I'm sensing a shift in the auth space. This is my very rough impression:
~20 years ago everyone rolled their own auth.
~15 years ago libraries like Passport started cropping up and gaining in popularity. I would guess this is when people started preaching "don't roll your own auth".
~10 years ago OAuth2/OpenID Connect became popular for UX reasons but only for centralized social login providers
~5 years ago Auth0/Okta was all the rage, though this is likely an HN ecochamber and maybe limited to enterprise.
The last few years it seems like self hosting is getting more popular, perhaps due to increased quality in open source offerings (Zitadel, Ory stack, many others[0]).
And very recently[1] there's been some excellent resources like OP focused more on teaching you how to roll your own again, incorporating the security lessons of the past couple decades.
Interesting. I'm in the space (I work for FusionAuth) and I've seen the following trends:
- tons and tons of startups entering the space since the Auth0 acquisition by Okta in 2021. Probably due to a combination of: stickiness, standards, the fact the market was defined by Auth0 (so you don't have to define it or explain it), and the critical nature of it.
- providers focusing on time to market and ignoring OAuth/OIDC (or delaying delivery of standards based functionality): clerk, stytch
- providers focusing on certain use cases: workos (enterprise SSO), propelauth (b2b), clerk (react components to begin with, though they've expanded)
- self-hosting solutions with a more modern feel than Shibboleth and Keycloak (Duende Identity Server, FusionAuth, Zitadel, Ory)
- OSS providers monetizing by offering to operate their system, sometimes making it hard to find the download button so you can run it yourself
- hyper scaler solutions that are usually the default for folks building there, until limits are reached. These solutions include Cognito, Entra B2C (formerly Azure AD B2C), and Firebase.
It could be the folks I talk to, but most of them aren't interested in implementing auth themselves. They see it as undifferentiated functionality, like a database or message queue, and only worth implementing in certain specific circumstances. However, they're also worried about lock in. And they are thinking about the speed to market vs external dependency of SaaS offerings for critical application components.
However, choices really depends on team size and skillset. Startups are best served by using a SaaS offering or library framework that will give basic functionality and get out of the way so you can get to PMF and/or build features you can charge for. Bigger teams need more flexibility and have the ops skills to run auth themselves and remove the third party dependency.
Anyone who wants one can have their own Orcid Id in two minutes flat (and they're the only major SSO implementation i know that actually let's you keep your email private, other than Apple, i guess).
They support Oauth/OIDC, and you can even allow people to sign in to your own (non-commercial) service with their orcid via OIDC - it's no harder to setup the integration than Google or Facebook.
For me the key element of a wiki is that anyone can modify it and the changes show up instantly without pre-emptive gatekeeping. In this case it looks like contributing requires getting a PR approved by the maintainer on GitHub.
If GitHub were just the UI for submitting changes I think that could actually be quite effective as a lightweight wiki solution, so long as people's changes are deployed right away and don't require a maintainer to merge them. But it's likely very difficult to do that in a secure way with a standard static site generator.
That is as may be (though I'm not sure it's quite as dire as all that), but I'd argue that if it isn't true that anyone can edit and see their changes instantly then it isn't really a wiki.
That doesn't mean wikis can't have bans, require captchas, or lock pages that are frequently abused to tenured registered users, but the tooling needs to support instant updates and freedom to edit needs to be the default. Otherwise you're looking at a static site or a CMS, not a wiki.
Yes, I agree with your point that a realtime edit/publish cycle is a key part of the “wiki” aspect, instead of needing to do a build. I hadn’t considered that part of it.
The most popular wiki sites just means that the community has to police the problem. Someone has to police the problem or else, even without spammers, you have people fighting grammar and typography wars over the math subreddits. You wake up one day and realize someone added their favorite kind of commas to every sentence across every major math article.
Having no kind of gatekeeping or moderation whatsoever before changes are published seems like a fantasy of another age. Nowadays, the wiki would be co-opted by some type of spam or malicious activity basically instantly.
It wasn't a fantasy, but it does belong to another age. The Internet was small back then and a much higher trust society. Today it's a war zone and everything must be locked down.
I didn't suggest no gatekeeping or moderation whatsoever. I explicitly qualified 'gatekeeping' with the word 'pre-emptive'.
A wiki allows anyone to edit by default and their changes are deployed without verification by another user. Moderation takes the form of locking specific pages on a case-by-case basis to users with tenure (who can still edit instantly) and rolling back misguided changes.
There's nothing wrong with having a site that isn't a wiki, but this is just a static site maintained by one person, so calling it a wiki is odd.
Create a new site that is of some public good like this site. This site will probably gain domain and page authority much quicker than their main site and will attract more visitors and the key is that their page is linked through this auth.wiki site so their page (logto) will get the SEO benefit as well.
But personally I don't think this is an SEO play, more like a brand awareness thing. Some engineer at logto probably got pissed off with the state of auth documentation, went to his boss and proposed creating a simple static site with the "business case" being brand awareness and SEO.
Yes, this project began as an internal initiative motivated by the current state of auth documentation — fragmented and inconsistent in quality. The goal was to create a centralized, high-quality website that is independent of Logto’s product content, providing value to the wider community.
While it's hypocritical to deny the potential benefits for SEO and brand awareness, the main goal remains (and will continue to be): to provide valuable and independent knowledge for everyone developing or interested in auth and identity.
Thanks, I hate auth even more now. One reason OpenAI and Anthropic ran laps around the big three is how easy it is to get started with their API endpoints; you get a static token, and off you go. Same reason Cloudflare and Fly.io are an absolute delight compared to AWS, GCP, or Azure.
Sure, it’s a security risk, but this security circle jerking is exactly what I dislike about modern tech. IAM, OAuth, WebAuth—get lost. I just wanna try something out.
Yes a moderated wiki would be ideal. Isn't there readily available moderated wiki software (possibly even git-backed)? That seems more wiki (quick) than opening PRs.
The [Edit on Github] button didn't go anywhere for me and I don't see how to create a new 'card'/entry. There seems to be (IMO) too much friction for this to be well-maintained.
This is probably just a typo, but I love the unintentional pun. A wiki was called that because it allowed quick edits by its users. Crontributing to this site takes much more time...
The site only gives entry-level information. I do not know why it exists when you could all that get info using wikipedia/chatgpt etc. It even does not mention XACML in the ABAC section.
~20 years ago everyone rolled their own auth.
~15 years ago libraries like Passport started cropping up and gaining in popularity. I would guess this is when people started preaching "don't roll your own auth".
~10 years ago OAuth2/OpenID Connect became popular for UX reasons but only for centralized social login providers
~5 years ago Auth0/Okta was all the rage, though this is likely an HN ecochamber and maybe limited to enterprise.
The last few years it seems like self hosting is getting more popular, perhaps due to increased quality in open source offerings (Zitadel, Ory stack, many others[0]).
And very recently[1] there's been some excellent resources like OP focused more on teaching you how to roll your own again, incorporating the security lessons of the past couple decades.
[0]: https://github.com/lastlogin-net/obligator?tab=readme-ov-fil...
[1]: https://thecopenhagenbook.com/