](https://www.ory.com/) is an open-source identity and access management (IAM) platform that provides modular components for authentication and authorization in distributed systems. Key components include:
+
+- [Ory Hydra](https://www.ory.com/hydra) for OAuth2 and OIDC flows.
+- [Ory Kratos](https://www.ory.com/kratos) for identity management (including users, groups, and organizations).
+- [Ory Keto](https://www.ory.com/keto) for fine-grained authorization and relationship-based access control (ReBAC,  inspired by Google Zanzibar).
+
+The following diagram shows the relationship between Ory Hydra, Kratos and Keto:
+
+<img src="{{ 'images/v26.1/integrate-ory-architecture-overview.png' | relative_url }}" alt="Ory Architecture Overview"  style="border:1px solid #eee;max-width:80%;margin:auto;display:block" />
+
+## Ory components
+
+### Ory Hydra
+
+Ory Hydra is a server implementation of the [OAuth 2.0 authorization framework](https://oauth.net/2/) and the [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0-final.html). It tracks clients, consent requests, and tokens with strong consistency to prevent replay attacks and duplicate authorizations.
+
+The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
+
+The following diagram shows the series of requests made between a user, an application client, and an underlying authorization server:
+
+<img src="{{ 'images/v26.1/integrate-ory-oauth2-flow.png' | relative_url }}" alt="OAuth2 Flow"  style="border:1px solid #eee;max-width:80%;margin:auto;display:block" />
+
+This sequence diagram illustrates the OAuth 2.0 authorization flow as a series of requests and responses, using Ory Hydra as the authorization server:
+
+<img src="{{ 'images/v26.1/integrate-ory-hydra-flow.png' | relative_url }}" alt="Interaction flow using Ory Hydra"  style="border:1px solid #eee;max-width:80%;margin:auto;display:block" />
+
+The diagram depicts the interactions between four key components:
+
+- **Client**: An application seeking access to protected resources.
+- **Resource Owner**: The user.
+- **Ory Hydra**: The authorization server.
+- **Resource Server**: The API or service that hosts protected resources.
+
+The flow begins when the Client initiates a request for authorization from the Resource Owner. This typically takes the form of a redirect to a login or consent screen provided by Ory Hydra. The Resource Owner reviews the request and, upon granting access, provides an authorization grant (often an authorization code) to the Client.
+
+The Client then uses this authorization grant to request an access token from Hydra. Along with the grant, the Client also authenticates itself (using credentials such as a Client ID and secret). Hydra validates the authorization grant and Client credentials. If everything checks out, it responds by issuing an access token to the Client.
+
+Armed with the access token, the Client then makes a request to the Resource Server, presenting the token as proof of authorization. The Resource Server validates the access token, often by introspecting it via Hydra or verifying its signature if it’s a [JSON Web Token (JWT)](https://www.jwt.io/introduction#what-is-json-web-token) and, if valid, serves the requested protected resource to the Client.
+
+This flow encapsulates the standard Authorization Code Grant pattern in OAuth 2.0, with Ory Hydra fulfilling the role of an authorization server that manages token issuance, validation, and policy enforcement.
+
+### Ory Kratos
+
+Ory Kratos stores user identity records, recovery flows, sessions, and login attempts in transactional tables.
+
+Each identity can be associated with one or more credentials, stored in the `identity_credentials` table. These credentials define how a user authenticates with the system, such as through a password, social login, or other mechanisms.
+
+Kratos enables users to sign up and manage their profiles without administrative help. It implements the following flows:
+
+- Registration
+- Login
+- Logout
+- User Settings
+- Account Recovery
+- Address Verification
+- User-Facing Error
+- 2FA / MFA
+
+The following diagram demonstrates how an API Client might interact with Ory Kratos:
+
+<img src="{{ 'images/v26.1/integrate-ory-kratos-registration.png' | relative_url }}" alt="Kratos Registration"  style="border:1px solid #eee;max-width:80%;margin:auto;display:block" />
+
+### Ory Keto
+
+Ory Keto provides scalable, relationship-based access control (ReBAC).
+
+In Keto, authorization is checked by evaluating whether a relation tuple exists (directly or through recursive expansion) that permits a given subject to perform a relation on an object in a namespace. This data model is designed for high scalability and flexibility, enabling complex access patterns like group membership, role inheritance, and hierarchical access rights.
+
+A permission model is a set of rules that define which relations are checked in the database during a permission check.
+
+Permission checks are answered based on:
+
+- The data available in CockroachDB, for example: "user Bob is the owner of document X".
+
+- Permission rules, for example: "All owners of a document can view it".
+
+When you ask Keto, "Is user Bob allowed to view document X?" the system checks whether Bob has view permission, and then checks whether Bob is the owner of document X. The permission model tells Ory Keto what to check in the database.
+
+The following diagram illustrates the object relationships that Ory Keto enables:
+
+<img src="{{ 'images/v26.1/integrate-ory-permission-graph.png' | relative_url }}" alt="Permission Graph"  style="border:1px solid #eee;max-width:80%;margin:auto;display:block" />
+
+## Integrate with Ory
+
+Ory services can use CockroachDB clusters as their persistent data store. Learn how to [create a joint CockroachDB/Ory environment]({% link {{ page.version.version }}/ory-integration-guide.md %}).
+
+## See also
+
+- [Integrate CockroachDB with Ory]({% link {{ page.version.version }}/ory-integration-guide.md %})