tags : Security, Authentication
Two parts
- Authentication (are you actually the person you say you are)
- Authorization (are you allowed to do what you are trying to do.)
SSO
Covering all bases for SSO
To cover all your bases, you need 2 identity providers. Any modern identity provider worth itself will also be able to sync back to an LDAP server to keep the two consistent.
- An LDAP server that’s preferably not exposed to the web
- An SSO identity provider that is exposed to the web.
Products
There are opensource and prioperty Products
| Name | Remark | Released |
|---|---|---|
| Keycloak | 2014 | |
| Authentik | ||
| Authelia | ||
| Ory | 2016 | |
| Okta | ||
| AWS Cognito | ||
| Auth0 | ||
| Clerk | ||
| Firebase Auth | ||
| Supabase Auth | ||
| Supertokens | 2019 |
Keycloak
- Open-source identity and access management by RedHat
- Managing users, roles, and permissions, as well as for implementing multi-factor authentication and social login.
- Supports authentication mechanisms such as OpenID Connect, OAuth 2.0, and SAML
- You also need to use their template and plugin system (so Java for Keycloak)
- Can’t use a different OAuth2 provider because well - you use Keycloak
- Needs to be selfhosted
- Keycloak with PostgreSQL on Kubernetes | Hacker News
Auth0
- Dedicated to providing its solution in the SaaS model.
- Owned by Okta now
Okta
- Identity SaaS product
Ory
- Has both selfhosted and SaaS based(Ory Network)
- Not super mature
Ory Kratos
- Released 2018
- Headless
- User registration, login, password reset, social sign in(Client side OAuth2), profile management, 2FA, and more
Ory Hydra
- OAuth/OIDC provider
- Have multiple apps that need a common sign-in method (SSO)
- 3rd parties to access your users data safely etc.
Oathkeeper
- 2017
- Access control for API endpoints
Keto
- Authorization, define advanced permission rules (“Access Control Policies”)
- Permission management, roles, who is allowed to do what
Supertokens
- Ory has criticized these guys of using incorrect terms and specs etc.
Authentik
- Authentik is a full LDAP container reimplementation with many bell and whistles.
Authelia
- Authelia needs a LDAP or file backend with user credentials