[HN Gopher] Show HN: Open Source Authentication and Authorization
       ___________________________________________________________________
        
       Show HN: Open Source Authentication and Authorization
        
        I'm Rishabh and the co-founder and CTO at https://supertokens.com
        (YC S20). We offer open-source user authentication and we just
        released our user roles product for companies implementing
        authorization.
         
        Our users are web developers, and a prominent and adjacent pain
        point for our users is authorization. Developers typically
        implement two independent solutions for authentication and
        authorization. Offering AuthN and AuthZ in a single solution is
        something we've been thinking about for the last few years.
         
        Quick primer: authentication is knowing who the user is, and
        authorization is knowing what the user has access to. A physical
        analogy: A person enters a building. Authentication means reading
        their ID card and knowing that the person's name is John.
        Authorization means knowing which floors, offices, and files John
        has access to.
         
        With increasing privacy and data complexity, companies like
        Netflix[1], Slack[2], and Airbnb[3] have built out their own
        complex authorization systems.
         
        To build our user roles product, we started with a first
        principles approach of covering authorization use cases using
        scripting languages such as XACML and OPA. But looking at existing
        solutions built by talented teams like Oso[4], Aserto[5],
        Cerbos[6], Styra[7], we realized that while these were powerful
        solutions, they were often overkill for most early to mid-stage
        companies (especially on the B2C side).
         
        We went back to the drawing board, reached out to our users and
        after dozens of conversations, we realized that most authorization
        needs require the ability to
         
        1. Assign and manage roles and permissions
        2. Store roles in the DB and session tokens to make it readable on
           the frontend and
        3. Protect APIs and websites based on these roles and permissions.
         
        And so, we built user roles - a simple RBAC authorization service
        that focuses on the balance between simplicity and utility. It
        doesn't cover many complex cases and we're not looking to displace
        any of the authorization incumbents. But you can add AuthN and
        AuthZ using a single solution, quickly.
         
        In the near future, we'll be launching an admin GUI where you can
        manage your users and their roles with a few clicks.
         
        We'd love for you to try it out and hear what additional
        functionality you'd like to see. What are your favorite
        authentication providers and what do they get right?
         
        - [1]: https://conferences.oreilly.com/velocity/vl-ca-2018/cdn.orei...
        - [2]: https://slack.engineering/role-management-at-slack/
        - [3]: https://medium.com/airbnb-engineering/himeji-a-scalable-cent...
        - [4]: https://www.osohq.com/
        - [5]: https://www.aserto.com/
        - [6]: https://cerbos.dev/
        - [7]: https://www.styra.com/
        
       Author : rishabhpoddar
       Score  : 56 points
       Date   : 2022-11-03 13:45 UTC (9 hours ago)
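        The three capabilities the post lists (manage roles and permissions,
        copy the roles into the session token so the frontend can read them,
        guard APIs on them) as an added Python sketch; this is not SuperTokens'
        code or API. The role tables, the HMAC-signed token format, the demo
        key and the `recheck_db` switch are all constructed for illustration,
        and the switch exists to show the one check a practitioner should want
        here: a role snapshot inside a token stays valid until the token is
        refreshed, so role removal needs either a re-read of the store or a
        short token lifetime.

```python
import base64, hashlib, hmac, json

# Constructed tables standing in for the roles/permissions store (hypothetical, not SuperTokens').
ROLE_PERMISSIONS = {
    "admin": {"docs:read", "docs:write", "users:manage"},
    "editor": {"docs:read", "docs:write"},
    "viewer": {"docs:read"},
}
USER_ROLES = {"alice": {"admin"}, "bob": {"viewer"}}  # the user -> roles "DB"
SECRET = b"constructed-demo-key"  # hypothetical signing key; load it from a secret store in real code

def permissions_for(roles):
    """Step 1: flatten a user's roles into the set of permissions they grant."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))

def issue_session(user_id):
    """Step 2: copy the roles and derived permissions into a signed session-token payload."""
    roles = sorted(USER_ROLES.get(user_id, set()))
    payload = {"sub": user_id, "roles": roles, "permissions": sorted(permissions_for(roles))}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).rstrip(b"=")
    sig = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}.{sig}"

def read_claims(token):
    """Frontend side: decode (without verifying) to decide which UI elements to show."""
    body = token.rpartition(".")[0]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def verify_session(token):
    """Backend side: check the signature before trusting any claim in the payload."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad session signature")
    return read_claims(token)

def require_permission(token, needed, recheck_db=False):
    """Step 3: API guard. With recheck_db=True the roles are re-read from the store, so a
    role removed after the token was issued stops granting access immediately."""
    try:
        claims = verify_session(token)
    except PermissionError:
        return False
    if recheck_db:
        return needed in permissions_for(USER_ROLES.get(claims["sub"], set()))
    return needed in claims["permissions"]

def revoke_role(user_id, role):
    """Role removal in the store; tokens already issued keep the old snapshot until refreshed."""
    USER_ROLES.get(user_id, set()).discard(role)
```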
        
       | aidos wrote:
       | Implementing SuperTokens is on my roadmap. I've read through the
       | docs and been lurking on discord. The approach having your own
       | layer in front of theirs to augment everything sits really well
       | with me.
       | 
       | I wish you guys all the luck, I think it's a really interesting
       | product.
        
       | ryhotsi wrote:
       | Congrats on the launch!
       | 
       | At the same time I'm wondering if we truly need another RBAC
       | solution? I remember back in 2010 using libs like
       | https://github.com/ZF-Commons/zfc-rbac to do exactly this. But
        | the problem is, permissions are actually a representation of
        | business processes and communication structures. They are rarely
        | user <-> role <-> permissions (I wish they were!).
       | 
       | So I have to ask, with software coming out of things like
       | Zanzibar (imo also simple concepts but more powerful at scale)
       | and open source implementations around it (e.g.
       | https://github.com/ory/keto) - why did you decide to build the
       | same thing again, instead of collaborating with one of these
       | projects? The engineering task for sure is honorable, but would
       | the software world not benefit much more from a common solution
       | instead of doing the same thing all over again?
       | 
       | In any case, it's great that you're publishing it as open source!
       | To have a bit of comparison - are there some resources on how
       | Supertokens compares with other open (or not) source solutions
       | like https://keycloak.org/ or https://github.com/ory ?
        
         | ignoramous wrote:
         | > _So I have to ask, with software coming out of things like
         | Zanzibar and open source implementations around it - why did
         | you decide to build the same thing again, instead of
         | collaborating with one of these projects?_
         | 
         | Supertokens is not a recent project.
         | 
         | Previously:
         | 
         |  _Launch HN: Securely manage tokens_ (Aug 2020),
         | https://news.ycombinator.com/item?id=24306572
         | 
         |  _Show HN: Stripe for Auth_ (Dec 2020),
         | https://news.ycombinator.com/item?id=25458033
         | 
         |  _Auth0 alternative_ (Aug 2021),
         | https://news.ycombinator.com/item?id=26880554
        
           | gneray wrote:
           | Looks like that account was created shortly after the post
           | was posted, so I think we can ignore
        
         | [deleted]
        
       | 0xbadcafebee wrote:
       | Stupid question: judging by your feature comparison, the only
       | thing you have over Keycloak is you provide managed instances. So
       | why not just be a Keycloak managed provider? They also seem to
       | have features you lack?
        
         | grepfru_it wrote:
         | Authelia is the giant open source elephant in this room
        
       | brightball wrote:
        | Looks like a really interesting platform with extremely
        | reasonable pricing. I might have to try it out soon.
       | 
       | Question on your 2FA though. It says "Partial" and lists that you
       | don't have app access. What does that mean you do have though?
       | FIDO/webAuthn?
       | 
       | If I was self-hosting the open source version at
       | auth.mydomain.com would I be able to export the data, load it
       | into your cloud offering and point the domain to your service for
       | a hiccup free transition for site users? What about the reverse?
       | 
       | I like what I see so far though. Definitely a project to keep an
       | eye on.
        
       ___________________________________________________________________
       (page generated 2022-11-03 23:00 UTC)