Keycloak
Ory Kratos
| | Keycloak | Ory Kratos |
|---|---|---|
| Mentions | 162 | 31 |
| Stars | 14,847 | 8,136 |
| Growth | 2.2% | 1.6% |
| Activity | 9.9 | 9.5 |
| Latest commit | 4 days ago | 3 days ago |
| Language | Java | Go |
| License | Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Keycloak
-
Just finished migrating my old tower servers to a Kubernetes cluster on my new rack!
For Authentication and Authorization, I use FreeIPA for LDAP and Keycloak for OAuth2/OpenID Connect. The FreeIPA client automatically pulls my public SSH key into whichever server I sign in to, so I never need to enter my password from my primary PC.
-
The Chewy Stack
In the end, I developed a stack that I liked and re-used across multiple projects, which consisted (mostly) of Postgres, Hasura, Nest.js, Keycloak, and Next.js or Expo. More recently I've started moving away from Keycloak towards Ory Kratos/Oathkeeper. In certain cases, I also deployed AppSmith and Metabase, and I considered tools like Meilisearch in a couple of instances.
-
Auth.js Authentication for the Web
It depends on what context you're operating in. The reality is that most people don't fully understand authentication / authorization properly, so they often mess up. When you have a small team of engineers that are spread very thin, it might be better to delegate this responsibility. If you have the time and resources to study the topic in depth and implement it properly, then it's fine. It's just not that interesting of an area, since the space for innovation and creativity is limited, and since the major problems have already been reliably solved by others: at best you end up with an equivalent outcome, and at worst you end up with security issues.
If you're operating within an enterprise context, Keycloak [0] is pretty massive but provides comprehensive coverage for all authN and authZ needs, and it's open source.
Back when I first started studying this topic I found that reading through a lot of NIST guidelines was helpful. I'd recommend at least browsing through SP 800-63-3 [1], SP 800-63A, SP 800-63B, SP 800-63C to get a good idea of the domain. Admittedly, this might be a lot of overkill for your application and needs.
- Ask HN: Lightweight Authentication
- AWS Cognito Alternatives 2023
- State of OpenID Connect Providers
- Any good free authorization server solutions?
-
How PoB uses your POESESSID
About the desktop OAuth protocol, you could try doing something as a "localhost" server... like the Keycloak (an IAM provider) folks did here: https://github.com/keycloak/keycloak/tree/main/adapters/oidc/installed
- Password security at HDI
- AD/AAD Authentication for Apps running in Kubernetes Cluster
Ory Kratos
-
State of OpenID Connect Providers
An open source solution pre-built from professionals like Ory Kratos or Keycloak saves you a lot of time and pain.
-
Tell HN: Stytch Login SaaS Unicorn has common auth vulnerabilities
One might say you wouldn't be surprised. Security practices at startups have never been good (no regulation, focus on sales), but to see this lack of security awareness in a company protecting PII is shocking. But what do VCs know ...
As always when something like this happens, here are some good open source alternatives with appropriate security policies and bug bounties in place:
* https://github.com/keycloak/keycloak
* https://github.com/ory/kratos
* https://github.com/GluuFederation (potentially dated for some use cases)
- Something like Keycloak but in Go?
-
what should I do about authentication in golang?
Kratos is the full solution, if you're interested in that.
-
Hacker News top posts: Jun 9, 2022
Show HN: Open-Source Identity Server Written in Go (19 comments)
-
Show HN: Open-Source Identity Server Written in Go (Ory Kratos)
Congratulations on Kratos coming out of Beta.
We evaluated Ory a few months ago. My understanding:
1. Ory Kratos provides session-based authentication and user management.
2. Ory Hydra is a self-managed server that secures access to your applications and APIs with OAuth 2.0 and OpenID Connect.
Basically we want to replace AWS Cognito (which is pretty much abandonware) to secure our API so we needed both applications. Unfortunately we had to put our efforts on hold:
1. Bugs around traits meant we had issues around password change, password recovery and email change/reverifications for our use-case
2. Lack of documentation prevented us making progress on 2FA/WebAuthn
3. Bearer token/OAuth consent flow wasn't available without a lot of work because Kratos and Hydra are not "integrated" [1]. Someone shows how they rolled their own integration [2].
I'd love for someone to advise that we were wrong or misunderstood things or that things have moved on since then!
Yes! OVH (the cloud provider) is working on a large PR: https://github.com/ory/kratos/pull/2148
-
Ory Kratos VS zitadel - a user suggested alternative
2 projects | 3 May 2022
2 projects | 26 Apr 2022
What are some alternatives?
authelia - The Single Sign-On Multi-Factor portal for web apps
Apache Shiro - Apache Shiro
Spring Security - Spring Security
IdentityServer - The most flexible and standards-compliant OpenID Connect and OAuth 2.x framework for ASP.NET Core
OPA (Open Policy Agent) - An open source, general-purpose policy engine.
Vault - A tool for secrets management, encryption as a service, and privileged access management
authentik - The authentication glue you need.
FreeIPA - Mirror of FreeIPA, an integrated security information management solution
caddy-auth-portal - Authentication Plugin for Caddy v2 implementing Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA with App Authenticators and Yubico.
jCasbin - An authorization library that supports access control models like ACL, RBAC, ABAC in Java
oauth2-proxy - A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers.
dex - OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors