Our great sponsors
-
Ory Oathkeeper
A cloud native Identity & Access Proxy / API (IAP) and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP(s) requests. Inspired by the BeyondCorp / Zero Trust white paper. Written in Go.
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
* documentation and developer experience
And that doesn't get into specific features that you might need. An example: if you want to modify a user object in the middle of a login flow, Auth0 has rules, we have Lambdas, Keycloak has plugins. How are you going to know what features you need without building out at least a sample app?
Oh, and pricing! Lots of the smaller operations (us included) have transparent pricing, but Okta/Auth0 don't.
I wrote out a list of 13 different use cases for FusionAuth ( https://github.com/fusionauth/fusionauth-issues/issues/1002 ) and I am still discovering new ways this coiuld be used. I'm sure that is the case with all these competitors.
It's the old elephant story: https://www.peacecorps.gov/educators/resources/story-blind-m...
Hydra feels mature. I think it's their longest-developed product so far. Besides breaking changes during big upgrades(v0 -> v1beta -> v1), everything has been painless:
- It runs anywhere with or without containers
- API makes sense, good SDKs are available in all my used languages
- RAM usage is surprisingly low compared to usage and has been great for resource-constrained environments
- Stateless means horizontal scaling is as easy as `replicas++`
- Sub-millisecond response times for some calls, much faster than our previous setup
With Hydra, I know it's the client's fault when OAuth calls fail and not just a buggy server implementation. This is reinforced in dev mode with great errors like:
- The authorization code has already been used
- The request is missing the response_type parameter
- Parameter "nonce" must be set when using the implicit flow
- Redirect URL "https://example.com/callback" does not match
On the flipside, Oathkeeper is not a mature product and has not yet reached v1. There are breaking changes planned [1]. It lacks support for at least one popular usecase (mine) out of the box [2]. Rules can be hard to create and debug. I wouldn't recommend Oathkeeper in its current state unless you're ready to dive in and fix things yourself. Once configured it sticks with the Ory trend: fast, lean, and stable.
Depending on your usecase, Oathkeeper could be swapped out with any IAP like Pomerium or just with your reverse proxy's auth request support + some small custom shim.
I haven't tried Keto (access control) or Kratos (user management) yet. Kratos is on my todo list.
[1] https://github.com/ory/oathkeeper/issues/441