
Disclaimer: I am the co-founder of Cerbos[0]

Auth is actually a combination of two things: authentication and authorization.

Whatever you do, please do not build either by yourself. It always starts simple and it is guaranteed to get more complex than anyone is willing to maintain (unless you have a dedicated security engineering team)

There are many providers for each. Authentication is about the user's identity and where they belong in the organization (directory), and authorization is about what they are allowed to do based on their identity, role, and attributes.

Cerbos[0] is an open-source authorization solution which integrates with many identity providers to enable your product to implement fine grained permissions. We have integrated with the most popular authentication providers and they can be found on our ecosystem page[1]

Cerbos also has an out-of-the-box integration with Prisma[2] which enables you to fetch only those records that the user has permissions to from your data store - one of the most tricky parts of implementing authorization.

Whatever solution you end up going with, please save yourself some time and do not re-invent the wheel!

[0]: https://cerbos.dev
[1]: https://cerbos.dev/ecosystem
[2]: https://cerbos.dev/blog/fully-featured-authorization-for-you...
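The authentication/authorization split and the "fetch only the records the user has permissions to" problem described above, as an added example (Python; not Cerbos's own code or policy format): a deny-by-default check over roles and attributes, and the same rules reused to filter a record list. The policy table, resource kind, actions and sample data are all constructed for this illustration.

```python
from dataclasses import dataclass, field
@dataclass
class Principal:            # who the identity provider says the caller is
    id: str
    roles: set
    attrs: dict = field(default_factory=dict)
@dataclass
class Resource:             # what the caller wants to act on
    kind: str
    id: str
    attrs: dict = field(default_factory=dict)
def same_department(p, r):
    return r.attrs.get("department") == p.attrs.get("department")

# Hypothetical policy table (constructed for this example, not Cerbos's YAML):
# per resource kind and action, rules of (roles, condition). A rule matches
# when the principal holds one of the roles AND the condition holds.
POLICY = {
    "expense": {
        "view": [
            ({"admin"}, lambda p, r: True),
            ({"member"}, lambda p, r: r.attrs.get("owner") == p.id),
            ({"manager"}, same_department),
        ],
        "approve": [  # managers approve their department's expenses, not their own
            ({"manager"}, lambda p, r: same_department(p, r) and r.attrs.get("owner") != p.id),
        ],
    },
}

def is_allowed(principal, action, resource):
    """Authorization decision: deny by default, allow if any rule matches."""
    rules = POLICY.get(resource.kind, {}).get(action, [])
    return any(principal.roles & roles and cond(principal, resource)
               for roles, cond in rules)

def permitted_ids(principal, action, resources):
    """Only the records this principal may act on (post-filtering). A query-plan
    approach would compile the matching rules into a WHERE clause instead."""
    return [r.id for r in resources if is_allowed(principal, action, r)]

EXPENSES = [  # constructed sample records
    Resource("expense", "e1", {"owner": "alice", "department": "eng"}),
    Resource("expense", "e2", {"owner": "dave", "department": "eng"}),
    Resource("expense", "e3", {"owner": "carol", "department": "sales"}),
]
ALICE = Principal("alice", {"member"}, {"department": "eng"})
DAVE = Principal("dave", {"manager"}, {"department": "eng"})
ROOT = Principal("root", {"admin"})
```

Note that the admin gets every `view` but no `approve`: an action with no matching rule is denied rather than inherited, which is the property that keeps the policy table auditable as it grows.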



Just went to the cerbos.dev site-- there is a cookie banner that says you serve targeted ads, and asks me to "accept all". No option to reject tracking/ad cookies.

At this point, why even have the banner? Real As*hole design


Sorry about that and thank you for bringing it to our attention. As you might imagine we spend a lot of time on that site and did not notice the option to reject is not available. We will action this very soon.


Sounds like you should be using a service for it.


Auth is actually a combination of two things: authentication and authorization. Whatever you do, please do not build either by yourself.

It's blanket statements like this that really make me rant on this subject. Let's mystify auth and tell devs to stay away from it! By the way, pay me to do it for you...

I mean by your own blanket advice, you should have never made the start-up that you did. There are no absolutes (well, only for Siths). Just tell people the pros and cons and what features you have. I work on apps in production, running for almost a decade, which we rolled our own auth on, and that have been maintained with a very basic level of tech-debt. I stand beside that work and guarantee it to our stakeholders. What I cannot guarantee is X-company for the next ten years and if we will be able to migrate our data off their platform if they don't get funding.

Auth is not that hard. Policies are not that hard. Unix solved permissions 40+ years ago. I would argue that if you are a small business use-case, you will probably never have to worry about these issues. If you are enterprise, you will have money to spend on it and be able to hire the talent and expertise. If you are somewhere in-between, then sure, go for some easy-use provider that gives you a form you can iframe or React component into your app or whatever. There is a market and use-case for cloud based services for user management, auth, policies, etc... I'd personally go with AWS Cognito in this case, which I think is even a good cloud-native approach for enterprise. But please stop telling every dev to never build auth or policies by themselves just because you just recently did it and are now trying to monetize it.


You are overlooking a very simple fact in your comment. Cerbos is open source and has an Apache 2 license. Therefore most of your points are irrelevant:

  * No one needs to pay
  * No need for a company to be around for the next 100 years.


What I am not overlooking is that they as a company and in this comment have an implicit bias against devs rolling their own auth since their business model is based on them not doing that. The most critical point that I raise that is not irrelevant is they are prone to making blanket statements and falling into absolutes with "Never ever do this..." and "This is way too hard for you..." even though there are a wide array of diverse scenarios and use cases in web dev. And even if it is open source, a lot of enterprises won't touch it if there's not a support plan, or at least a lot of companies would not be willing to fork and maintain a large open source lib they had little dev involvement with. So their death as a company would essentially equal EOL for a good number of clients regardless.


This is very cool. I'm familiar with CASL for authz which also has a Prisma integration; is the main benefit of Cerbos over that the built-in logging?


Built-in logging is definitely one of the main benefits. However, the following are also other major benefits of using a service like Cerbos:

  * By running as a standalone service, any part of your application stack (in any language) can make consistent authorization checks
  * Support for most major programming languages via SDKs
  * Infinite scalability via serverless functions or sidecar deployment model
  * GitOps enabled policy development and deployment via a full testing suite for CI/CD pipelines
  * Full audit trails of every decision made and how they were derived
  * Simple human readable YAML policies
  * Ability to have different policies for different environments and ability to have canary deployments

You can find more about all of the benefits and features on our product page[0]

[0]: https://cerbos.dev/product-features


How does this compare to Keycloak?


Keycloak handles both authentication and authorization and they are tightly coupled. Cerbos solely focuses on authorization and is capable of integrating with any authentication method that is already existing in your application.



