
How does this differentiate from other open source identity solutions like KeyCloak or Ory? I wish there was more collaboration in this space, especially since we're talking security and these projects need pen testing, bug bounties, and more infrastructure to be considered "production grade".


There is a comparison chart available: https://supertokens.com/pricing#comparison-chart


Quite a confusing comparison, especially against Keycloak. From what I can tell the open source part doesn't seem to do anything Keycloak doesn't do, but many of Keycloak's features aren't on the list.

The chart also assumes you're using the hosted solution (as 2FA isn't even available on the open source version according to that same page). If that's the case, it should compare against any hosted Keycloak provider, because SLA and management are readily available. I suppose the table could also compare the open source versions, but that wouldn't be very advantageous to SuperTokens with major features still marked "coming soon".

I'm not sure why Keycloak wouldn't offer "UI and backend customisability". The theme guide shows quite a lot of customisation (https://www.keycloak.org/docs/latest/server_development/#the...) to the point where you can restructure the HTML itself.

One thing Keycloak lacks is an easy to use API, using complex OpenID/OAuth/etc. APIs and two language specific libraries instead. That seems like a much more sensible option to distinguish between these products. As someone currently using Keycloak (and not experiencing any problems with it after setup) this comparison just isn't very convincing.


If you ignore the subjective lines two and three of the comparison table, keycloak looks objectively better. And it has an Apache 2.0 license for the whole product.

Honestly, thanks for putting keycloak on my radar.

I see the supertokens team in this thread doing nothing to make me think that they intend to stop misleading people.


I'm happy with the way I've got Keycloak set up (especially ability to simply throw Apache's OpenID Connect in front of arbitrary paths) but I do recommend also looking into alternatives. Keycloak is great for enterprise SSO setups where you need to authenticate to ten different services on ten different domains, but there are much simpler options out there if all you need is auth for a single website!

I imagine the biggest reason to go for Supertokens is the first-party SaaS support. If you want to outsource auth (like Auth0/Firebase Auth/etc. do) then I think there's something to be said for this project. The open source-ness doesn't add too much value in that use case, though.


Supertokens also allows you to implement enterprise SSO through their integration to SAML Jackson (by BoxyHQ).

https://boxyhq.com/guides/jackson/integrations/supertokens


And when you include Keycloakify[1] the UI customisability is a breeze. This comparison really isn't giving the full picture and capability of Keycloak.

[1] https://www.keycloakify.dev/


Right. Makes sense. I think what we had originally intended to communicate is the ease of customisability, in which case, we feel that Keycloak's UI customisation is more difficult to do.


Wow, this is pretty cool, thanks for linking this!


Putting user satisfaction in the chart and not backing it with sources (I know at least a handful of companies who are very satisfied with e.g. KeyCloak) does not instill lots of confidence in the product differentiation. And what does customizability mean? KeyCloak has a rich Plugin system.

Other than that it seems to be quite equal, if you discount the more difficult things in Auth like providing standardized APIs, OAuth2 APIs and SCIM.


Yes, it's a very subjective point.

We've mentioned the source (if you hover) and it is based on our internal user research and conversations with users of these products. By no means is it perfect and there are many many satisfied customers of each of the other products.

Your point is taken though and maybe we will edit that point out or try to add further nuance.

I do believe however that, broadly speaking, reviews of keycloak lean towards it being relatively harder to use and maintain than Firebase. Arguably the reviews of Cognito are more mixed than "Low".


It's tricky to make these marketing charts objective. It would be good to have a real comparison somewhere.


To add on to the comment about Keycloak, the comparison to AWS Cognito has a couple issues as well.

- The comparison suggests Cognito is more expensive. Cognito pricing starts at 50,000 MAUs for free. That's 10x the size of the SuperTokens free tier. It then tiers from $0.0055 down to $0.0025. That's 1/3 to almost 1/10 of the SuperTokens hosted open source option. MAUs who use SAML or OIDC are another $0.015. That's still equal to or less than the SuperTokens hosted open source version where SAML isn't even available.

- Multi-tenancy is a complex topic. But a common pattern using Cognito is to create a User Pool per tenant which provides a lot of flexibility depending on the number of tenants you anticipate.


There is no comparison to Ory there AFAICT.


Saying that GDPR is not needed because Keycloak is self-hosted is just outright wrong, which makes me wonder if the creators understand GDPR and how valid their claims to support GDPR are.


Congrats on the launch, building a product in this space is incredibly difficult. I took a look at the stack, here are a few observations:

- "ISO certified secure auth": What does that mean? I could not find proof of your ISO certification. Can you please share?

- 10k M2M tokens for $250/month sounds like a really bad deal if I can just spin up https://github.com/ory/hydra that can easily handle 10k requests per second.

- Looks like you're using OAuth2 as the primary "login" and "session management". What compelled you to do this?

- It looks like you're using some open source technology under the hood for the OAuth2 flows - which one are you using (out of curiosity)?

And finally, what sets you apart? It looks like the same solution for the known problem that big players (such as Okta and Auth0 - publicly traded) have already mastered. Ory (github.com/ory) for example has its global network approach where you no longer need datacenter locations and is Open Source. Clerk is targeting React devs. What's your niche? Doing everything from auth to billing is, in my experience, way too much for a small team with little resources. Just getting Auth right is a mammoth task.


Thanks so much for the detailed feedback and great questions!

You can find details of our ISO and other certifications on our compliance page: https://kinde.com/docs/important-information/compliance-cert... we're also happy to provide a copy of the certificate if you reach out to support@kinde.com.

In terms of pricing, 10k M2M tokens are included on our $25/month plan (as well as many other features) so no need to spend $250 :) We feel this is a fair value exchange for everything being offered on the plan. Of course, there is always the roll-your-own option and great open source solutions like Hydra and that's awesome too for people that are confident going down that path - but it's not for everyone.

The great thing we have found about going the OAuth2 route is that you are free to use Kinde with any library that supports OAuth2. We also have SAML available as an auth option.

There is no denying there are a number of great players in the auth space but this is really only the start for us. We’re an experienced team aiming to help create a world with more founders by bringing together the fundamentals of product development. The fact that we’re small means we’re able to move quickly. We’ve just shipped v1 of feature flags and have more exciting offerings to come!


> 10k M2M tokens for $250/month sounds like a really bad deal if I can just spin up https://github.com/ory/hydra that can easily handle 10k requests per second.

Spinning one up is easy, sure. Making sure it's production ready, is not so much.

