Honestly, I'm not intimately familiar with Zitadel's solution. At a quick glance, it seems quite powerful! But it does seem like our product is more opinionated -- and is more narrowly focused on serving B2B applications.
I suspect that if you have the appetite and experience to build something unusual or otherwise complex, Zitadel will be a great fit. Perhaps they are like Keycloak in this respect. On the other hand, we try very hard to steer developers into a 'pit of success' by abstracting away a lot of details that most people don't need to worry about.
But I'll admit that comparison may be inaccurate; I probably will have to look in more detail. (The comparison will certainly seem wrong months / years into the future as our companies evolve!).
We're huge fans of Better Auth -- it's a really great offering. They might have their own take on how we differ, but here's my best attempt at a quick comparison.
We take pretty different approaches to roughly the same family of problems.
Better Auth is focused on being a great library for TypeScript. If you write Typescript and want to build your own auth, they're a great bet.
We're more of an API-first service that's agnostic to the language or framework that you use. We have a pretty opinionated product that is meant to handle auth for you -- it's not really an auth library per se.
Not to be harsh but the website not loading earlier clearly doesn't set a good first impression.
Application error: a client-side exception has occurred while loading tesseral.com (see the browser console for more information).
My belief is that the only two things you need to know to understand Auth are Identity and your Authorization model. Everything else is just a consequence of those two things.
Consumer and B2B auth are different mostly because they have different identity and authorization models, neither of which are really that complicated to identify:
1. Consumers theoretically control their own identity but in practice almost all delegate it to gmail, facebook, microsoft, etc. Businesses have actual control over their employee's identities because they own domains and emails get routed to wherever they point their domain at.
2. Consumer authorization models by default give the user access to all of their data and none of anybody else's data, unless explicitly configured otherwise. Business authorization models work exactly the same way for admins (meaning, control of the business' source of identity gives them access to ~all of the business' data). It's kind of insane to give everybody access to everybody's data so businesses create ontologies of roles/groups/scopes so that each employee only gets just as much admin powers as they require.
Why does it work that way? Well, when you control your own identity like consumers and admins, you want to just get things done without permission and auth getting in the way. When you control other people's identity you aren't personally subject to the difficulties that arise from locking things down, but you are responsible for their identity and what that identity can do, so you do what you can to limit access.
It all kinda reduces down to the problem that the Internet didn't come with a good system for managing identity, so we all use accounts based on email, which is based on domains, which route traffic using DNS, which basically sends all the account recovery/verification/communication record for every employee of a company to one spot. There is an inherent escalation of privilege vulnerability there, and there's no good fix, so we resign ourselves to a security model that says 1. centralize all information in one place 2. do whatever possible to hide, compartmentalize, and limit access to that information. It feels insane because it is insane.
Being responsible for only your own identity, actions, access, and data: makes sense. Being responsible for everybody else's actions, access, and data (because your job is managing the thing that centralized it all in one place): nightmare fuel.
Except you got people from the parent company wanting access to certain stuff, and then there's the third-party auditor that needs access and so on.
So no, B2B isn't exactly the same necessarily.
From the authorization system, why would it care who they work for, as opposed to the permissions assigned to them?
Might require different authentication providers.
> From the authorization system, why would it care who they work for, as opposed to the permissions assigned to them?
Take the case of the accountant in the parent company. Either you create a user for that accountant in each of the child companies and manage access individually for each company, or you have a single user which has access to different child companies through separate permissions or something like that.
If you do it the first way, it's more like a regular B2C case, but not exactly because you still gotta do things like automatically disable those child-users when the accountant quits the parent company.
We've hit these scenarios as customer requirements in our B2B product, YMMV.
Two, I appear as RBAC but implement ABAC under the hood. Technically the App is ABAC, but to the initial users, all they see are Roles. They cannot configure their resources. Later on, I can build interfaces for ABAC to manage their own Resources and Roles.
Bonus third, all Resources resolve to URL routes GET or POST. The application firewall prevents calls to URLs that they do not have resource permission. The server strips links and buttons from the HTML that they do not have permission to (or decorates them with a style). Thus there is no "if has resource show" code all polluting my UI.
It seems like if its not written in Javascript people have aversion to it and this "keep everything typescript" really makes no sense to me especially when you deal with the missio n critical nature of backends.
nijave•3h ago
SahAssar•3h ago
SAML is older than OpenID Connect by ~13 years.
jpc0•2h ago
SAML is approximately OIDC + SCIM + Legacy Cruft
OkayPhysicist•1h ago
jpc0•1h ago
Removing the user from your application immediately and not when their session eventually expires.
Doing those things in batch.
Querying that data at will to produce reports.
Updating a users group membership when needed and immediately and not when you decide to do so.
And then you only need an opaque userid from me and not a fat OIDC token that knows everything about my internal structure.
deathanatos•1h ago
jpc0•1h ago
I believe I added sufficient context for why I added SCIM into the mix.