Keycloak ended up being quite extensible and powerful, but the UI and data model both sometimes made things more difficult than they had to be... this could be an interesting project to look at.
One bonus (for us) for Keycloak was that it was JVM-based, meaning it was easier to integrate our existing JVM libraries. Though its use of Hibernate was frustrating at times, heh
Additional enterprise features that are not available in the open source version such as SCIM, SAML, organization login ("SSO"), CAPTCHAs and more
(i work for Ory as DevRel)
I'm pretty frightened of running Java services, not because of the JVM, but because every Java app I've had to operate is infinitely configurable via some poorly documented XML file, and trying to reverse engineer the XML file is often difficult because you have to route through a bunch of Spring Boot magic (preventing an easy grep for configuration options). And on top of that the defaults are rarely system defaults, so even figuring out _where_ the application expects to find its configuration file is nontrivial and logging by default is separated into some unknown number of log streams which each go to a completely different path on disk by default and each one has its own configuration option for telling it to log to stderr.
By contrast, Go services are pretty explicit about where they expect their configuration, they usually log to stderr by default, you can pretty much drop them into any Docker image and run them without issue (no need to custom tune the JVM or bundle up dependencies and ensure the right runtime version). I'm told that the Java world is changing, but in the mean time I will put up with _a lot_ in the way of missing features in order to avoid running a Java application.
Sorry for the rant. :)
Their dynamic forms stuff is really cool too, always liked how they chose to go about that. Only complaint I really ever had is that while their docs were overall serviceable, I remember some areas were pretty lacking and I had to dig really far to find answers to some fairly common issues.
In the TypeScript ecosystem, I'd probably take a look at Better Auth though, as the developer experience is really great!
Note to self: if I ever need a retirement project, open sourcing a properly architected auth solution would be it.
Would sqlite be a better option?
If you are "just" doing first-party login, session, and user mgmt then Ory Kratos is all you need. I would say in the majority of cases you would be fine with just Ory Kratos.
If you want 3rd party integrations, or become an IDP (think "login with $yourcorp"), or you migrate an existing system that relies on OAuth2 that you want to keep, or you have more complex auth flows where OAuth2 shines, then you want Ory Hydra.
If you want a "fine-grained" global, centralized authz system, complex and scalable authz as described by Google Zanzibar, then you want Ory Keto.
If you want to support SAML as well, you want Ory Polis.
If you want a "zero trust" setup, then you want Ory Oathkeeper.
That being said in almost all cases Kratos will be fine and you can pick and choose what you actually need.
tbh i don't know too much about it other than that they moved away from the apache2 license recently
(disclaimer: I'm working for Ory)
caleblloyd•1h ago
One of my biggest complaints was that one of the Account Recovery flows was just an emailed 6-digit code. So a 1 in 1 million chance that somebody without access to any of your stuff could hack you by just hitting reset and guessing "123456". It's actually surprising how many other Account Recovery flows across the web I have noticed recently that do the same thing. Not sure if Ory has added the option for more entropy in this code as of today's release though it's been a while since I've used it.
Otherwise it was a great project to work with that has tons of knobs to customize. I commend the authors, aeneasr especially. It must be a ton of work to keep up with all of the auth standards and offer this in an Apache2 licensed package all while building a business around it as well!
fady0•1h ago
jdmoreira•47m ago
caleblloyd•15m ago
They could script this to run over a long period of time targeting 1 account, or they could target many accounts at once, and would probably have success.