Our great sponsors
-
-
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
-
-
-
-
casbin
An authorization library that supports access control models like ACL, RBAC, ABAC in Golang: https://discord.gg/S5UjpzGZjN
-
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
-
-
keycloak-clojure
A Clojure library helping the integration of Keycloak with a Clojure Application + a sample SPA Client and API Server demonstrating the Keycloak integration
-
private_server
This is the configuration for my private server, with the intention of never having to use manual SSH.
-
-
casdoor
Discontinued An open-source UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform with web UI supporting OAuth 2.0, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA and RADIUS [Moved to: https://github.com/casdoor/casdoor]
-
lua-resty-openidc
OpenID Connect Relying Party and OAuth 2.0 Resource Server implementation in Lua for NGINX / OpenResty
-
keycloak-config-cli
Import YAML/JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak.
-
SaaSHub
SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives
When I was building a website and companion app, I researched a lot of the open-source options for auth. My primary requirement was ease of setup and operation. I didn't want to mess around with JVM dependencies and 100% didn't want to start messing around with k8s for such a small project.
I was also very intimidated by the ORY stack. I didn't know how all the pieces fit together. And to self-host you pretty much need to run and orchestrate it on k8s. I'm not an auth expert, I just want a login thingy for my website/app.
I'm not affiliated with it in any way, but I really liked what ZITADEL[1] is doing, in case anyone else is researching their options. It has a very simple interface to get started with, but also a ton of features. It being written in Go is a huge benefit since that makes it much easier for me to throw it up on my vps and calling it a day.
1. https://zitadel.com/
Sure, you can treat the access token as an opaque token... but at the end of the day it could be a lot smaller.
Discussed here https://github.com/keycloak/keycloak/discussions/9713 and https://stackoverflow.com/questions/75082532/keycloak-suppor...
We also experience a few front-end issues, like when a token expires, the browser tab goes back to the login page. If you leave the tab a while then press login, the token it is using will have expired. Rather than automatically retrieving a new token and posting the login again, the user gets an error message and has to authenticate again.
If you have two tabs in that state, you log one back in, switch to the other tab, if you refresh that tab, all is well, login proceeds automatically. If you press "login" instead, you get an error page telling you "already logged in" rather than just redirecting you back to the app... it also loses the redirect url so you have to press "back" instead.
Will see if we can fix these when we have time, it would be nice to contribute back.
We used keycloak for openid identity provider as well. It is fine to setup keycloak once. But it is painful share the setup with other engineers.
For local development, we end up using dex (https://dexidp.io). When we need support group/role, we use dex and glauth(https://glauth.github.io). Both dex and glauth can be configured with yaml files. We just created a few yaml files and a docker compose file, every engineer can be brought up the whole environment in a few seconds.
Also https://www.authelia.com and https://github.com/goauthentik/authentik look pretty promising, if you need more advanced features from them.
We used keycloak for openid identity provider as well. It is fine to setup keycloak once. But it is painful share the setup with other engineers.
For local development, we end up using dex (https://dexidp.io). When we need support group/role, we use dex and glauth(https://glauth.github.io). Both dex and glauth can be configured with yaml files. We just created a few yaml files and a docker compose file, every engineer can be brought up the whole environment in a few seconds.
Also https://www.authelia.com and https://github.com/goauthentik/authentik look pretty promising, if you need more advanced features from them.
Looking at your username, it would be nice to mention that you are one of the main developers behind the tool instead of making it sound like you are unrelated: https://github.com/casbin/casbin/graphs/contributors https://github.com/casdoor/casdoor/graphs/contributors
I tried Keycloak for my homelab, but I found the ressource usage especially on startup to be too high (3 GB memory or something) and since I wanted minimal sever footprint I went with lldap[1] as the user store and authelia[2] to do forward auth using traefik.
Pretty happy with this setup, though it has less features than Keycloak, it's easier to administrate from code.
[1] https://github.com/lldap/lldap
We used keycloak for openid identity provider as well. It is fine to setup keycloak once. But it is painful share the setup with other engineers.
For local development, we end up using dex (https://dexidp.io). When we need support group/role, we use dex and glauth(https://glauth.github.io). Both dex and glauth can be configured with yaml files. We just created a few yaml files and a docker compose file, every engineer can be brought up the whole environment in a few seconds.
Also https://www.authelia.com and https://github.com/goauthentik/authentik look pretty promising, if you need more advanced features from them.
The Terraform provider[1] unfortunately is 3rd party and as such doesn't bring and guarantees of correctness other than that of the maintainer. It would be nice to see Keycloak provide an official solution for configuration management other than the K8s operator which is missing a lot of features.
[1] https://github.com/mrparkers/terraform-provider-keycloak
I use Keycloak a lot for authentication and authorisation and I like its flexibility and richness of features.
Running it in production is a no-brainer, the only problem we got was some bad behaviours of some clients that issue a token for every API call as it can put some stress on Keycloak, has to implements some rate limiting in front ok Keycloak to avoid that.
I try to ease its usage with Clojure with https://github.com/jgrodziski/keycloak-clojure
Also just for learning.
2. You can see the services here[1], since my entire setup is provisioned from GitHub with Terraform and Ansible.
3. I have about 5 users.
4. I would say simplify so far, but it depends on what kind of complexity you care about, and which services you want to integrate.
[1] https://github.com/RedlineTriad/private_server/tree/master/s...
> With both Apache and Nginx you can let the web server do all the OpenID Connect work for you for paths you specify.
Seems like at least the official nginx solution for this requires their paid subscription: https://github.com/nginxinc/nginx-openid-connect
Got any tips for how to do it with their open-source solution?
Looking at your username, it would be nice to mention that you are one of the main developers behind the tool instead of making it sound like you are unrelated: https://github.com/casbin/casbin/graphs/contributors https://github.com/casdoor/casdoor/graphs/contributors
There's an nginx Lua build that can do it on nginx through a Lua module: https://github.com/zmartzone/lua-resty-openidc
Apache is a lot easier to configure, though.
> But it is painful share the setup with other engineers.
We used keycloak-config-cli [1] it compares a config file stripped of IDs to your Keycloak installation and makes the relevant updates through the REST API.
[1] https://github.com/adorsys/keycloak-config-cli