
Waiting for "I can build this over a weekend" comment on Hacker News :)


If somebody would write an Auth0 replacement over the weekend, that would be great.

Coincidentally I was looking for a self-hosted auth solution today and I can say there isn't anything that's close to as easy to use as just paying for Auth0.

Some decent ones I found were Keycloak, Glewlwyd and Ory, but they were too heavy or complex. I ended up going for caddy-auth-portal, which doesn't even do user management yet.


We're using Ory Hydra and a modified version of Ory Oathkeeper in production, but our use case might be a bit different (we already had a user database and auth system). Compared to implementing them from scratch, setup was simple and the end product is fantastic.

We're looking at migrating to Ory Kratos eventually. It seems to offer the things we would've wanted from Auth0, but self-hosted. Granted, you're right - I'm sure it's much more complex to self-host Kratos than to pay for Auth0.


Not that hard, when you run their quickstart (one docker-compose command) you get a self-service Node.js based app which uses the Kratos client to offer authentication, registration, email reset, user data management, authentication with third parties. All of this backed by a Postgres / MySQL / SQLite db and running on a (Go) binary.

MFA is in progress, other than that, I think it's a solid offering (and I'm using it for a product).

Integrating with oathkeeper (tokens) or keto (permission control) is quite simple as well.


I'm extremely excited by ory. We're using some Auth0 and some AD B2C, but I'd love to move to ory and just run our own thing.


That's good to hear. I was skeptical to go that route since I would have needed to install 3 services instead of just a caddy plugin and I wasn't sure where I would find a UI. But maybe in the future it'll be a good option.


How mature do you feel the Ory ecosystem is? Any major speedbumps?


Hydra feels mature. I think it's their longest-developed product so far. Besides breaking changes during big upgrades (v0 -> v1beta -> v1), everything has been painless:

- It runs anywhere with or without containers

- API makes sense, good SDKs are available in all my used languages

- RAM usage is surprisingly low compared to usage and has been great for resource-constrained environments

- Stateless means horizontal scaling is as easy as `replicas++`

- Sub-millisecond response times for some calls, much faster than our previous setup

With Hydra, I know it's the client's fault when OAuth calls fail and not just a buggy server implementation. This is reinforced in dev mode with great errors like:

- The authorization code has already been used

- The request is missing the response_type parameter

- Parameter "nonce" must be set when using the implicit flow

- Redirect URL "https://example.com/callback" does not match

On the flip side, Oathkeeper is not a mature product and has not yet reached v1. There are breaking changes planned [1]. It lacks support for at least one popular use case (mine) out of the box [2]. Rules can be hard to create and debug. I wouldn't recommend Oathkeeper in its current state unless you're ready to dive in and fix things yourself. Once configured it sticks with the Ory trend: fast, lean, and stable.

Depending on your use case, Oathkeeper could be swapped out with any IAP like Pomerium or just with your reverse proxy's auth request support + some small custom shim.

I haven't tried Keto (access control) or Kratos (user management) yet. Kratos is on my todo list.

[1] https://github.com/ory/oathkeeper/issues/441

[2] https://github.com/ory/oathkeeper/issues/521
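The errors quoted in the comment above all come from an authorization server refusing to be lenient: a missing response_type, a redirect URI that is not an exact match for a registered one, an implicit-flow request without a nonce, and an authorization code presented twice. The following is an added example (not Ory's or Hydra's code) that implements those same checks as a small stand-alone authorization-server core; the client registry, redirect URIs and requests are constructed sample data, and the rules follow RFC 6749 / OpenID Connect Core rather than any Hydra internals.

```python
"""Added example (not Ory's code): strict OAuth2/OIDC authorization-request
checks of the kind behind the Hydra error messages quoted above.
Client registry, requests and codes below are constructed sample data."""
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed client registry (hypothetical client id and redirect URIs).
CLIENTS = {
    "web-app": {
        "redirect_uris": {"https://example.com/callback"},
        "response_types": {"code", "token", "id_token"},
    }
}


class AuthError(Exception):
    """Raised with a message in the style of the errors quoted above."""


@dataclass
class CodeStore:
    # code -> (client_id, redirect_uri); an entry is removed on first use
    issued: dict = field(default_factory=dict)


def validate_authorization_request(params: dict) -> dict:
    """Validate the query of an /oauth2/auth request; return the client record.

    Rules enforced (RFC 6749 s3.1.2 / OIDC Core s3.2.2.1 style):
    - response_type is mandatory
    - redirect_uri must equal a registered URI exactly (no prefix matching)
    - implicit flows (response_type containing token / id_token) need a nonce
    """
    client = CLIENTS.get(params.get("client_id", ""))
    if client is None:
        raise AuthError("Unknown client")
    response_type = params.get("response_type")
    if not response_type:
        raise AuthError("The request is missing the response_type parameter")
    types = set(response_type.split())
    if not types <= client["response_types"]:
        raise AuthError(f"Client may not use response_type {response_type!r}")
    redirect_uri = params.get("redirect_uri", "")
    if redirect_uri not in client["redirect_uris"]:
        raise AuthError(f'Redirect URL "{redirect_uri}" does not match')
    if (types & {"token", "id_token"}) and not params.get("nonce"):
        raise AuthError('Parameter "nonce" must be set when using the implicit flow')
    return client


def check_request(params: dict) -> Optional[str]:
    """Convenience wrapper: None when valid, otherwise the error message."""
    try:
        validate_authorization_request(params)
        return None
    except AuthError as exc:
        return str(exc)


def issue_code(store: CodeStore, client_id: str, redirect_uri: str) -> str:
    """Issue a one-time authorization code bound to client and redirect_uri."""
    code = secrets.token_urlsafe(32)
    store.issued[code] = (client_id, redirect_uri)
    return code


def redeem_code(store: CodeStore, code: str, client_id: str, redirect_uri: str) -> bool:
    """Token-endpoint check: the code is single-use and bound to its issuer data."""
    entry = store.issued.pop(code, None)  # pop: a second presentation finds nothing
    if entry is None:
        raise AuthError("The authorization code has already been used")
    if entry != (client_id, redirect_uri):
        raise AuthError("Authorization code was not issued to this client/redirect_uri")
    return True


if __name__ == "__main__":
    good = {"client_id": "web-app", "response_type": "code",
            "redirect_uri": "https://example.com/callback"}
    print(check_request(good))                       # None
    print(check_request({**good, "redirect_uri": "https://example.com/other"}))
    store = CodeStore()
    code = issue_code(store, "web-app", good["redirect_uri"])
    redeem_code(store, code, "web-app", good["redirect_uri"])
```

The important design choice is that every check is a whole-value comparison against registered data, so a client bug surfaces as one of these precise errors instead of being papered over by prefix matching or optional parameters.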


We are using Ory Hydra now (but not any of the other components like Kratos, Oathkeeper, etc) and no real complaints so far. It is important to understand though that Hydra is just a component and not an out-of-the-box solution. You still have to implement your own user interface if you plan on doing OIDC login (and not just client_credentials for service authentication). Basically Hydra just takes a self-hosted login/registration/etc UI which you build yourself and wraps it in an OIDC provider. Which is great if you need to build an OIDC provider and want tight control over the user experience and user management (our use case) but don't want to implement all the fussy details of the OAuth2 protocol.


Would love to know as well. Considering a switch from Cognito here.


Would love your feedback on FusionAuth (full disclosure, I work there).

Free to download and run (but not open source, if that matters to you): https://fusionauth.io/download/

I don't know your exact use case but would be happy to chat.


As indicated by another commenter I found the product messaging/pricing really confusing. There's "Cloud", "Editions", "Reactor" with little way to see how they relate and it's not immediately obvious there is a self-hosted version. This turned me off as I just saw $75/month for a development/test version (which isn't really the case).

After diving in deeper the pricing calculator really cleared things up, but I think the menu structure and front page messaging could be vastly improved to help guide the user.


Thanks everyone for the feedback about the muddy message. I'll see what I can do to clear it up, now and later on the website.

If you want the basic community edition (you can see the features here: https://fusionauth.io/pricing/editions/ by expanding the 'Full Feature Breakdown' table) and want to self host, you can download this free as in beer standalone executable: https://fusionauth.io/download/

If you want us to host the basic community edition for you, you can purchase a single tenant instance managed by us: https://fusionauth.io/pricing/cloud/

If you want premium features (LDAP connectivity, breached password detection, and others), you can buy a paid edition; some of these include support: https://fusionauth.io/pricing/editions/

If you want us to host for you and you need the premium edition, you can buy both (hosting and a license).

Additionally, for some uses (if you resell FusionAuth to your customers, for instance) you will need to talk to us: https://fusionauth.io/license-faq/

Wow, writing that makes it clear to me how unclear that is. I'll see if we can't simplify or make this clearer.

Thanks again for your feedback!


That does clarify things. To be honest I thought "Editions" was a product alongside "Cloud".

So FusionAuth looks pretty good - it does a lot more than I need. Though the lack of a "public path" setting is the first roadblock: https://github.com/FusionAuth/fusionauth-issues/issues/88


There are some workarounds in that thread, but please do comment with your use case and/or vote for the issue with a thumbs up.

However, if FusionAuth does a lot more than you need, it may not be the right solution for you. :) Right tool for the job and all that.


I might consider something closed source but I find your offering quite confusing. Is the download a standalone auth server? I notice it isn't mentioned on the pricing page so I don't really get it. It would also depend what the minimum RAM requirements are.


Not OP but I wouldn't consider using this because it doesn't say what you said "Free to download and run." The language on the site makes it look like a free trial of some sort.


What do you think about Supertokens.io?

Granted it's not as mature but it's open source, easy to implement (decouples features based on your use case), really customizable frontend UI and great support (ping me anytime!)


Keycloak has been solid for us. The last major version upgrade wasn't super smooth, but I'm glad it exists so I don't have to think about auth any more.


Check out Netlify’s GoTrue server. It’s what we use at Supabase, after trying out almost all the others listed in this thread.

It’s the most simple self-hosted solution IMO


Honestly, if you're doing AD, SAML, etc., sure, go with Auth0.

If you want oauth2 + OpenID connect, use a damn library. Auth0 will make it more complicated not less.


I would do but I'm not even sure I understand what any of this does.


The question isn't whether there's value here. They've got revenue and you can't dispute that.

The question is whether they're worth 13x more than a valuation of 500 million dollars.



Honestly, properly configuring, maintaining and scaling Keycloak is an absolute pain in my experience. Keycloak does not come close to the ease of use of Okta and Auth0 IMHO.


Can you please elaborate on the issues you are seeing?

I just got started, but so far my experience setting Keycloak up has been the best I've experienced for an open source project in a while. I was up and running within a few hours:

Got a simple JS app working, and was able to secure all my existing services by integrating with my ingress controller.


Recently moved away from Keycloak (which I think overall is a great piece of software but was just a PITA for our use case) and my observations:

* Zero-downtime deployments don't really work. They kinda-sorta do but it was too clunky for us to do it effectively during periods when we had significant traffic. Not generally an issue if you are just using out-of-the-box components but if you are deploying custom components (Storage providers, authenticators, etc) then it doesn't work that well.

* It uses an in-memory distributed cache for authentication sessions so if your instance goes down (or you need to shut it down for a major version upgrade) then everyone is logged out. It also seems to have a lot of trouble scaling out to more than ~8 nodes. At the minimum you have to do a lot of tuning of Infinispan parameters to get it to work at scale.

* Configuration is kind of a pain because it has to be done through the UI. There is a REST API but it is really hard to work with if you want to do something like deploy a change to an authentication flow configuration. So forget about managing your configs in source control (and prepare for the inevitable issues that happen when configs aren't properly updated with deployment because someone fat-fingers something in the configuration UI).

* There is a LOT of stuff that is hard-coded in the core Keycloak engine that makes customization impossible short of modifying the actual Keycloak source itself and running your own build (not recommended!).

* One small thing that nonetheless drove me crazy is that Keycloak injects a JS snippet into rendered templates to munge the browser history and has no way for you to insert a nonce in the script tag, so setting up CSP headers was way harder than it should have been.

All that said, it was more that Keycloak was not the right tool for our use case (an always-on user-facing identity provider) but if you just need a basic login/registration screen and are fine using Keycloak's built-in components (with maybe just some thumbing) then it works great.
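The CSP point in the comment above is worth seeing concretely: with a nonce-based script-src policy, every inline script has to carry the per-response nonce, so a snippet the framework injects without one is simply blocked by the browser. The following is an added example (not Keycloak's code) that generates the nonce, builds the policy, and audits a rendered page for script tags that would be blocked; the login template and the history-munging snippet it optionally injects are constructed stand-ins, not Keycloak's actual markup.

```python
"""Added example (not Keycloak's code): nonce-based CSP plus an audit that
counts <script> tags a page serves without the response nonce. The HTML
template and the injected history snippet below are constructed."""
import secrets
from html.parser import HTMLParser
from typing import List, Optional


def make_nonce() -> str:
    # 128 bits of randomness, base64url encoded; must be fresh per response
    return secrets.token_urlsafe(16)


def build_csp(nonce: str) -> str:
    """Content-Security-Policy value that allows only scripts carrying the nonce.

    'strict-dynamic' lets a nonce'd script load further scripts; there is
    deliberately no 'unsafe-inline' and no host allowlist to fall back on.
    """
    return (
        f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
        "object-src 'none'; base-uri 'none'"
    )


class ScriptAudit(HTMLParser):
    """Collects the nonce attribute of every <script> tag (None when absent)."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Optional[str]] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "script":
            self.scripts.append(dict(attrs).get("nonce"))


def scripts_missing_nonce(html: str, nonce: str) -> int:
    """Number of <script> tags the policy from build_csp() would block."""
    audit = ScriptAudit()
    audit.feed(html)
    return sum(1 for n in audit.scripts if n != nonce)


def render_login_page(nonce: str, inject_unnonced_script: bool) -> str:
    """Constructed template; the flag simulates a framework-injected snippet
    that has no way to receive the nonce (the situation described above)."""
    app_script = f'<script nonce="{nonce}">initLoginForm();</script>'
    injected = "<script>history.replaceState({}, '', location.href);</script>"
    body = app_script + (injected if inject_unnonced_script else "")
    return f"<html><head><title>Login</title></head><body>{body}</body></html>"


if __name__ == "__main__":
    nonce = make_nonce()
    print("Content-Security-Policy:", build_csp(nonce))
    for injected in (False, True):
        page = render_login_page(nonce, injected)
        print("injected snippet:", injected,
              "-> blocked scripts:", scripts_missing_nonce(page, nonce))
```

Running the audit against rendered output in a test suite is a cheap way to catch exactly the regression the comment describes: the count must stay at zero, and any template or library that starts emitting an un-nonced script fails the build rather than failing silently in the browser.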


> Configuration is kind of a pain

The REST API is pretty sufficient in my experience. Beyond that for realm management, we use ansible modules [1].

[1] https://docs.ansible.com/ansible/latest/collections/communit...


Spring Security is really pleasant to work with.

Keycloak is also quite nice, but configuration is rather annoying at times.

Should be workable.




