(My) Identity Crisis: Ory Stack vs Others

Hello! I’ve been trying to find some explanation and guidance for my current task. I understand OAuth2’s flow and objective, as well as the OpenID (Connect) layer on top of it. I’m struggling to make sense of the different terminologies regarding Identity (Provider vs Management) and others.

Scenario: the company provides a service for a business; that business has several employees with different ranks, and each can use different systems/software/services from the company. The idea is to have a Single-Sign-On system (and also a single identity?), so it’s easy to purge access if necessary. From this description it appears that I need a Customer Identity & Access Management system, right?

I came across multiple options, including Ory, Keycloak, IdentityServer, FusionAuth, Gluu, Vault (from HashiCorp), Authelia and Dex. The problem is that they use different terminology, and I’m not sure exactly what I need.

Maybe I need Federated Identity Management, and each service from the company uses it? Can it be done with one of the tools I mentioned? Or can you recommend another (OSS, self-hosted)?

  • Ory doesn’t come with an identity management server (or Identity Provider, what’s the difference?) but it appears to function without it? What am I missing? What can I use to fill the void?
  • Gluu looks very complete, but I don’t see many people talking about it? What’s the deal?
  • Vault is something that looks very powerful; they appear to have identity, but I don’t think they do what I need from them? A little bit hackish?
  • Keycloak looks hard to set up and customize, but might do the job? Some people recommended Ory instead of Keycloak, so I assumed they were equivalent, but I’ve seen people saying they are using both?

Have you ever gone through something similar? I appreciate any bit of knowledge that I can get!

2 Likes

Since this discussion has no answer I’d like to step in and back up the OP request for clearer information on the terminology used and a comparison with other projects.

I know that ORY is currently focusing on the development of the product, but new companies and projects that would like to implement the stack might not be experts in this field, and a lack of documentation might drive them away.

It would be extremely beneficial to have a simple table explaining the different terms with a description and synonym used by other products - this would make things a lot easier for everyone.

It would be also helpful to have a comparison table where ORY is compared to other stacks such as the ones mentioned by @tloriato in this post. How are they different? What are the benefits of using ORY? Which ones can be integrated with ORY? Which ones are focusing on different features?

I strongly believe that the entry barrier for the ORY stack should be lowered, and I fully agree that the lack of documentation on such a complex topic is one of the main points beginners struggle with.

2 Likes

Thanks Christian, I still think we all could use a little more clarity

Hey - sorry that I missed this. This is a good question, I will try to follow up with an answer.

1 Like

Hey, just a follow up with this topic! Sorry to keep bothering you! Cheers!

Sorry for taking so much time, but this is obviously a long answer and a difficult topic :)

  • Identity Provider (IdP): An identity provider is a system entity that creates, maintains, and manages identity information for principals while providing authentication services to relying applications within a federation or distributed network. A server capable of OpenID Connect is (part of) the Identity Provider. You may say: “I am using Google OpenID Connect as an Identity Provider”.
  • Identity (and Access) Management: A framework of policies and technologies for ensuring that the proper people in an enterprise have the appropriate access to technology resources.
  • Customer Identity and Access Management (CIAM): A Google product to differentiate from Google’s Cloud IAM system and their “Auth0”-style product.

If you have an identity in your system, you probably need certain tools of an Identity and Access Management framework, so for example a service that stores user data and allows users to log in.

None of the mentioned products really do what you want, because they always involve a lot of complexity in adoption. Keycloak and FusionAuth (not open source!!), for example, have user management (a page where users sign in, sign up, update their profile, …), but you need to adopt OAuth2 and/or OpenID Connect in your applications, and that is really annoying and difficult.

We didn’t, but we’re close to releasing ORY Kratos to fill the void.

Gluu is very enterprise/legacy. Last time I checked they didn’t even support Docker. They have things like LDAP and other very enterprisy things that you don’t need as a small team or even as a modern software enterprise.

Vault is not what you’re looking for. It has nothing to do with users. Instead, you store secrets (e.g. some API keys for Google Maps, Google Cloud, AWS credentials, …) and use other credentials to access them, so that you don’t have all of these secrets flying around everywhere. But they explain it better than I do on their website: https://www.vaultproject.io/use-cases/secrets-management/

I’ve personally not used Keycloak apart from a few tests. I know people that are using Keycloak and some have serious issues and for others it works. Keycloak was written as RedHat’s internal “IAM” toolchain and is therefore tailored for their use case. It’s really a full-stack JVM solution and has a lot of things like “HTML Rendering Engine”, “Java Plugin APIs” and so on. We’re simply taking a different approach to this - in terms of underlying technology (Go) and architecture (“cloud native”).

A big difference from Keycloak is the active community and support you get at Ory. We’re also in the process of setting up a commercial cloud service with the technology we build, and it will be accessible to small and large companies, whereas RedHat / IBM definitely focuses on enterprise sales only.

Hope this helps!

2 Likes
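The answer above says the hard part of Keycloak-style products is that "you need to adopt OAuth2 and/or OpenID Connect in your applications". The following is an added example of what that adoption looks like on the relying-party side, written for this page and not taken from Ory, Keycloak or any other project mentioned in the thread: it verifies an OpenID Connect ID token the way OIDC Core 3.1.3.7 requires (signature under the IdP's published key, pinned algorithm, issuer, audience, expiry, nonce), which is the work every application behind the SSO system has to do before it may trust a login. Assumptions, all constructed for the example: ES256-signed tokens, a Go map keyed by `kid` standing in for the IdP's JWKS document, a key generated in the block instead of fetched from a real IdP, and the issuer `https://idp.example.com/`, client_id `billing-app` and nonce value shown in `DemoResults`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// IDTokenClaims: the OIDC ID token claims a relying party checks ("aud" is assumed to be a single string; the array form the spec allows is rejected).
type IDTokenClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce,omitempty"`
}

// SignIDToken mints an ES256 JWS. Only the IdP does this in practice; it is here so the example runs offline.
func SignIDToken(priv *ecdsa.PrivateKey, kid string, c IDTokenClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is raw R||S, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyIDToken performs the relying-party checks of OIDC Core 3.1.3.7: pinned algorithm, signature under
// the IdP key named by kid (keys stands in for the JWKS), exact issuer, our client_id as audience, expiry, nonce.
func VerifyIDToken(keys map[string]*ecdsa.PublicKey, token, issuer, clientID, nonce string, now time.Time) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("bad JWS header")
	}
	pub, ok := keys[hdr.Kid] // the token never chooses alg or key: "alg":"none" and HMAC-with-public-key are the classic confusion attacks
	if hdr.Alg != "ES256" || !ok {
		return nil, fmt.Errorf("rejected alg %q / kid %q", hdr.Alg, hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	var c IDTokenClaims // claims are trusted only once the signature holds
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad claims")
	}
	switch {
	case c.Iss != issuer || c.Aud != clientID:
		return nil, fmt.Errorf("token from %q for %q is not for us", c.Iss, c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	case nonce != "" && c.Nonce != nonce:
		return nil, errors.New("nonce mismatch (possible replay)")
	}
	return &c, nil
}

// DemoResults (constructed key, issuer, client_id and nonce): a valid token; the same token with its
// payload swapped to sub "admin" but the original signature kept; and the valid token after expiry.
func DemoResults() (validOK, tamperedRejected, expiredRejected bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	keys := map[string]*ecdsa.PublicKey{"2020-key": &priv.PublicKey}
	const iss, aud, nonce = "https://idp.example.com/", "billing-app", "n-0S6_WzA2Mj"
	now := time.Unix(1_700_000_000, 0)
	c := IDTokenClaims{Iss: iss, Sub: "user-42", Aud: aud, Exp: now.Add(time.Hour).Unix(), Nonce: nonce}
	tok, err := SignIDToken(priv, "2020-key", c)
	_, e1 := VerifyIDToken(keys, tok, iss, aud, nonce, now)
	fb, _ := json.Marshal(IDTokenClaims{Iss: iss, Sub: "admin", Aud: aud, Exp: c.Exp, Nonce: nonce})
	p := strings.Split(tok, ".")
	_, e2 := VerifyIDToken(keys, p[0]+"."+base64.RawURLEncoding.EncodeToString(fb)+"."+p[2], iss, aud, nonce, now)
	_, e3 := VerifyIDToken(keys, tok, iss, aud, nonce, now.Add(2*time.Hour))
	return e1 == nil, e2 != nil, e3 != nil, err
}

func main() {
	fmt.Println(DemoResults())
}
```

The order of the checks is deliberate: the algorithm is pinned from the relying party's configuration rather than read from the token, the signature is verified over the raw header and payload segments before the claims are even parsed, and only then are issuer, audience, expiry and nonce compared. In a real deployment the `keys` map is populated from the IdP's JWKS endpoint (with caching and key rotation), and the `nonce` is the value the application stored in the session when it redirected the user to the IdP.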

After reading this post I am now extremely hyped about ORY Kratos. ORY is doing an amazing job and as an Infrastructure Engineer I fully support their (your) choice about the stack being used to make it fully Cloud Native.

I hope to see ORY presented at some point at the KubeCon + CloudNativeCon in either 2020 or 2021.

I hope the project lives up to your expectations; it has grown out of the same frustrating experience :)

We might be at KubeCon EU and will probably do some tours in 2021

1 Like

@hackerman,

Sorry to hijack this thread, but as a Keycloak user I was just today looking into your products and I must say, I am very impressed!
I am considering completely switching over.

When you talk about setting up a commercial cloud-based service, do you mean something equivalent to auth0/Okta? Because if you are, I would so be willing to pay for that. Finally, an Identity as a Service provider based in Europe :)

I was wondering, though: when I’m considering using an open source tool, I am always thinking about the long-term sustainability of the product.
You say you are talking about starting a commercial offering, and I see you are even hiring people, but I don’t see any current commercial offerings on your website, so… how do you guys actually sustain this project? :)

I know you already exist for several years, so I guess you have some way of sustaining it?

Thanks for any feedback you could give, and keep up the good work! :)

Thanks for posting and for considering ORY. We are indeed working on a commercial offering that will be a deployed service in the cloud - i.e. you will be able to consume ORY as a Service via API.

As you mention in your post, we have been at this for a number of years now. We also consider the open source projects the DNA of where we come from, and it will guide us as we go forward. It is something that we will continue to maintain.

We are presently hiring for a number of different engineering roles; we want to get people with a wide skillset who can not only help build a commercial offering but will also be able to contribute to the open source projects, as that is part of what we do at ORY.

As far as being sustainable: we are financed by a well-known top-tier VC based in London, and we will be continuing to build out the org and the business to become a world-class software company.

Thanks for your interest and your support. We look forward to speaking with you in the future when you consider using us as SaaS. Drop us an email so that we can have a conversation and understand what you are going to need.

3 Likes

@jaredpreston

Thanks for the reply, sounds good :)
Do you have an e-mail address where I could reach you? Don’t immediately see one on ory.sh?
(feel free to drop me a pm here for the email)

Thanks!

[email protected] or [email protected] :)