[HN Gopher] Zitadel: The best of Auth0 and Keycloak combined
___________________________________________________________________
Zitadel: The best of Auth0 and Keycloak combined
Author : mffap
Score : 85 points
Date : 2022-05-17 09:42 UTC (13 hours ago)
| jzelinskie wrote:
| The usage of CockroachDB in newer security products is
| refreshing. I wonder if users could share a CRDB cluster
| between Zitadel and SpiceDB[0] to have a full, modern AuthN+AuthZ
| stack with few dependencies.
|
| [0]: https://github.com/authzed/spicedb
| ffo wrote:
| I would love to chat with you guys.
|
| Hit me up with a mail florian(at)zitadel.com
| tucnak wrote:
| I had to set up an OIDC server so our website could act as the
| OIDC provider, and I got really surprised how hard that is to do
| if you really need the most basic setup. In fact it seems that
| everybody would just keep a Keycloak or whatever-- in their
| cluster and would keep it up-to-date with whatever user schema
| they would have in their app. This felt like too much work for me
| (I didn't want to maintain a whole extra service to just be able
| and provide a couple Oauth scopes from our API back-end.) so
| instead I went on and implemented the server directly in our app
| using https://github.com/zitadel/oidc. In fact this was the only
| fully-functioning OIDC implementation in Go that I could just
| plug in and make it work. So big props up to the Zitadel guys,
| the only worry would be from my side that the server
| implementation could be more generic and could rely on a set of
| interfaces that the users would be able to implement easily,
| without having to import a bunch of code from 'examples/server'
| like we have to do at the moment?
| mooreds wrote:
| Hmmm. Did you look at any of the libraries mentioned here:
| https://oauth.net/code/go/
|
| I'm not in the golang world, so curious how useful that list
| is.
| livio-a wrote:
| Thanks for the great feedback. I can see the copy/paste issue of
| the server example. We'll definitely improve this in the future
| so you won't have to implement a lot of logic in the storage
| implementation.
| IceDane wrote:
| This seems very clean and handily beats keycloak there, at least.
|
| I am building an application that will be deployed into a closed
| network, and it has some requirements regarding auth and authz
| that would be time-consuming(not to mention error prone) to
| implement. I also foresee there being a good chance of the
| customer wanting to integrate it with their existing stuff, so
| instead of having a custom user management system as part of the
| application, I ended up using keycloak.
|
| So far, the experience has been .. okay. The beginning was kind
| of rough, and just recently there were some big changes, and some
| of the documentation is still out of date, and even more of the
| documentation is sort of .. meh. However, once I really started
| grokking both keycloak and the related authz concepts, it's been
| pretty smooth sailing since. There are some rough edges, like the
| nodejs admin client being somewhat janky(possibly auto-
| generated), but otherwise I would definitely use keycloak in
| other projects.
|
| Zitadel seems like a very attractive alternative, and the
| documentation is stellar compared to keycloak's(at a glance at
| least, kudos for quickstart guides), but I'd still be sort of
| worried about the age and maturity of the project. Selling my
| customer on keycloak is relatively easy because it's not super
| young and being managed and actively developed by the folks at
| redhat. Selling them on zitadel would probably be harder.
|
| Either way, best of luck. When there's a javascript client I
| might take this for a spin for a side project just to see how it
| compares to keycloak.
| mffap wrote:
| Appreciate the feedback and insights - thank you. Happy to keep
| you posted on the javascript client, this is for sure one on
| our list. Regarding user base, sure Keycloak is very mature and
| broadly used. We started our SaaS now over 1.5 years ago and
| continuously build on the feedback and the operational
| learnings.
| ajacksified wrote:
| FYI your docs are broken - I can't scroll down on anything (such
| as https://docs.zitadel.ch/docs/guides/authentication/login-use...)
|
| Chrome 101.0.4951.64 / MacOS 12.4
|
| Very curious though as I've been doing a lot of OIDC work at
| Inrupt.
| mffap wrote:
| Thanks, good to know! Do you have
| chrome://flags/#enable-experimental-web-platform-features enabled
| by any chance? Seems to be a Docusaurus issue, we'll make an update.
| inportb wrote:
| This is interesting, but... how does one deploy this in a
| container without k8s (using Docker)?
|
| Keycloak is big and complicated, but at least it's easy to hide
| all the complexity behind Docker. Other than configuring the
| database, one could treat it as an opaque blob.
|
| Authentik is big and complicated and modular, so the complexity
| is apparent in the `docker-compose.yml`.
| mffap wrote:
| We're currently working on v2 with the goal to reduce that
| complexity. Goal is to make it easier to run a single binary,
| like you mentioned using Docker. Documentation for this is
| currently WIP - should be out end of May.
| mooreds wrote:
| Interesting pricing model: https://zitadel.com/pricing/v2
|
| Price per request isn't as common of an identity pricing model as
| MAU is.
|
| (Only applies if you host with them, of course. If you self-host,
| I believe it is free.)
| mffap wrote:
| Yes. Self-hosted is free with an option for commercial support.
| The software we use in our SaaS is identical to what's on our
| repo.
| elric wrote:
| That could probably be made clearer on the website. The
| pricing page currently says "Contact Us" under Selfhosted.
| bovermyer wrote:
| This is interesting, I'll have to check it out. I'm particularly
| curious about how it compares to Okta.
| mffap wrote:
| Great. Would love to hear more about your impression and the
| comparison to Okta. Okta is for sure very mature. Some users
| who switched liked the fact that you can run ZITADEL on any
| infrastructure (self-hosting) as well as the self-service in
| B2B scenarios (which is ticket-ops when doing it with Okta,
| apparently). Hope this helps.
| notlukesky wrote:
| What do you exactly mean by the best of Auth0 and Keycloak
| combined?
| mffap wrote:
| Firstly let me say that we like both Auth0 and Keycloak - as
| others have commented the solutions are widely used and have
| both unique advantages.
|
| We built an open source alternative to Auth0 which fully
| supports self-hosting (today on K8s, soon as all-in-one binary
| on multiple platforms). Regarding Keycloak, it is a great
| project with high maturity and a lot of features, but lacks in
| support for B2B, cloud-native and manufacturer support. We
| wrote a blog comparing Auth0 and Keycloak in more detail, when
| you might want to consider ZITADEL as alternative. Hope that
| helps.
| mooreds wrote:
| @mffap, are these the blog posts you are referencing?
|
| https://zitadel.com/blog/zitadel-vs-keycloak
|
| https://zitadel.com/blog/zitadel-vs-auth0
| mffap wrote:
| yes, that's it
| arinlen wrote:
| > _Regarding Keycloak, it is a great project with high
| maturity and a lot of features, but lacks in support for B2B,
| cloud-native and manufacturer support._
|
| Is this really true though? Last time I checked Keycloak was
| a RedHat project, meets the definition of cloud-native, and
| RedHat does provide RedHat Single Sign-On, a Keycloak-based
| service that is as B2B as it gets.
|
| Also, further down the discussion you commented that the
| project doesn't even provide a Docker image, and instead you
| mention an ongoing rewrite that might provide a stand-alone
| binary.
|
| https://news.ycombinator.com/item?id=31409609
|
| How does that miss allow the project to even be considered
| cloud-ready, let alone cloud native?
| ffo wrote:
| Currently we provide a container image as well as K8s
| support.
|
| The v2 will allow us to extend our support to a plain
| binary as well as serverless containers (Knative et al.)
|
| Keycloak is a great tool but definitely does not have B2B
| features like user management for each business customer,
| self service and delegated access management as well as
| self service federation.
|
| If you feel that I am mistaken, feel free to point out the
| docs to that ;-)
| piaste wrote:
| > Keycloak is a great tool but definitely does not have B2B
| features like user management for each business customer,
| self service and delegated access management as well as
| self service federation.
|
| (See also: https://zitadel.com/blog/zitadel-vs-keycloak)
|
| I might be misreading your post and/or the linked blog
| post, but I got the impression that both assume that
| different business customers will share the same KC realm
| and will only be divided by groups/roles/etc. Is that
| correct?
|
| We use Keycloak in a multi-tenant scenario, so each new
| business customer spawns its own realm, meaning it can
| have a fully independent configuration (SSO, OAuth2
| integration, 2FA, roles, etc.). While we provide a
| simplified UI in our product, a sufficiently technical
| customer _can_ in principle be granted a realm-level
| administrator user to manage their own configuration.
| ffo wrote:
| From the IAM perspective (If the service is an IAM) I
| agree. But as SaaS provider I don't want to use multiple
| realms because in that case my client would need to
| understand multiple issuers.
|
| Also Keycloak has a cutoff of around 400 ish realms last
| time I checked ;-)
| X-Istence wrote:
| Do you have a source for the cut-off at around 400
| realms?
| ffo wrote:
| Only my own experience and secondary sources
| https://keycloak.discourse.group/t/maximum-limit-of-
| realms/8...
| https://stackoverflow.com/questions/54465114/when-realm-
| coun...
| mooreds wrote:
| Here's more about realms and keycloak from a different HN
| comment thread I participated in:
| https://news.ycombinator.com/item?id=31266603
|
| I don't know abraae, but they seemed familiar with
| Keycloak.
| sneak wrote:
| > _ZITADEL components send errors and usage data to CAOS Ltd., so
| that we are able to identify code improvement potential. If you
| don't want to send this data or don't have an internet
| connection, pass the global flag --disable-analytics when using
| zitadelctl. For disabling ingestion for already-running
| components, execute the takeoff command again with the
| --disable-analytics flag._
|
| So, on by default spyware. How could anyone trust this in their
| infra when they are so shameless about exfiltrating data without
| consent?
| ffo wrote:
| I think we state transparently enough that we only report usage
| data and not your data within ZITADEL and you are free to
| disable it any time.
|
| If you don't agree with this I recommend not using ZITADEL
| sneak wrote:
| Obviously that was my point. Usage data is still the user's
| data and you are not entitled to it without the user's
| consent.
|
| The fact that you disclose your unethical behavior does not
| make it ethical.
|
| A better thing to do would be to patch out the feature that
| abuses the user's data. The trend of open source spyware
| needs to stop.
| denysvitali wrote:
| Whilst I'm not a fan of tools phoning back home, I have to
| admit that I'm starting to see this more and more.
|
| Flutter (Google) does it:
| https://docs.flutter.dev/get-started/install/windows
|
| > The flutter tool uses Google Analytics to report feature
| usage statistics and send crash reports. This data is used
| to help improve Flutter tools over time.
|
| >
|
| > Flutter tool analytics are not sent on the very first
| run. To disable reporting, run flutter config --no-analytics.
| To display the current setting, use flutter config. If you
| opt out of analytics, an opt-out event is sent, and then no
| further information is sent by the Flutter tool.
| ffo wrote:
| I stand by my point that we openly disclose this and if you
| don't want to share data either disable it or don't use it.
| topspin wrote:
| Regarding B2B: You know what B2B frequently calls for? SCIM.
|
| Not provided in Zitadel. Keycloak either. WSO2 IS has it. I hate
| WSO2 with a passion but it does SCIM.
|
| A non-Java on-premises IS is certainly welcome. Haul in SCIM and
| I'll take a swing at it.
| mooreds wrote:
| We recently finished shipping a SCIM server implementation. It
| was a big lift (it's quite protean).
|
| If anyone else wants to look at software supporting SCIM, this
| list seems like a place to start:
| http://www.simplecloud.info/#Implementations2 It lists both
| SCIM servers (which can be the source of truth for a set of
| users and groups) and SCIM clients (which can receive CRUD
| requests from a SCIM server).
|
| (I submitted our company to the list but I think they got
| caught up in the GitHub/Heroku situation, since changes in the
| GH repo don't seem to be going live:
| https://github.com/erdtman/simplecloud.info )
| ffo wrote:
| Thanks for the input.
|
| We definitely have SCIM2.0 on the radar. If someone feels
| intrigued we would happily accept a PR
| andy_ppp wrote:
| This looks great if you need it to scale but I would like a self
| contained version that works in a couple of docker containers and
| doesn't need a cockroach db cluster in addition to a normal
| database. Anyone know of anything!?
| manishsharan wrote:
| Looks like you need KeyCloak.
| psankar wrote:
| Look at ory.sh tools
| ffo wrote:
| We know them ;-)
| mooreds wrote:
| Disclosure: I work for FusionAuth.
|
| Depends on what you are looking for.
|
| If you want a standalone auth server, you can use FusionAuth in
| docker/docker-compose:
| https://fusionauth.io/docs/v1/tech/installation-guide/docker
|
| You can also package up a library; most major languages have
| one or more OAuth/OIDC libraries:
| https://github.com/doorkeeper-gem/doorkeeper for Ruby,
| https://spring.io/projects/spring-security for Spring/Java,
| https://oauth2.thephpleague.com/ for PHP,
| https://pypi.org/project/oauthlib/ for Python.
|
| https://oauth.net/code/ has a further selection of libraries in
| a variety of languages.
| ofrzeta wrote:
| How does it compare to Ory or Gluu?
| next_xibalba wrote:
| Yeesh, that name! What the heck were they thinking? "Hey, what if
| we combined Zit and Citadel!"
|
| But seriously, now I want to know, what are the most unfortunate
| technology or startup names my fellow HN'ers have encountered?
| I'd bet a moderate sum there are some wild examples to be found
| in SV history.
| EarlKing wrote:
| Zitadel: Popping the competition! (Sponsored by Clearasil)
|
| Honestly, how does this name even remotely relate to what it
| does? Sometimes I really despise the trend towards "quirky"
| names in open source projects.
| piaste wrote:
| > what are the most unfortunate technology or startup names my
| fellow HN'ers have encountered?
|
| A few years back there was a Github OSS project by an Asian
| developer who couldn't speak English at all - I think it was a
| Ruby or Node utility library of some kind.
|
| I don't remember the exact details anymore, but he intended to
| call it something like 'childlike' or 'so simple a child can
| use it' - unfortunately the machine translator he used
| interpreted the input phrase in his language as 'one that likes
| children'.
|
| So he was very, very confused at the loud community reaction
| when he made a post announcing the 0.1 release of his new
| 'pedophile' library.
| config_yml wrote:
| Mongo DB takes the cake, which is a slur for someone with down
| syndrome in my part of the world.
| jsiepkes wrote:
| Well don't leave us hanging, in what language?
| im_dario wrote:
| Spanish, for instance.
| carapace wrote:
| English.
|
| It was named after "Mongo, an immensely strong, dim-witted,
| yet philosophical henchman" in the movie "Blazing Saddles"
| (which is hilarious but would probably get Mel Brooks
| burned at the stake if he tried to make it today.)
|
| https://en.wikipedia.org/wiki/Blazing_Saddles
|
| Anyway, "mongo" is short for "mongoloid" which was a
| derogatory word for folks with what we now call Down
| Syndrome, and also racist in re: Mongols. So yeah, not a
| great choice of name.
| E4YomzYIN5YEBKe wrote:
| I've heard of "mong" as short for "mongoloid" but I've
| never heard of "mongo" being used that way. Searching
| through Google books most of the results for mongo refer
| to the Mongo people of the Congo. The second most common
| source is the fictional planet Mongo from the Flash
| Gordon comics.
| carapace wrote:
| Maybe Google is being Politically Correct?
|
| https://www.urbandictionary.com/define.php?term=Mongo
| krautsourced wrote:
| German
| k_sze wrote:
| In Quebecois French as well, "mongol" can be a pejorative
| for someone with DS.
|
| (That's because "Mongolian idiocy" is the obsolete
| medical term for DS:
| https://en.wikipedia.org/wiki/Mongolian_idiocy)
___________________________________________________________________
(page generated 2022-05-17 23:02 UTC)