I'm sensing a shift in the auth space. This is my very rough impression:
~20 years ago everyone rolled their own auth.
~15 years ago libraries like Passport started cropping up and gaining in popularity. I would guess this is when people started preaching "don't roll your own auth".
~10 years ago OAuth2/OpenID Connect became popular for UX reasons but only for centralized social login providers
~5 years ago Auth0/Okta was all the rage, though this is likely an HN ecochamber and maybe limited to enterprise.
The last few years it seems like self hosting is getting more popular, perhaps due to increased quality in open source offerings (Zitadel, Ory stack, many others[0]).
And very recently[1] there's been some excellent resources like OP focused more on teaching you how to roll your own again, incorporating the security lessons of the past couple decades.
Interesting. I'm in the space (I work for FusionAuth) and I've seen the following trends:
- tons and tons of startups entering the space since the Auth0 acquisition by Okta in 2021. Probably due to a combination of: stickiness, standards, the fact the market was defined by Auth0 (so you don't have to define it or explain it), and the critical nature of it.
- providers focusing on time to market and ignoring OAuth/OIDC (or delaying delivery of standards based functionality): clerk, stytch
- providers focusing on certain use cases: workos (enterprise SSO), propelauth (b2b), clerk (react components to begin with, though they've expanded)
- self-hosting solutions with a more modern feel than Shibboleth and Keycloak (Duende Identity Server, FusionAuth, Zitadel, Ory)
- OSS providers monetizing by offering to operate their system, sometimes making it hard to find the download button so you can run it yourself
- hyper scaler solutions that are usually the default for folks building there, until limits are reached. These solutions include Cognito, Entra B2C (formerly Azure AD B2C), and Firebase.
It could be the folks I talk to, but most of them aren't interested in implementing auth themselves. They see it as undifferentiated functionality, like a database or message queue, and only worth implementing in certain specific circumstances. However, they're also worried about lock in. And they are thinking about the speed to market vs external dependency of SaaS offerings for critical application components.
However, choices really depends on team size and skillset. Startups are best served by using a SaaS offering or library framework that will give basic functionality and get out of the way so you can get to PMF and/or build features you can charge for. Bigger teams need more flexibility and have the ops skills to run auth themselves and remove the third party dependency.
Anyone who wants one can have their own Orcid Id in two minutes flat (and they're the only major SSO implementation i know that actually let's you keep your email private, other than Apple, i guess).
They support Oauth/OIDC, and you can even allow people to sign in to your own (non-commercial) service with their orcid via OIDC - it's no harder to setup the integration than Google or Facebook.
For me the key element of a wiki is that anyone can modify it and the changes show up instantly without pre-emptive gatekeeping. In this case it looks like contributing requires getting a PR approved by the maintainer on GitHub.
If GitHub were just the UI for submitting changes I think that could actually be quite effective as a lightweight wiki solution, so long as people's changes are deployed right away and don't require a maintainer to merge them. But it's likely very difficult to do that in a secure way with a standard static site generator.
Having no kind of gatekeeping or moderation whatsoever before changes are published seems like a fantasy of another age. Nowadays, the wiki would be co-opted by some type of spam or malicious activity basically instantly.
Create a new site that is of some public good like this site. This site will probably gain domain and page authority much quicker than their main site and will attract more visitors and the key is that their page is linked through this auth.wiki site so their page (logto) will get the SEO benefit as well.
But personally I don't think this is an SEO play, more like a brand awareness thing. Some engineer at logto probably got pissed off with the state of auth documentation, went to his boss and proposed creating a simple static site with the "business case" being brand awareness and SEO.
Thanks, I hate auth even more now. One reason OpenAI and Anthropic ran laps around the big three is how easy it is to get started with their API endpoints; you get a static token, and off you go. Same reason Cloudflare and Fly.io are an absolute delight compared to AWS, GCP, or Azure.
Sure, it’s a security risk, but this security circle jerking is exactly what I dislike about modern tech. IAM, OAuth, WebAuth—get lost. I just wanna try something out.
This is probably just a typo, but I love the unintentional pun. A wiki was called that because it allowed quick edits by its users. Crontributing to this site takes much more time...
The site only gives entry-level information. I do not know why it exists when you could all that get info using wikipedia/chatgpt etc. It even does not mention XACML in the ABAC section.
apitman|1 year ago
~20 years ago everyone rolled their own auth.
~15 years ago libraries like Passport started cropping up and gaining in popularity. I would guess this is when people started preaching "don't roll your own auth".
~10 years ago OAuth2/OpenID Connect became popular for UX reasons but only for centralized social login providers
~5 years ago Auth0/Okta was all the rage, though this is likely an HN ecochamber and maybe limited to enterprise.
The last few years it seems like self hosting is getting more popular, perhaps due to increased quality in open source offerings (Zitadel, Ory stack, many others[0]).
And very recently[1] there's been some excellent resources like OP focused more on teaching you how to roll your own again, incorporating the security lessons of the past couple decades.
[0]: https://github.com/lastlogin-net/obligator?tab=readme-ov-fil...
[1]: https://thecopenhagenbook.com/
mooreds|1 year ago
- tons and tons of startups entering the space since the Auth0 acquisition by Okta in 2021. Probably due to a combination of: stickiness, standards, the fact the market was defined by Auth0 (so you don't have to define it or explain it), and the critical nature of it.
- providers focusing on time to market and ignoring OAuth/OIDC (or delaying delivery of standards based functionality): clerk, stytch
- providers focusing on certain use cases: workos (enterprise SSO), propelauth (b2b), clerk (react components to begin with, though they've expanded)
- self-hosting solutions with a more modern feel than Shibboleth and Keycloak (Duende Identity Server, FusionAuth, Zitadel, Ory)
- OSS providers monetizing by offering to operate their system, sometimes making it hard to find the download button so you can run it yourself
- hyper scaler solutions that are usually the default for folks building there, until limits are reached. These solutions include Cognito, Entra B2C (formerly Azure AD B2C), and Firebase.
It could be the folks I talk to, but most of them aren't interested in implementing auth themselves. They see it as undifferentiated functionality, like a database or message queue, and only worth implementing in certain specific circumstances. However, they're also worried about lock in. And they are thinking about the speed to market vs external dependency of SaaS offerings for critical application components.
However, choices really depends on team size and skillset. Startups are best served by using a SaaS offering or library framework that will give basic functionality and get out of the way so you can get to PMF and/or build features you can charge for. Bigger teams need more flexibility and have the ops skills to run auth themselves and remove the third party dependency.
Shorn|1 year ago
For example: https://orcid.org/
Anyone who wants one can have their own Orcid Id in two minutes flat (and they're the only major SSO implementation i know that actually let's you keep your email private, other than Apple, i guess).
They support Oauth/OIDC, and you can even allow people to sign in to your own (non-commercial) service with their orcid via OIDC - it's no harder to setup the integration than Google or Facebook.
lolinder|1 year ago
If GitHub were just the UI for submitting changes I think that could actually be quite effective as a lightweight wiki solution, so long as people's changes are deployed right away and don't require a maintainer to merge them. But it's likely very difficult to do that in a secure way with a standard static site generator.
orev|1 year ago
frde_me|1 year ago
kybernetikos|1 year ago
unknown|1 year ago
[deleted]
Veuxdo|1 year ago
_fat_santa|1 year ago
Create a new site that is of some public good like this site. This site will probably gain domain and page authority much quicker than their main site and will attract more visitors and the key is that their page is linked through this auth.wiki site so their page (logto) will get the SEO benefit as well.
But personally I don't think this is an SEO play, more like a brand awareness thing. Some engineer at logto probably got pissed off with the state of auth documentation, went to his boss and proposed creating a simple static site with the "business case" being brand awareness and SEO.
rednafi|1 year ago
Sure, it’s a security risk, but this security circle jerking is exactly what I dislike about modern tech. IAM, OAuth, WebAuth—get lost. I just wanna try something out.
karmakaze|1 year ago
It would be great to actually make it a wiki (and have changes recorded in git).
From the Github readme:
> Crontributing
> Missing entry? Found a typo? Please don't hesitate to create an issue or submit a pull request.
> Edit on GitHub
> The content is located in src/articles. You can find the file and click the edit button (the pencil icon) in the top right corner to start editing.
FireInsight|1 year ago
lolinder|1 year ago
This is probably just a typo, but I love the unintentional pun. A wiki was called that because it allowed quick edits by its users. Crontributing to this site takes much more time...
splash123|1 year ago
maxloh|1 year ago
splash123|1 year ago
dbacar|1 year ago
splash123|1 year ago
guerrilla|1 year ago
unknown|1 year ago
[deleted]