19 comments

[ 2.9 ms ] story [ 46.0 ms ] thread
I used Ory Kratos in a Go application a couple years ago by installing it as a dependency. It worked pretty well but in hindsight I would have hosted it as a separate application because it was a pain to bring along all of its dependencies.

One of my biggest complaints was that one of the Account Recovery flows was just an emailed 6-digit code. So a 1 in 1 million chance that somebody without access to any of your stuff could hack you by just hitting reset and guessing "123456". It's actually surprising how many other Account Recovery flows across the web I have noticed recently that do the same thing. Not sure if Ory has added the option for more entropy in this code as of today's release though it's been a while since I've used it.

Otherwise it was a great project to work with that has tons of knobs to customize. I commend the authors, aeneasr especially. It must be a ton of work to keep up with all of the auth standards and offer this in an Apache2 licensed package all while building a business around it as well!

I've used [Keycloak](https://www.keycloak.org/) in the past for "open-source Auth0" -- though I'm not sure it has ever described itself that way.

Keycloak ended up being quite extensible and powerful, but the UI and data model both sometimes made things more difficult than they had to be... this could be an interesting project to look at.

One bonus (for us) for Keycloak was that it was JVM-based, meaning it was easier to integrate our existing JVM libraries. Though its use of Hibernate was frustrating at times, heh

(comment deleted)
Kratos is awesome, especially alongside Hydra, OathKeeper, and Keto. Super powerful combo, if not a little intimidating at first. There’s a LOT of configuration involved, but that’s to be expected if you want to host your own Auth0 replacement.

Their dynamic forms stuff is really cool too, always liked how they chose to go about that. Only complaint I really ever had is that while their docs were overall serviceable, I remember some areas were pretty lacking and I had to dig really far to find answers to some fairly common issues.

This looks like great stuff.

In the TypeScript ecosystem, I'd probably take a look at Better Auth though, as the developer experience is really great!

Storing auth data in MySQL or Postgres is insane and defeats the purpose of trying to be secure.

Note to self: if I ever need a retirement project, open sourcing a properly architected auth solution would be it.

Both have options for column/field level encryption

Besides that, you can encrypt in the app regardless of the data storage

Do I need to use the other services from the Ory stack to have this be complete? I tried reading the Ory docs a couple of times when I needed an auth solution but it was indecipherable to me as someone not living in the auth world
I tried to use Ory for my company and cannot recommend it. Zitadel has been far better
I had to work with this at my old job(forked, messy-patched and outdated version). Honestly, I wasn't a big fan, mostly because of the horrible patches to make it do things it was never meant to do but also to some degree because of how unnecessarily over-complicated it was.
I've tried Keycloak and quite a few other IAM solutions, and finally settled on Kanidm. Not because it was written in Rust but because the project was easy to learn and understand and it wasn't that hard to hook things up to it. It has it's quirks, but it's been phenomenal so far. The fact that it's super lightweight from my experience is also a big bonus.
We are using ory kratos in production.

- It works and does the job. I appreciate that we got this piece of tech for free when we needed with quickly.

- The doc is clearly written in a way to steer you toward their cloud (fair enough everybody needs to eat). Setting things up is not straight forward even after years of using it.

- Backend driven UI is just weird.

- The founder used to be very opinionated on some things but let bigger issues "rot", better now that they have grown as a business.

- The fact that they wont do SAML in kratos cause its part of their cloud thing and they bought another business speaks volume to me. OSS for ory is a growth strategy, their enterprise version cloud is also not the same as the OSS one.

For OAuth2 we considered Hydra but decided to build it ourselves since we want to host on prem and want to reduce moving parts. We will also likely end up replacing kratos eventually.

TLDR it is a good tech to consider instead of building it yourself. It makes sense for B2C freemium products since all other providers charge per seat. But its not the easiest to setup.

> Passkeys, Social Sign In, OIDC, Magic Link, Multi-Factor Auth, SMS, SAML, TOTP, and more.

Sounds great! But buried further in the page,

> Additional enterprise features that are not available in the open source version such as SCIM, SAML, organization login ("SSO"), CAPTCHAs and more

We self hosted Kratos only as our IdP: three million total users, about 200k login/logout/session/jwt queries a day, using only four 1C 2G k8s pods with one extra for courier, a standard proxied 4c8g Postgres, everything works fine. Really easy to maintain with simple configuration and fully featured API.

But their documentation is really bad, especially in OSS suites. I generally use Claude Code to read their code, find the matching implementation, and try to figure out how to properly configure.

Anyway, if you need self host your IdP, just go for it, you cannot go wrong.

It might be poor taste to hijack another product's post but I would check out Authentik before commiting to any idP.

It recently started to have enterprise only features lately but its licence ensures they are added to the open source product after a set time period. Super nice developer too.

What is the simplest IdP that is not Dex?