Show HN: Open-source Auth0 alternative Ory Kratos v0.13 released – nearing v1.0 (opens in new tab)

(github.com)

88 pointsquartzbox2y ago50 comments

50 comments

2mol2y ago

A while ago my team needed exactly this kind of auth solution, so the eng team reached out to Ory to clarify some technical questions that weren't covered by the docs. We were super enthusiastic about Ory. It looked solid, was open-source, and ticked all the right boxes.

We got an immediate response by a very motivated sales person who insisted to be connected with management and refused to put us in touch with anybody technical. It was a pretty off-putting experience, because it basically presumed that our eng team wasn't the decision maker (it was). I know a lot of companies throw their sales people at you, wanting to get in touch with somebody higher in the org chart, but it's still a pretty insulting experience for a tech-driven organization.

Needless to say we went with something else (not Auth0 either) and have been very happy.

aeneas_ory2y ago

Hey, Founder here. Sorry to hear that. The sales process should be a net benefit for anyone involved. I’m really keen on fixing this (and had my fair share of bad sales calls too). Would you mind sending me a quick email to aeneas@ory.sh - I just want to figure out what needs to change for the org to become better. Appreciate it! I won’t sell you anything, promised ;)

davidspiess2y ago

Can't share that experience. We are in the process of migrating from Azure B2C to ORY Network and had also some initial doubts if their products are a good fit for our enterprise company. Our company is three hours away from their office in munich, but they were willing to send us an experienced engineer to answer all of our questions. This was very much appreciated and helped us a lot. They also offer the possibility to purchase dedicated slack channel support.

cco2y ago

> ...basically presumed that our eng team wasn't the decision maker (it was).

I work at an auth company as well, Stytch, and this is something that we treat as obvious but we've seen a lot of reports like yours. Auth is such critical infrastructure, it is always going to come down to the technical team in the end.

kazanz2y ago

What did you go with?

lykahb2y ago

Their Slack workspace is quite helpful

edude032y ago

Congrats to the Ory team. We've been using it successfully at my company (self hosted) for the past ~2 years and it's been fantastic.

aeneas_ory2y ago

Founder / core maintainer here - thank you, this means a lot :)

nprateem2y ago

A great example of a website that completely fails to clearly explain how it's different from the competition.

snowstormsun2y ago

I think their Github "About" text is quite clear imho. An open source identity service that can be an alternative to similar commercial ones like Okta, Auth0.

8organicbits2y ago

Linked from the home page:

https://www.ory.sh/comparisons/

nullfield2y ago

If this was all the way transparent about Keycloak they’d make it clear that Keycloak is the upstream for Red Hat SSO, which has support options from Red Hat/IBM and so on. It’s a little bit different model from theirs, but no less valid.

mariusor2y ago

Which requires viewers be authenticated to show anything. Bleh.

2 more replies

aeneas_ory2y ago

I agree that we can do better here. Do you have a comparison in mind that you really liked?

cyanf2y ago

The frontpage should make it clear which open source project corresponds to which Ory Network product.

I was confused about that for a while.

Ex:

Permissions & Access Control -> Keto.

You could take some cues from Grafana here.

Similarly to Ory, their product is backed by OSS.

Their frontpage’s navigation bar makes it clear which is backed by which.

nprateem2y ago

I understood its something to do with auth but even the comparison pages didn't clarify in meaningful ways how it's different. I don't see how this could help me get more users - that's my job not yours.

I was also confused what a network has to do with auth. Is this some kind of distributed auth product? Who knows.

Also, I don't think anyone looking at a saas auth product would consider rolling their own. Presumably they're on your site because they aren't interested in that.

So I just didn't know what your value proposition is.

illiarian2y ago

Funny how you claim to support GDPR but your own site displays a non-compliant cookie banner.

1 more reply

mihaitodor2y ago

Cool to see Kratos mentioned here! A friend spent a bit of time coming up with a miniature OAuth provider implemented in Benthos (https://www.benthos.dev/) and Bloblang (https://www.benthos.dev/docs/guides/bloblang/about/). It is designed to serve a single OAuth client app and will generate JWT access tokens with limited lifetime: https://gist.github.com/disintegrator/0bd39879c437c4b3abb277...

nickreese2y ago

I want to love ory but honestly I have no idea how to integrate it like I can with supertokens. Literally looking to move from supertokens and have spent 4 hours trying to grok how to make the change. The docs are OK but how the products interconnect is super opaque.

advaitruia2y ago

Why are you looking to move from SuperTokens? -cofounder here

aeneas_ory2y ago

Hey there - a good place to get guidance is our large Slack community - slack.ory.sh - I’m also there and happy to help!

aeneas_ory2y ago

Founder / project creator here. Ory Kratos has been in development since 2018 and is approaching version 1.0! If you have any questions about the project, tech, flows, or Ory as a whole I’m here to help :)

sureglymop2y ago

Is this an alternative to Keycloak? One thing Keycloak supports is the ability to create multiple realms in order to use one instance for different groups of users and applications. Does Kratos support something like that?

sn0wf1re2y ago

Isn't that aspect of Keycloak a carryover from the days when one VM held one instance of an application? These days containers are cheap and you can just spin up each "realm" in another container.

1 more reply

meepmorp2y ago

Their recommendation for multitennancy is to create a db schema per realm and spin up separate instances

mihaitodor2y ago

Just curious, when will it get LDAP/AD Connectivity? I saw here https://www.ory.sh/comparisons/ory-vs-keycloak/ that it doesn't have this feature

LE: I guess it's being tracked in this GitHub issue: https://github.com/ory/kratos/issues/274

8organicbits2y ago

What's left before you'll be ready to release 1.0 and how will the project change once you've reached that milestone?

quartzboxOP2y ago

Check out the milestone on github: https://github.com/ory/kratos/milestone/15

not sure if that is everything.

zinclozenge2y ago

Are there any plans to support multi-tenancy? I understand that the current recommendation is to run multiple separate deployments, but will it be supported for a single deployment?

aeneas_ory2y ago

This will most likely stay a closed source feature for a while. Reason being that it makes an ElasticSearch situation more unlikely to happen

breadchris2y ago

I can’t believe that people use closed source auth solutions. As a security engineer, I am so thankful that Ory exists. If you can’t run your auth stack locally, your engineers will find work arounds for the inevitable pain/frustration due to some undocumented behavior that they can’t self service a root cause understanding.

alphabetatheta2y ago

Why are people still using Ory Kratos? It's still incredibly confusing documentation. Large fan of projects like: https://supertokens.com/ that focus on making authentication workflow implementation really easy.

cyanf2y ago

Ory’s killer feature is that it’s billed by DAUs not MAUs.

It makes cost much lower and more consistent.

cco2y ago

> It makes cost much lower and more consistent.

I would have thought the opposite given that they'd be charging per user per day as opposed to an all you can eat in a given month for a single user.

cyanf2y ago

Fortunately, it's billed as average DAUs. So a user logging in once a day over 30 days would count as 1 DAU.

1 more reply

j / k navigate · click thread line to collapse

50 comments

2mol2y ago

Needless to say we went with something else (not Auth0 either) and have been very happy.

aeneas_ory2y ago

davidspiess2y ago

cco2y ago

> ...basically presumed that our eng team wasn't the decision maker (it was).

kazanz2y ago

What did you go with?

lykahb2y ago

Their Slack workspace is quite helpful

edude032y ago

Congrats to the Ory team. We've been using it successfully at my company (self hosted) for the past ~2 years and it's been fantastic.

aeneas_ory2y ago

Founder / core maintainer here - thank you, this means a lot :)

nprateem2y ago

A great example of a website that completely fails to clearly explain how it's different from the competition.

snowstormsun2y ago

I think their Github "About" text is quite clear imho. An open source identity service that can be an alternative to similar commercial ones like Okta, Auth0.

8organicbits2y ago

Linked from the home page:

https://www.ory.sh/comparisons/

nullfield2y ago

mariusor2y ago

Which requires viewers be authenticated to show anything. Bleh.

2 more replies

aeneas_ory2y ago

I agree that we can do better here. Do you have a comparison in mind that you really liked?

cyanf2y ago

The frontpage should make it clear which open source project corresponds to which Ory Network product.

I was confused about that for a while.

Ex:

Permissions & Access Control -> Keto.

You could take some cues from Grafana here.

Similarly to Ory, their product is backed by OSS.

Their frontpage’s navigation bar makes it clear which is backed by which.

nprateem2y ago

I was also confused what a network has to do with auth. Is this some kind of distributed auth product? Who knows.

Also, I don't think anyone looking at a saas auth product would consider rolling their own. Presumably they're on your site because they aren't interested in that.

So I just didn't know what your value proposition is.

illiarian2y ago

Funny how you claim to support GDPR but your own site displays a non-compliant cookie banner.

1 more reply

mihaitodor2y ago

nickreese2y ago

advaitruia2y ago

Why are you looking to move from SuperTokens? -cofounder here

aeneas_ory2y ago

Hey there - a good place to get guidance is our large Slack community - slack.ory.sh - I’m also there and happy to help!

aeneas_ory2y ago

sureglymop2y ago

sn0wf1re2y ago

Isn't that aspect of Keycloak a carryover from the days when one VM held one instance of an application? These days containers are cheap and you can just spin up each "realm" in another container.

1 more reply

meepmorp2y ago

Their recommendation for multitennancy is to create a db schema per realm and spin up separate instances

mihaitodor2y ago

Just curious, when will it get LDAP/AD Connectivity? I saw here https://www.ory.sh/comparisons/ory-vs-keycloak/ that it doesn't have this feature

LE: I guess it's being tracked in this GitHub issue: https://github.com/ory/kratos/issues/274

8organicbits2y ago

What's left before you'll be ready to release 1.0 and how will the project change once you've reached that milestone?

quartzboxOP2y ago

Check out the milestone on github: https://github.com/ory/kratos/milestone/15

not sure if that is everything.

zinclozenge2y ago

Are there any plans to support multi-tenancy? I understand that the current recommendation is to run multiple separate deployments, but will it be supported for a single deployment?

aeneas_ory2y ago

This will most likely stay a closed source feature for a while. Reason being that it makes an ElasticSearch situation more unlikely to happen

breadchris2y ago

alphabetatheta2y ago

cyanf2y ago

Ory’s killer feature is that it’s billed by DAUs not MAUs.

It makes cost much lower and more consistent.

cco2y ago

> It makes cost much lower and more consistent.

I would have thought the opposite given that they'd be charging per user per day as opposed to an all you can eat in a given month for a single user.

cyanf2y ago

Fortunately, it's billed as average DAUs. So a user logging in once a day over 30 days would count as 1 DAU.

1 more reply

j / k navigate · click thread line to collapse