
I'm sensing a shift in the auth space. This is my very rough impression:

~20 years ago everyone rolled their own auth.

~15 years ago libraries like Passport started cropping up and gaining in popularity. I would guess this is when people started preaching "don't roll your own auth".

~10 years ago OAuth2/OpenID Connect became popular for UX reasons, but only for centralized social login providers.

~5 years ago Auth0/Okta was all the rage, though this is likely an HN echo chamber and maybe limited to enterprise.

The last few years it seems like self hosting is getting more popular, perhaps due to increased quality in open source offerings (Zitadel, Ory stack, many others[0]).

And very recently[1] there have been some excellent resources like OP focused more on teaching you how to roll your own again, incorporating the security lessons of the past couple of decades.

[0]: https://github.com/lastlogin-net/obligator?tab=readme-ov-fil...

[1]: https://thecopenhagenbook.com/



Interesting. I'm in the space (I work for FusionAuth) and I've seen the following trends:

- tons and tons of startups entering the space since the Auth0 acquisition by Okta in 2021. Probably due to a combination of: stickiness, standards, the fact the market was defined by Auth0 (so you don't have to define it or explain it), and the critical nature of it.

- providers focusing on time to market and ignoring OAuth/OIDC (or delaying delivery of standards based functionality): clerk, stytch

- providers focusing on certain use cases: workos (enterprise SSO), propelauth (b2b), clerk (react components to begin with, though they've expanded)

- self-hosting solutions with a more modern feel than Shibboleth and Keycloak (Duende Identity Server, FusionAuth, Zitadel, Ory)

- OSS providers monetizing by offering to operate their system, sometimes making it hard to find the download button so you can run it yourself

- hyper scaler solutions that are usually the default for folks building there, until limits are reached. These solutions include Cognito, Entra B2C (formerly Azure AD B2C), and Firebase.

It could be the folks I talk to, but most of them aren't interested in implementing auth themselves. They see it as undifferentiated functionality, like a database or message queue, and only worth implementing in certain specific circumstances. However, they're also worried about lock-in. And they are thinking about the speed to market vs. external dependency of SaaS offerings for critical application components.

However, choices really depend on team size and skillset. Startups are best served by using a SaaS offering or library framework that will give basic functionality and get out of the way so you can get to PMF and/or build features you can charge for. Bigger teams need more flexibility and have the ops skills to run auth themselves and remove the third-party dependency.


Don't forget non-commercial stuff is happening in this area too.

For example: https://orcid.org/

Anyone who wants one can have their own ORCID ID in two minutes flat (and they're the only major SSO implementation I know that actually lets you keep your email private, other than Apple, I guess).

They support OAuth/OIDC, and you can even allow people to sign in to your own (non-commercial) service with their ORCID via OIDC - it's no harder to set up the integration than Google or Facebook.
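The comment above says wiring up an OIDC provider such as ORCID is no harder than Google or Facebook; the relying-party side is the same for any of them. The block below is an added example (not code from the commenter, from ORCID, or from any project mentioned in the thread) of the security-relevant pieces of that integration using only the Python standard library: generating a per-login state, nonce and PKCE pair, building the authorization request, binding the callback to the stored state, and validating ID token claims. The issuer, endpoint, client ID and redirect URI are constructed placeholders; a real deployment takes them from the provider's discovery document and its own client registration. Signature verification against the provider's JWKS is assumed to be done by a JOSE library before `validate_id_token_claims` is called.

```python
import base64
import hashlib
import secrets
import time
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode

# Constructed placeholders (assumptions, not real ORCID values): in production
# these come from the provider's OIDC discovery document and your registration.
ISSUER = "https://idp.example"
AUTHORIZATION_ENDPOINT = ISSUER + "/oauth/authorize"
CLIENT_ID = "APP-EXAMPLE-CLIENT-ID"
REDIRECT_URI = "https://rp.example/callback"
ID_TOKEN_MAX_AGE = 600  # seconds; how old an ID token's iat may be


def b64url(raw: bytes) -> str:
    """Base64url without padding, as used by PKCE and JOSE."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_request(session: Dict[str, str]) -> str:
    """Store fresh per-login secrets in the server-side session and return the
    URL to redirect the browser to. state binds the callback to this session,
    nonce binds the ID token to it, and PKCE binds the code to this client."""
    state = b64url(secrets.token_bytes(16))
    nonce = b64url(secrets.token_bytes(16))
    verifier, challenge = make_pkce_pair()
    session.update({"state": state, "nonce": nonce, "pkce_verifier": verifier})
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def check_callback_state(session: Dict[str, str], returned_state: str) -> bool:
    """Reject callbacks that do not carry the state stored for this session
    (login CSRF defence). Constant-time compare avoids a timing side channel."""
    expected = session.get("state")
    return expected is not None and secrets.compare_digest(expected, returned_state)


def validate_id_token_claims(claims: Dict[str, object], session: Dict[str, str],
                             now: Optional[float] = None) -> Dict[str, str]:
    """Claim checks from OpenID Connect Core 3.1.3.7. Call this only after the
    token signature has been verified against the provider's JWKS.
    Raises ValueError on any failure; returns the identity to establish."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list: List[object] = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud_list:
        raise ValueError("audience does not include this client")
    if len(aud_list) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp required and must be this client for multi-audience tokens")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or exp missing")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or now - iat > ID_TOKEN_MAX_AGE:
        raise ValueError("token too old or iat missing")
    expected_nonce = session.get("nonce", "")
    if not secrets.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch (possible replay)")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("sub missing")
    # Identity is (issuer, sub); never key accounts on email alone, which the
    # comment notes some providers let users keep private anyway.
    return {"iss": ISSUER, "sub": sub}
```

`build_authorization_request` is called when the user clicks "sign in", and the callback handler runs `check_callback_state` before exchanging the code (sending `session["pkce_verifier"]` as `code_verifier`), then `validate_id_token_claims` on the verified token. The same four functions serve Google, Facebook or ORCID; only the placeholder constants change.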



