docs: update comparison #2
|
If you have to set up 3 different pieces of software (kratos, oathkeeper, and in parts hydra) to achieve the same goal I don't know if I'd qualify that as simple. Oh wait 4 with Ory Network. I'm all for improving marketing materials (comparison matrix) to be more accurate though. |
Quoting myself:
Ory Network is the SaaS product combining the individual services into one coherent offering and it's literally two clicks to set it up with a nice UI, or using two commands with the Ory CLI. I'd say that qualifies as simple. If the comparison is about self-hosting (it's not, it just says "simple"), then definitely setting up one service is significantly easier than 3 or more! If it's about general product offering, I'd disagree with your assumption. |
|
The description of the project, and the introduction both include in the first sentence “designed for self-hosters” so yeah, I would assume the expectation of people interested in the comparison matrix have that context in mind. |
|
Thank you for correcting my mistake of what Ory Network was. So self-hosting only requires setting up 3 services (maybe less depending on features needed?), not 4. |
|
|
||
| | | [obligator](https://github.com/anderspitman/obligator) | [Authelia](https://www.authelia.com/) | [Authentik](https://goauthentik.io/) | [KeyCloak](https://www.keycloak.org/) | [Vouch](https://github.com/vouch/vouch-proxy) | [oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) | [Dex](https://dexidp.io/) | [Ory](https://www.ory.sh/) | [Zitadel](https://zitadel.com/) | [Casdoor](https://casdoor.org/) | | ||
| |--------------------------|--------------------------------------------------------|---------------------------------------|--------------------------------------|---------------------------------------|-----------------------------------------------|--------------------------------------------------------------|---------------------------|----------------------------|---------------------------------|---------------------------------| | ||
| | Simple | ✅ | ✅ | ❌ | ❌ | ❓ | ❓ | ❓ | ✅ | ❓ | ❓ | |
| | Simple | ✅ | ✅ | ❌ | ❌ | ❓ | ❓ | ❓ | ✅ | ❓ | ❓ | | |
| | Simple to self-host | ✅ | ✅ | ❌ | ❌ | ❓ | ❓ | ❓ | ❌ | ❓ | ❓ | |
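Review bot: In the suggested row, renaming the label from "Simple" to "Simple to self-host" changes the criterion for every project in the row, but only the Ory cell (✅ to ❌) is re-evaluated; the remaining cells are carried over unchanged. Either confirm that the existing ✅/❌/❓ values for the other projects were already judged on self-hosting, or state in the readme what this row measures so the relabel does not silently change their meaning.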
|
Added a suggestion according to your feedback - thanks! |
|
Thanks @aeneasr! This will save me a lot of time filling out the table for Ory. Also I must say that Ory is some of the best looking OIDC software out there, even if it's not what I'm looking for. I agree with @jedahan here that the table is specifically for self hosting open source projects. I think that's pretty clear from the rest of the readme. I'm aware of dynamic client registration. The spec talks about an optional initial access token. Does Ory require such a token for registrations or can clients dynamically register completely anonymously? And if they can register without an initial token, what advantage does this approach have over anonymous authentication as implemented by obligator? |
Thank you - I appreciate it! :)
Fair point - maybe it makes sense to have "Simple to deploy" as the name for the column?
An initial token is not required, and the feature is optional. Honestly, there are no real differences or advantages between either approach other than that OIDC Dynamic Client Registration is a public spec. However, the approach obligator takes I think is totally fine for the sake of simplicity / ease of use. |
|
Also, are you aware of any popular client apps that implement dynamic client registration? One big advantage of anonymous auth is that it works with existing clients. |
Excellent, I'll merge this and add a new row for dynamic client registration. Thanks again! |
|
It's not required for registration; the token is, however, needed to perform updates to the client. You can also do it completely without tokens using the Admin API: https://www.ory.sh/docs/reference/api#tag/oAuth2/operation/createOAuth2Client |
|
FYI, after playing with it for several weeks now - the self-hosted open-source Ory stack does not have an "Admin UI". |
First of all, congratulations on publishing a successful open source project :) It looks like you are solving a real pain in your realm and it's awesome to see it being published in the open!
With this PR I want to clarify a few things in the comparison which I believe are unfair to Ory. I will try to add explanations for every point. I think the comparison to Ory Hydra directly is unfair, because Ory Hydra is an Authorization Server, not an identity provider. This project here however is an identity provider and (as far as I understand) reverse proxy. Ory has these capabilities as well, and they are the projects Ory Kratos, Ory Oathkeeper, and in parts Ory Hydra. That's why I changed the description to "Ory".
I hope this helps in understanding the reason for the PR. I wish you all the best with your project and if you have any questions related to auth feel free to drop me a Slack message in our Slack :)