Ask HN: What do you use for user management/IAM in your SaaS app?
1. True multitenancy - Concept of users/organisations 2. SAML/OIDC/Active Directory connect 3. Multi-factor authentication 4. RBAC/ABAC access control model 5. Session management 6. Social sign-on 7. Low management overhead 8. Modern UI/UX
I want to optimise for the lowest total cost of ownership over 3+ years, and aim for 10-50k users. The market is filled with IAM products, some of them are:
1. Keycloak (OpenSource) 2. Supertokens (OpenSource with paid plans) 3. Supabase (OpenSource with paid plans) 4. Authelia (OpenSource with paid plans) 5. Authentik (OpenSource with paid plans) 6. Logto (OpenSource with paid plans) 7. Clerk (Paid) 8. Zitadel (OpenSource with paid plans) 9. FusionAuth (OpenSource with paid plans) 10. Stytch (Paid) 11. WorkOS (Paid) 12. Ory Kratos (OpenSource with paid plans)
Every time I ask Gemini/Claude/ChatGPT/... to do a deep-research and give me one recommendation for a tool from here, I get a different answer, with different rationale. I have also read so many articles for both very high praise and very staunch criticisms of all of these tools. With so many options around, which one do you choose, why, and how is that decision coming along so far? Thank you.
3 comments
[ 1.8 ms ] story [ 15.7 ms ] threadI’ve worked with Supabase, Clerk, Keycloak, and Kratos on different projects. None of the open-source options truly deliver on “low management overhead”. You’ll always have to deal with updates, patches, and some manual babysitting.
If you refuse to compromise on your feature list, your realistic options shrink fast. In that case, Zitadel is a solid choice, but be ready for higher costs from day one. My advice is to trim the must-have list, go with a managed service, get real users, and revisit the decision when scale actually becomes a problem.
> True multitenancy Many of the paid options you mentioned (workos, clerk, etc same goes for auth0) aren't actually multitenant, they've tacked on a concept of organizations to a user first data model. This presents some limitations as a result of users as the first class entity versus organizations, for example, membership across multiple organizations with different auth requirements (ie I can log into my personal with sign in with email/google but to log into a company account I need 2fa or SSO), multiple SSO connections per organization or a single SSO connection across multiple organizations (both common in enterprises where there's lots of M&A).
Happy to go into more detail on any of this or answer any specific questions you have!
My project is built in Elixir, so I implemented the flows where my application has no login screen UI. I just push all unauthenticated users straight to WorkOS. WorkOS and their AuthKit (hosted login page) handles the heavy lifting (User/Pass, Passkey, MFA, SSO, etc) and sends them back to my application with a JWT. I check if the user exists, and if not, just-in-time provisioning kicks in on my side and we're done. Tenant identified, and tenant user authenticated all wrapped up in a single JWT.
Why WorkOS?
Simple... I don't want to be responsible for any authentication headaches. I don't want to self-host or duct tape a bunch of different components together. I'd rather put as much of that control in the client's hands (or WorkOS's if they don't have their own IAM). Plus, I like what WorkOS offers. Documentation is solid, though I still need to figure out their Fine Grained Authorization (FGA) product, formerly known as Warrant. In the end, nothing lives on my side except workos_tenant_id, workos_user_id, and my application data. The tenant has full control over their IAM, all the features of WorkOS via their own admin panel and ultimately who can access my SaaS application.
How's it going so far?
I have exactly zero customers except my development tenant. Everything works as expected so far. Maybe I'll have a different story when I get a customer willing to foot the bill for all the WorkOS bells and whistles in production. But implementation has been smooth, and AuthKit works great for dev/testing as a hosted login page, one-click testing SSO flows, etc.
If I had to re-implement, would I still choose WorkOS?
I probably would've done the same deep research you're doing, hoping to find that needle in a haystack. As a bootstrap developer, I'd try to avoid the paid options and figure out the open source/roll-your-own route. But if I had a plan to afford the paid ones, I'd probably evaluate WorkOS against other paid options properly.