Interesting. I'm in the space (I work for FusionAuth) and I've seen the following trends:
- tons and tons of startups entering the space since the Auth0 acquisition by Okta in 2021. Probably due to a combination of: stickiness, standards, the fact the market was defined by Auth0 (so you don't have to define it or explain it), and the critical nature of it.
- providers focusing on time to market and ignoring OAuth/OIDC (or delaying delivery of standards-based functionality): clerk, stytch
- providers focusing on certain use cases: workos (enterprise SSO), propelauth (b2b), clerk (react components to begin with, though they've expanded)
- self-hosting solutions with a more modern feel than Shibboleth and Keycloak (Duende Identity Server, FusionAuth, Zitadel, Ory)
- OSS providers monetizing by offering to operate their system, sometimes making it hard to find the download button so you can run it yourself
- hyperscaler solutions that are usually the default for folks building there, until limits are reached. These solutions include Cognito, Entra B2C (formerly Azure AD B2C), and Firebase.
It could be the folks I talk to, but most of them aren't interested in implementing auth themselves. They see it as undifferentiated functionality, like a database or message queue, and only worth implementing in certain specific circumstances. However, they're also worried about lock-in. And they are thinking about the speed to market vs. external dependency of SaaS offerings for critical application components.
However, choices really depend on team size and skillset. Startups are best served by using a SaaS offering or library framework that will give basic functionality and get out of the way so you can get to PMF and/or build features you can charge for. Bigger teams need more flexibility and have the ops skills to run auth themselves and remove the third-party dependency.