| | openpubkey | Ory Oathkeeper |
|---|---|---|
| Mentions | 2 | 4 |
| Stars | 563 | 3,174 |
| Growth | 3.9% | 0.7% |
| Activity | 8.8 | 6.8 |
| Latest commit | 3 days ago | 5 days ago |
| Language | Go | Go |
| License | Apache License 2.0 | Apache License 2.0 |
Stars: the number of stars that a project has on GitHub. Growth: month-over-month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is among the top 10% of the most actively developed projects that we are tracking.
openpubkey
- OpenPubkey: Protocol for leveraging OpenID to bind identities to public keys
- RFC 9420 – A Messaging Layer Security Overview
You could use OpenPubkey [0, 1] to bind your identity key to your, say, Google or Okta account. With an MFA Cosigner, a malicious Google wouldn't be able to impersonate you.
If you really wanted to go full cypherpunk, you could use the stuff RISC Zero [2] is building to keep your identity secret via ZKPs over the ID Token (JWT).
[0]: OpenPubkey: Augmenting OpenID Connect with User held Signing Keys, https://eprint.iacr.org/2023/296
[1]: https://github.com/openpubkey/openpubkey
[2]: "Under the hood is JWT and OIDC verification on top of the RISC Zero zkVM" https://www.risczero.com/news/bonsai-pay
Ory Oathkeeper
- Launch HN: PropelAuth (YC W22) – End-to-end auth service for B2B products
- oathkeeper alternatives - emissary, envoy, and Nginx (4 projects | 18 Jan 2022)
- Launch YC S21: Meet the Batch, Thread #4
- The reason okta spent $6.5B Auth0
Hydra feels mature. I think it's their longest-developed product so far. Besides breaking changes during big upgrades (v0 -> v1beta -> v1), everything has been painless:
- It runs anywhere with or without containers
- API makes sense, good SDKs are available in all the languages I use
- RAM usage is surprisingly low compared to usage and has been great for resource-constrained environments
- Stateless means horizontal scaling is as easy as `replicas++`
- Sub-millisecond response times for some calls, much faster than our previous setup
With Hydra, I know it's the client's fault when OAuth calls fail and not just a buggy server implementation. This is reinforced in dev mode with great errors like:
- The authorization code has already been used
- The request is missing the response_type parameter
- Parameter "nonce" must be set when using the implicit flow
- Redirect URL "https://example.com/callback" does not match
On the flip side, Oathkeeper is not a mature product and has not yet reached v1. There are breaking changes planned [1]. It lacks support for at least one popular use case (mine) out of the box [2]. Rules can be hard to create and debug. I wouldn't recommend Oathkeeper in its current state unless you're ready to dive in and fix things yourself. Once configured, it sticks with the Ory trend: fast, lean, and stable.
Depending on your use case, Oathkeeper could be swapped out with any IAP like Pomerium or just with your reverse proxy's auth request support + some small custom shim.
I haven't tried Keto (access control) or Kratos (user management) yet. Kratos is on my todo list.
[1] https://github.com/ory/oathkeeper/issues/441