Show HN: Open Source Authentication and Authorization
Our users are web developers, and a prominent and adjacent pain point for our users is authorization. Developers typically implement two independent solutions for authentication and authorization. Offering AuthN and AuthZ in a single solution is something we’ve been thinking about for the last few years.
Quick primer, authentication is knowing who the user is, and authorization is knowing what the user has access to. A physical analogy: A person enters a building. Authentication means reading their ID card and knowing that the person’s name is John. Authorization means knowing which floors, offices, and files John has access to.
With increasing privacy and data complexity, companies like Netflix[1], Slack[2], and Airbnb[3] have built out their own complex authorization systems.
To build our user roles product, we started with a first principles approach of covering authorization use cases using scripting languages such as XACML and OPA. But looking at existing solutions built by talented teams like Oso[4], Aserto[5], Cerbos[6], Strya[7], we realized that while these were powerful solutions, they were often overkill for most early to mid-stage companies (especially on the B2C side).
We went back to the drawing board, reached out to our users and after dozens of conversations, we realized that most authorization needs require the ability to
1. Assign and manage roles and permissions
2. Store roles in the DB and session tokens to make it readable on the frontend and
3. Protect APIs and websites based on these roles and permissions.
And so, we built user roles – a simple RBAC authorization service that focuses on the balance between simplicity and utility. It doesn’t cover many complex cases and we’re not looking to displace any of the authorization incumbents. But you can add AuthN and AuthZ using a single solution, quickly.
In the near future, we’ll be launching an admin GUI where you can manage your users and their roles with a few clicks.
We’d love for you to try it out and hear what additional functionality you’d like to see. What are your favorite authentication providers and what do they get right?
- [1]: https://conferences.oreilly.com/velocity/vl-ca-2018/cdn.orei...
- [2]: https://slack.engineering/role-management-at-slack/
- [3]: https://medium.com/airbnb-engineering/himeji-a-scalable-cent...
- [4]: https://www.osohq.com/
- [5]: https://www.aserto.com/
- [6]: https://cerbos.dev/
- [7]: https://www.styra.com/
35 comments
[ 2.3 ms ] story [ 87.0 ms ] thread[0] https://goauthentik.io/
- Our architecture is different: We provide a frontend SDK with react components that are embedded in your own website - giving you more control and a better dev experience. The frontend doesn't talk to SuperTokens directly, but instead proxies requests via your backend API layer (using our backend SDK). This makes it much easier for you to customise the backend auth logic (you can reuse your API code and also are not forced to use Java), and also enables us to handle your app's session management out of the box.
- For use cases that don't need OAuth (for example if you have a single website), we don't require you to use the protocol. This makes it simpler to setup auth, especially for people not familiar with OAuth and its various flows already.
- There are other feature differences - some features that we have that they don't and vice versa. But this is just a function of time investment on either side.
Supertokens is not a recent project.
Previously:
Launch HN: Securely manage tokens (Aug 2020), https://news.ycombinator.com/item?id=24306572
Show HN: Stripe for Auth (Dec 2020), https://news.ycombinator.com/item?id=25458033
Auth0 alternative (Aug 2021), https://news.ycombinator.com/item?id=26880554
UMA2 is available in Keycloak. Known as Authorization Services. I have written about it in the past: https://gruchalski.com/posts/2020-09-05-introduction-to-keyc....
Thats true.
For us this was about coupling authorization with an authentication system so that developers could have both with a single product.
Question on your 2FA though. It says "Partial" and lists that you don't have app access. What does that mean you do have though? FIDO/webAuthn?
If I was self-hosting the open source version at auth.mydomain.com would I be able to export the data, load it into your cloud offering and point the domain to your service for a hiccup free transition for site users? What about the reverse?
I like what I see so far though. Definitely a project to keep an eye on.
> If I was self-hosting the open source version at auth.mydomain.com would I be able to export the data, load it into your cloud offering and point the domain to your service for a hiccup free transition for site users? What about the reverse?
Yes you can - both ways.
I wish you guys all the luck, I think it’s a really interesting product.
They would rather not deal with identity and authentication — usernames and passwords — at all. These are already quite nicely handled to various degrees by Cogntio, Auth0, Azure Active Directory, and others.
To address minimalist authorization needs, the portfolio of companies I worked with collaborated to create The Usher[1]. The Usher is an open source authorization server in NodeJS. Worth a peek if you, too, want to focus on authorization separate from authentication.
Disclosure: I am a contributor to The Usher.
[1] https://github.com/DMGT-TECH/the-usher-server
One thing I noticed is that the link to themes (which I was hoping to see a demo at) is broken: https://supertokens.com/docs/emailpassword/common-customizat... under pricing
I've gotten quite used to Firebase + Firebase authentication for some side-projects. Now I'm interested in some other cloud hosting providers (Supabase + Render) and one of the key things making me want to keep using Firebase is that I'd have to learn a new auth system.
SLA Guarantees is spelt wrong: https://supertokens.com/pricing
Yes, we do have outside contributions.
Over the long term, revenue will be from 1. hosting (as you mentioned), 2. Enterprises that pay for closed source features (regardless of whether they host with us or on their own infra)
https://free-for.dev/#/?id=authentication-authorization-and-...
...any advice on a cheap + easy self-hosted solution?
[0] https://supertokens.com/pricing
Support on their discord community is also great.