I went back and forth deciding if I should use a service like auth0 / Clerk / Stack Auth for my Flask based app. Ultimately I decided on doing it myself. Storing users and organizations in the SQLite db and using a Flask package like Flask-Login. I didn’t want to have to migrate to an ORM (SQLAlchemy) and needed a few basic constraints:
- Users can optionally be assigned to an organization but not required.
- Email address is globally unique.
- A user can only be associated to a single organization.
- 2FA support.
- Single-Sign-On support with Google, Facebook, and GitHub.
I have a feeling not using a framework or auth service is going to bite me in the butt down the line, but it just felt easier to roll my own implementation to start.
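An added example (not the commenter's code) of what those constraints look like when enforced in the database rather than in application logic: a nullable foreign key gives "optional, at most one organization", a case-insensitive UNIQUE index gives "globally unique email", and a TOTP routine covers the second factor. Table and column names, the scrypt cost parameters and the demo data are assumptions; everything uses only the Python standard library.

```python
# Added example, not the commenter's code: a minimal SQLite schema plus login helpers
# for a hand-rolled Flask auth layer that enforces the constraints listed above.
# Table/column names, the scrypt parameters and the demo data are all assumptions.
import hashlib
import hmac
import secrets
import sqlite3
from typing import Optional

SCHEMA = """
CREATE TABLE organizations (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE
);
CREATE TABLE users (
    id          INTEGER PRIMARY KEY,
    -- globally unique, case-insensitive so Alice@ and alice@ cannot both register
    email       TEXT NOT NULL COLLATE NOCASE UNIQUE,
    -- one nullable FK = at most one organization, and membership is optional
    org_id      INTEGER REFERENCES organizations(id) ON DELETE SET NULL,
    pw_salt     BLOB NOT NULL,
    pw_hash     BLOB NOT NULL,
    totp_secret BLOB                       -- NULL until the user enrols in 2FA
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # off by default in SQLite
    conn.executescript(SCHEMA)
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    # scrypt from the standard library; cost parameters are an assumption
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def create_user(conn, email: str, password: str, org_id: Optional[int] = None) -> int:
    salt = secrets.token_bytes(16)
    cur = conn.execute(
        "INSERT INTO users (email, org_id, pw_salt, pw_hash) VALUES (?, ?, ?, ?)",
        (email, org_id, salt, hash_password(password, salt)),
    )
    conn.commit()
    return cur.lastrowid


def verify_password(conn, email: str, password: str) -> Optional[int]:
    row = conn.execute(
        "SELECT id, pw_salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        hash_password(password, bytes(16))  # equalise timing for unknown emails
        return None
    uid, salt, stored = row
    return uid if hmac.compare_digest(hash_password(password, salt), stored) else None


def totp_code(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the second factor for the 2FA requirement."""
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def demo() -> dict:
    conn = open_db()
    org = conn.execute("INSERT INTO organizations (name) VALUES ('acme')").lastrowid
    alice = create_user(conn, "alice@example.com", "correct horse", org_id=org)
    bob = create_user(conn, "bob@example.com", "battery staple")  # no organization
    out = {
        "alice_login": verify_password(conn, "alice@example.com", "correct horse") == alice,
        "wrong_password": verify_password(conn, "alice@example.com", "nope") is None,
        "bob_without_org": conn.execute(
            "SELECT org_id FROM users WHERE id = ?", (bob,)).fetchone()[0] is None,
    }
    # constructed failure cases: same address in a different case, and an org that
    # does not exist; both must be refused by the database itself
    for label, email, org_id in [("dup_email", "ALICE@example.com", None),
                                 ("unknown_org", "carol@example.com", 999)]:
        try:
            create_user(conn, email, "x", org_id=org_id)
            out[label] = "accepted"
        except sqlite3.IntegrityError:
            out[label] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

The point of `COLLATE NOCASE` and the FK is that the uniqueness and single-organization rules hold even for code paths (admin scripts, a later import job) that never go through the Flask handlers; the TOTP values can be checked against the RFC 6238 test vectors.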
Great demo videos -- looks like lots of strong design decisions! Will definitely try this in a future project.
... actually, given you already have a Golang SDK, I may try this very soon!
This is very timely for us. We are close to pulling the trigger on KeyCloak.
We also looked at Auth0 and Fusionauth - KeyCloak won.
We did not check Tesseral - could you help me understand why I would choose Tesseral over the other 3?
So you're competing with Auth0, Clerk and others. You really need some differentiator. For me that would be:
- Service-to-service authentication.
- User impersonation in S2S calls ("I'm a service SERVICE1 making a call on behalf of USER_JOE"), including for offline flows.
- A way to view and manage the offline grants for S2S impersonation.
- All of the above must be resilient.
I don't think any authentication solution actually tackles this.
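As an added illustration (not part of the original comment, and not Tesseral's design) of the "SERVICE1 acting on behalf of USER_JOE" requirement: a service token that carries an on-behalf-of claim in the style of the `act` claim from RFC 8693, validated against a store of offline grants that the user can list and revoke. The signing key, claim layout, service names and grant ids are all constructed for the demo.

```python
# Added example, not part of the original post: service-to-service tokens with an
# on-behalf-of ("act") claim, checked against a revocable store of offline grants.
# Key, claim names, service/user identifiers and scopes are constructed assumptions.
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: HMAC key shared by services
NOW = 1_700_000_000  # fixed clock so the demo is deterministic


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Compact body.signature token; claims are canonicalised before signing."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


class GrantStore:
    """Offline grants: which service may act for which user, with what scopes."""

    def __init__(self) -> None:
        self._grants: dict = {}

    def create(self, grant_id: str, user: str, actor: str, scopes) -> None:
        self._grants[grant_id] = {"user": user, "actor": actor,
                                  "scopes": set(scopes), "revoked": False}

    def revoke(self, grant_id: str) -> None:
        self._grants[grant_id]["revoked"] = True

    def list_active(self, user: str) -> list:
        """What the user would see on a 'manage connected services' page."""
        return sorted(g for g, v in self._grants.items()
                      if v["user"] == user and not v["revoked"])

    def get(self, grant_id: str) -> Optional[dict]:
        return self._grants.get(grant_id)


def verify(token: str, store: GrantStore, scope: str,
           key: bytes = SIGNING_KEY, now: float = NOW) -> Tuple[bool, str]:
    """Resource-side check. Returns (accepted, reason)."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= now:
        return False, "expired"
    actor = claims.get("act", {}).get("sub")
    if actor is None:
        # plain service identity: the subject is the calling service itself
        return claims.get("sub") == claims.get("iss"), "service call"
    # delegated call: the grant must exist, be live, and name both parties
    grant = store.get(claims.get("grant", ""))
    if grant is None or grant["revoked"]:
        return False, "grant missing or revoked"
    if grant["user"] != claims.get("sub") or grant["actor"] != actor:
        return False, "grant does not match token parties"
    if scope not in grant["scopes"]:
        return False, "scope not granted"
    return True, f"{actor} acting for {claims['sub']}"


def demo() -> dict:
    store = GrantStore()
    store.create("g-1", user="USER_JOE", actor="SERVICE1", scopes={"reports:read"})
    claims = {"iss": "SERVICE1", "sub": "USER_JOE", "act": {"sub": "SERVICE1"},
              "grant": "g-1", "exp": NOW + 300}
    delegated = mint(claims)
    plain = mint({"iss": "SERVICE1", "sub": "SERVICE1", "exp": NOW + 300})
    forged = mint(claims, key=b"some-other-key")  # same claims, wrong key
    out = {
        "delegated_ok": verify(delegated, store, "reports:read")[0],
        "wrong_scope": verify(delegated, store, "reports:write")[0],
        "plain_service_ok": verify(plain, store, "reports:read")[0],
        "forged": verify(forged, store, "reports:read")[0],
        "joe_sees": store.list_active("USER_JOE"),
    }
    store.revoke("g-1")
    out["after_revoke"] = verify(delegated, store, "reports:read")
    return out
```

The design choice worth noting is that the token alone is never sufficient for a delegated call: the resource service re-reads the grant, so revoking it takes effect immediately instead of at token expiry, which is what makes the "view and manage offline grants" requirement enforceable rather than cosmetic.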
When Ory came out I was excited because they have a solid product that is made in Go, however their lack of multi-tenancy that didn't require setting up servers for each tenant made them a non-starter.
I just had to implement 2FA on our homegrown auth, and I can't wait to replace it with Tesseral
How does it compare to Keycloak?
Congrats on the launch Ulysse - impressive what you have been able to spin up with limited resources! Greetings from Ory :)
It's a nice project but I don't think any venture needs a separate service for user accounts right off the bat. And I level that same criticism at Clerk, Auth0, Cognito which are all stand-ins for a lack of BE engineering.
Rails + Devise + OmniAuth + Doorkeeper has kept me going for yeeeeeaaaaaarrrrrrs.
Congrats guys—looking good!
For the managed service, how do you think about the N+1 request/query issue and latency with things like org membership checks and authz checks? This always pushes me to want this stuff in my db or at least on my side of the network line. Seems that tesseral is self-hostable which is awesome and could be a solution, but I’d probably rather just use the managed service if it wasn’t for this issue.
Congrats on the launch! (From a FusionAuth employee!)
Also, I interviewed Ned, the CEO of Tesseral, on my newsletter. You can read his thoughts about the future of CIAM here: https://ciamweekly.substack.com/p/an-interview-with-ned-olea...
Seems python support is there. Would appreciate a Django walkthrough as well. Clerk, Betterauth and others mostly skip Django for some reason.
What's so different about auth for B2B?
How does it compare to the other recent YC company Stack Auth?
Does this compete with IDMs with Sailpoint?
Have you had a pen test yet?
keycloak, better-auth, supertokens and now this, i would love to know how it compares to the rest
In the Django world I just ran into this project with similar goals:
Looks nice, we've been using https://zitadel.com/ and the journey to multi-tenancy was fairly straightforward.
This looks neat, unfortunately the dependency on AWS is a show stopper for many European companies these days.
I rolled my own auth [0] and it works just fine. Why do I need another service for Auth, it's simple enough already. I guess B2B products need more auth features so it's worth using a library?
[0] https://github.com/wakatime/crackboard.dev/blob/main/package...
From the docs:
Users exclusively belong to Organizations; every User belongs to exactly one Organization.
But I also see a screenshot where, after login, the User has to choose an organization or to create a new one. It seems to me that you support Users and Organizations in a many-to-many relationship, is that correct?
At my work, we landed on the terminology of Users, Memberships, and Accounts to describe this (a User can have Memberships to multiple Accounts, an Account can have multiple Members, etc). As a result, you don't "delete a user", you "revoke a membership".
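An added example (not the commenter's code, and not Tesseral's schema) of the Users / Memberships / Accounts model described above, in SQLite: a user may hold memberships in many accounts, an account has many members, and offboarding revokes a membership row while the user record and the audit trail stay intact. Names, roles and demo data are assumptions.

```python
# Added example, not the commenter's code: users / memberships / accounts in SQLite,
# where access is a revocable membership row rather than a property of the user.
# Table names, roles and the demo data are assumptions.
import sqlite3
from typing import List

SCHEMA = """
CREATE TABLE users    (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE);
CREATE TABLE accounts (id INTEGER PRIMARY KEY, name  TEXT NOT NULL UNIQUE);
CREATE TABLE memberships (
    user_id    INTEGER NOT NULL REFERENCES users(id),
    account_id INTEGER NOT NULL REFERENCES accounts(id),
    role       TEXT NOT NULL CHECK (role IN ('owner', 'member')),
    revoked_at TEXT,                       -- NULL while the membership is active
    PRIMARY KEY (user_id, account_id)      -- one membership per user per account
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def add_membership(conn, user_id: int, account_id: int, role: str = "member") -> None:
    conn.execute("INSERT INTO memberships (user_id, account_id, role) VALUES (?, ?, ?)",
                 (user_id, account_id, role))


def revoke_membership(conn, user_id: int, account_id: int) -> None:
    # keep the row for audit purposes but mark it revoked; the user is untouched
    conn.execute("UPDATE memberships SET revoked_at = datetime('now') "
                 "WHERE user_id = ? AND account_id = ? AND revoked_at IS NULL",
                 (user_id, account_id))


def accounts_for_user(conn, user_id: int) -> List[str]:
    """The account picker shown after login: active memberships only."""
    rows = conn.execute(
        "SELECT a.name FROM memberships m JOIN accounts a ON a.id = m.account_id "
        "WHERE m.user_id = ? AND m.revoked_at IS NULL ORDER BY a.name", (user_id,))
    return [r[0] for r in rows]


def has_role(conn, user_id: int, account_id: int, role: str) -> bool:
    """Authorisation check for request handlers: an active membership with the role."""
    row = conn.execute(
        "SELECT 1 FROM memberships WHERE user_id = ? AND account_id = ? "
        "AND role = ? AND revoked_at IS NULL", (user_id, account_id, role)).fetchone()
    return row is not None


def demo() -> dict:
    conn = open_db()
    joe = conn.execute("INSERT INTO users (email) VALUES ('joe@example.com')").lastrowid
    acme = conn.execute("INSERT INTO accounts (name) VALUES ('acme')").lastrowid
    globex = conn.execute("INSERT INTO accounts (name) VALUES ('globex')").lastrowid
    add_membership(conn, joe, acme, "owner")
    add_membership(conn, joe, globex)  # same user, second account
    before = accounts_for_user(conn, joe)
    revoke_membership(conn, joe, acme)  # "revoke a membership", not "delete a user"
    return {
        "before": before,
        "after": accounts_for_user(conn, joe),
        "owner_of_acme_after": has_role(conn, joe, acme, "owner"),
        "user_still_exists": conn.execute(
            "SELECT COUNT(*) FROM users WHERE id = ?", (joe,)).fetchone()[0] == 1,
        "membership_rows_kept": conn.execute(
            "SELECT COUNT(*) FROM memberships WHERE user_id = ?", (joe,)).fetchone()[0],
    }
```

Every authorisation query filters on `revoked_at IS NULL`, so a revoked membership stops granting access the moment the row is updated, while the row itself remains for auditing who had access to what and when it was removed.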