OpenID Alternatives

OpenID reviews and mentions

• OpenID Certified OIDC Relying Party Implementation for Apache HTTP Server 2.x
  1 project | news.ycombinator.com | 4 Dec 2024
• Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server
  4 projects | news.ycombinator.com | 14 Aug 2024

  > that's irrelevant to the core developers

  That's relevant to me! If I want Apache to act as an OpenID connect relying party, for example, I can just use mod_auth_openidc https://github.com/OpenIDC/mod_auth_openidc installing which is pretty much trivial and requires little work on my part:

    sudo apt install libapache2-mod-auth-openidc

• Ask HN: How to build site with payment, subscriptions, user login, registration
  8 projects | news.ycombinator.com | 7 Aug 2024

  > I think today it would not be unreasonable to take a "microservice" kind of approach where auth is handled by some self-contained system through an API but practically you might want to be able to join stuff against your user table.

  One option for writing less code yourself might be using something like Auth0 (cloud) or Keycloak (self-hosted) with some OpenID Connect library for your tech stack, or a Relying Party implementation altogether, like: https://github.com/OpenIDC/mod_auth_openidc

• Never Update Anything
  5 projects | news.ycombinator.com | 19 Jul 2024

  That's fair! Honestly, it's kind of cool to see how many different kinds of packages are available for Apache.

  A bit off topic, but I rather enjoyed the idea behind mod_auth_openidc, which ships an OpenID Connect Relying Party implementation, so some of the auth can be offloaded to Apache in combination with something like Keycloak and things in the protected services can be kept a bit simpler (e.g. just reading the headers provided by the module): https://github.com/OpenIDC/mod_auth_openidc

  Now, whether that's a good idea, that's debatable, but there are also plenty of other implementations of Relying Party out there as well: https://openid.net/developers/certified-openid-connect-imple...

  I am also on the fence about using mod_security with Apache, because I know for a fact that Cloudflare would be a better option for that, but at the same time self-hosting is nice and I don't have anything too precious on those servers that a sub-optimal WAF would cause me that many headaches. I guess it's cool that I can, even down to decent rulesets: https://owasp.org/www-project-modsecurity-core-rule-set/ though the OWASP Coraza project also seems nice: https://coraza.io/

• I Love Laravel (2022)
  3 projects | news.ycombinator.com | 21 May 2024

  In my eyes, that felt like something that should be separate from any given app or back end API, so in my case I use mod_auth_openidc: https://github.com/OpenIDC/mod_auth_openidc with Keycloak: https://www.keycloak.org/

  My back end/app just gets a few headers that say who an authenticated user is, if they are logged in. When I need to log in or create a user, I can just direct them to the Keycloak SSO portal, where they can also use social login.

  It's using OpenID Connect without the insanity of dealing with the low level logic.

• Keycloak SSO with Docker Compose and Nginx
  21 projects | news.ycombinator.com | 11 Feb 2024

  I did something similar, though picked Apache with mod_auth_openidc, which is a certified Relying Party implementation: https://github.com/OpenIDC/mod_auth_openidc

  In other words, I can protect arbitrary applications through my reverse proxy and require either certain claims/roles, or simplify auth to the point where my downstream app/API will just receive a bunch of headers like OIDC_CLAIM_sub, OIDC_CLAIM_name, OIDC_CLAIM_email through the internal network, not making me bother with configuring OIDC libraries for all of my APIs and configure them in each stack that I might use, but rather contain all of that complexity in the web server.

  Basically:

    user <==> Apache (with mod_auth_openidc) <==> API (with OIDC_ headers, if logged in)

• What Is OIDC?
  3 projects | news.ycombinator.com | 21 Dec 2023
• Easy to use OpenID Connect client and server library written for Go
  6 projects | news.ycombinator.com | 1 Dec 2023

  otherwise connections would randomly drop. I was looking for other ways to make development a bit easier and also settled on mod_auth_openidc, which is an Apache module that lets it act like a Relying Party and handle lots of the heavy lifting (protecting endpoints, refreshing tokens etc.) for me, and lets me work with just a few headers that are passed to the protected resources: https://github.com/OpenIDC/mod_auth_openidc

  It works, but I'm still not happy - I realize that there are many types of attacks that have historically been a problem and that certain OpenID Connect flows try to protect against, in addition to the fact that if I wrote my own security code it'd almost certainly be worse and have vulnerabilities (in the words of Eoin Woods: "Never invent security technology"), and it's a good thing to follow standards... but the whole thing is such a pain. Both OpenID Connect, Keycloak and configuring mod_auth_openidc.

  Right now I'm moving permissions/roles from Keycloak back into the app DB, with references to the Keycloak user IDs, because I don't want to have to work with the Keycloak REST API every time I want to change what a user can or cannot do in the system, in addition to permissions which might only apply conditionally (one user might be related to multiple organizations, having different permissions in the context of each).

  Regardless, it's nice that there are more pieces of software out there to choose from!

• Show HN: Obligator – An OpenID Connect server for self-hosters
  18 projects | news.ycombinator.com | 11 Oct 2023

  Personally I went with Keycloak, because it's fairly well documented and also has Docker images available: https://www.keycloak.org/getting-started/getting-started-doc... although the fact that they want you to create an "optimized" image yourself and have a long build/setup process on startup instead is slightly annoying: https://www.keycloak.org/server/containers

  Regardless, with something like mod_auth_openidc or another Relying Party implementation, all of the sudden authn/authz becomes easier to manage (you can literally get user information including roles in headers that are passed from your gateway/relying party to apps behind the reverse proxy), regardless of what you have actually running in your APIs: https://github.com/OpenIDC/mod_auth_openidc (there are other options, of course, but I went with that because I already use mod_md).

  It's actually cool that there are plentiful options in the space, since OIDC is pretty complex in of itself and attempts at creating something pleasant to actually use are always welcome, I've also heard good things about Authentik: https://goauthentik.io/

• Password protect a static HTML page
  20 projects | news.ycombinator.com | 18 Feb 2023

  > The user experience with basic auth is not so good.

  Apache actually also has an OpenID Connect module, which you can enable to have it work as a relying party: https://github.com/zmartzone/mod_auth_openidc

  Basically, the actual UI will be handled by another system that you might be using, for example, in my case that might be a self-hosted Keycloak instance: https://www.keycloak.org/

  I'd say that Keycloak is a pretty good solution in general, because it does some of the heavy lifting for you, maybe its shorter release cycle not being the best thing ever, though. I think IdentityServer also tried to fill this niche, but they went full on commercial recently, without OSS offerings.

• A note from our sponsor - Stream
  getstream.io | 15 Jul 2025

  Stream helps developers build engaging apps that scale to millions with performant and flexible Chat, Feeds, Moderation, and Video APIs and SDKs powered by a global edge network and enterprise-grade infrastructure. Learn more →