[HN Gopher] Show HN: Open Source Authentication and Authorization
___________________________________________________________________

Show HN: Open Source Authentication and Authorization

I'm Rishabh, co-founder and CTO at https://supertokens.com (YC S20). We offer open-source user authentication, and we just released our user roles product for companies implementing authorization.

Our users are web developers, and a prominent and adjacent pain point for our users is authorization. Developers typically implement two independent solutions for authentication and authorization. Offering AuthN and AuthZ in a single solution is something we've been thinking about for the last few years.

Quick primer: authentication is knowing who the user is, and authorization is knowing what the user has access to. A physical analogy: a person enters a building. Authentication means reading their ID card and knowing that the person's name is John. Authorization means knowing which floors, offices, and files John has access to.

With increasing privacy and data complexity, companies like Netflix[1], Slack[2], and Airbnb[3] have built out their own complex authorization systems.

To build our user roles product, we started with a first-principles approach of covering authorization use cases using scripting languages such as XACML and OPA. But looking at existing solutions built by talented teams like Oso[4], Aserto[5], Cerbos[6], Styra[7], we realized that while these were powerful solutions, they were often overkill for most early- to mid-stage companies (especially on the B2C side).

We went back to the drawing board, reached out to our users and, after dozens of conversations, realized that most authorization needs require the ability to:

1. Assign and manage roles and permissions
2. Store roles in the DB and session tokens to make them readable on the frontend, and
3. Protect APIs and websites based on these roles and permissions.
And so, we built user roles - a simple RBAC authorization service that focuses on the balance between simplicity and utility. It doesn't cover many complex cases, and we're not looking to displace any of the authorization incumbents. But you can add AuthN and AuthZ using a single solution, quickly. In the near future, we'll be launching an admin GUI where you can manage your users and their roles with a few clicks.

We'd love for you to try it out and hear what additional functionality you'd like to see. What are your favorite authentication providers and what do they get right?

- [1]: https://conferences.oreilly.com/velocity/vl-ca-2018/cdn.orei...
- [2]: https://slack.engineering/role-management-at-slack/
- [3]: https://medium.com/airbnb-engineering/himeji-a-scalable-cent...
- [4]: https://www.osohq.com/
- [5]: https://www.aserto.com/
- [6]: https://cerbos.dev/
- [7]: https://www.styra.com/

Author : rishabhpoddar
Score  : 56 points
Date   : 2022-11-03 13:45 UTC (9 hours ago)

| aidos wrote:
| Implementing SuperTokens is on my roadmap. I've read through the docs and been lurking on Discord. The approach of having your own layer in front of theirs to augment everything sits really well with me.
|
| I wish you guys all the luck, I think it's a really interesting product.
| ryhotsi wrote:
| Congrats on the launch!
|
| At the same time I'm wondering if we truly need another RBAC solution? I remember back in 2010 using libs like https://github.com/ZF-Commons/zfc-rbac to do exactly this. But the problem is, permissions are actually a representation of business processes and communication structures. They are rarely user <-> role <-> permissions (I wish they were!).
|
| So I have to ask, with software coming out of things like Zanzibar (imo also simple concepts but more powerful at scale) and open source implementations around it (e.g.
| https://github.com/ory/keto) - why did you decide to build the same thing again, instead of collaborating with one of these projects? The engineering task for sure is honorable, but would the software world not benefit much more from a common solution instead of doing the same thing all over again?
|
| In any case, it's great that you're publishing it as open source! To have a bit of comparison - are there some resources on how Supertokens compares with other open (or not) source solutions like https://keycloak.org/ or https://github.com/ory ?
| ignoramous wrote:
| > _So I have to ask, with software coming out of things like Zanzibar and open source implementations around it - why did you decide to build the same thing again, instead of collaborating with one of these projects?_
|
| Supertokens is not a recent project.
|
| Previously:
|
| _Launch HN: Securely manage tokens_ (Aug 2020), https://news.ycombinator.com/item?id=24306572
|
| _Show HN: Stripe for Auth_ (Dec 2020), https://news.ycombinator.com/item?id=25458033
|
| _Auth0 alternative_ (Aug 2021), https://news.ycombinator.com/item?id=26880554
| gneray wrote:
| Looks like that account was created shortly after the post was posted, so I think we can ignore
| [deleted]
| 0xbadcafebee wrote:
| Stupid question: judging by your feature comparison, the only thing you have over Keycloak is you provide managed instances. So why not just be a Keycloak managed provider? They also seem to have features you lack?
| grepfru_it wrote:
| Authelia is the giant open source elephant in this room
| brightball wrote:
| Looks like a really interesting platform with extremely reasonable pricing. I might have to try it out soon.
|
| Question on your 2FA though. It says "Partial" and lists that you don't have app access. What does that mean you do have though? FIDO/WebAuthn?
|
| If I was self-hosting the open source version at auth.mydomain.com, would I be able to export the data, load it into your cloud offering and point the domain to your service for a hiccup-free transition for site users? What about the reverse?
|
| I like what I see so far though. Definitely a project to keep an eye on.
___________________________________________________________________
(page generated 2022-11-03 23:00 UTC)
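The three-part scheme in the original post (roles and permissions stored server-side, roles copied into the session token so the frontend can read them, APIs guarded by those roles) has one place where it is easy to go wrong: the copy of the roles that the frontend reads is untrusted input, and only a backend that has verified the token's signature may act on it. The block below is an added example written for this page, not SuperTokens' code or SDK format. SESSION_KEY, the role tables, the user "john" and the "doc:*" permission names are constructed sample data, and the token is a minimal HMAC-SHA256-signed payload rather than any real session format. It shows the backend verifying the MAC before trusting the roles claim, rejecting a token whose roles were edited client-side, and an optional strict mode that re-reads roles from the store so a revoked role is denied before the token expires.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical signing key for this example only; a real deployment
# loads it from a secret store and rotates it.
SESSION_KEY = b"example-only-key-do-not-use"

# Role -> permissions. The post keeps this in the database; a dict
# stands in for it here (constructed sample data).
ROLE_PERMISSIONS = {
    "admin": {"doc:read", "doc:write", "user:manage"},
    "editor": {"doc:read", "doc:write"},
    "viewer": {"doc:read"},
}

# User -> roles, likewise database-backed in the post's scheme (constructed).
USER_ROLES = {"john": ["editor"]}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def permissions_for(roles):
    """Union of the permissions of each role; an unknown role grants nothing."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def issue_session(user_id, ttl_seconds=3600, now=None):
    """Copy the user's current roles from the store into a signed token of
    the form <base64url(payload)>.<base64url(hmac_sha256)>."""
    now = int(time.time() if now is None else now)
    payload = {
        "sub": user_id,
        "roles": sorted(USER_ROLES.get(user_id, [])),
        "iat": now,
        "exp": now + ttl_seconds,
    }
    body = _b64url(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(SESSION_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64url(sig)


def read_roles_unverified(token):
    """Frontend use: decode the roles to decide which UI to render. This never
    checks the signature, so it must not be used for an access decision."""
    body = token.split(".", 1)[0]
    return json.loads(_b64url_decode(body))["roles"]


def verify_session(token, now=None):
    """Backend use: check the MAC before believing any claim, then the expiry.
    Returns the payload or raises PermissionError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise PermissionError("malformed token")
    body, sig = parts
    expected = hmac.new(SESSION_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad signature")
    payload = json.loads(_b64url_decode(body))
    if payload["exp"] <= now:
        raise PermissionError("session expired")
    return payload


def require_permission(token, permission, strict=False, now=None):
    """API guard. strict=False trusts the roles inside the verified token until
    it expires (no DB hit); strict=True re-reads them from the store, so a
    role removed after issuance is denied immediately."""
    payload = verify_session(token, now=now)
    roles = USER_ROLES.get(payload["sub"], []) if strict else payload["roles"]
    if permission not in permissions_for(roles):
        raise PermissionError("%s lacks %s" % (payload["sub"], permission))
    return payload


def is_allowed(token, permission, strict=False, now=None):
    """Boolean wrapper around require_permission."""
    try:
        require_permission(token, permission, strict=strict, now=now)
        return True
    except PermissionError:
        return False


def revoke_role(user_id, role):
    """Remove a role in the store; tokens already issued still carry it."""
    USER_ROLES[user_id] = [r for r in USER_ROLES.get(user_id, []) if r != role]


def tamper_roles(token, roles):
    """What an attacker editing a client-side token produces: a new roles
    claim under the old signature. verify_session must reject it."""
    body, sig = token.split(".", 1)
    payload = json.loads(_b64url_decode(body))
    payload["roles"] = roles
    new_body = _b64url(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    return new_body + "." + sig
```

The non-strict path is what makes "roles in the session token" cheap: a verified token answers the permission question without a database round trip. The cost is that a role removed from the store stays usable until the token expires, which is why the example keeps the TTL short and offers the strict re-read for sensitive endpoints; a production system would instead bump a per-user version on role change and reject tokens issued before it.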