From what I can tell, Ory is a high quality auth stack capable of scaling up.
If you're looking for something a bit simpler to work with for indiehosting use cases, I maintain a list here:
https://github.com/lastlogin-net/obligator?tab=readme-ov-fil...
The list is really helpful for people to navigate, and here is additional context to the complexity topic :)
If you use our managed services (https://console.ory.sh), it is easy to set up and scale because we have a bunch of defaults, UIs, and the security stuff all set up already.
If you run it completely on your own, which does require some skill especially in terms of (security) incident response, it is more work because you have to figure out a few pieces yourself (the stack is agnostic to the environment).
We have an option for self hosting with all the stuff we have built for the SaaS, but it only makes sense for businesses of a certain size.
Complexity also depends on how many services you combine; some people try to use everything at once and it's overwhelming.
What’s making Ory complex for people who do it by themselves is that Ory is 3 different API-first products that work standalone or in concert. To wire this up, one requires understanding of every service. Here it is easier to spin up a cloud account, or use an alternate project which is e.g. just one Docker container.
EDIT: For the record, I'm grateful Ory is open source and wish you all the success in the world. My comments below are specifically for the indiehosting case.
For indiehosting, my threat model is "what are my options if the team behind this software takes it in a direction I don't like?"
For some projects (Redis, Terraform), the answer is that a high quality fork pops up (Valkey, OpenTofu). For others (MongoDB), there's still not a FLOSS alternative included in major package managers.
But even if a fork does appear, they are relatively likely to eventually fall prey to the same incentives that impacted the original.
I try to cut this off at the root, and prefer software I would be confident forking myself. All of the options marked "simple" on my list fall under that category.
Sometimes you can't avoid complicated software, but you often can. For an indiehosted identity server, 5,000-10,000 lines of code provides pretty much all the features I need. I don't think the extra ~100,000-900,000k lines of code of the major players is worth the risk.
> but it's still less work than setting up JVM correctly :D
I'm not sure that either of these is what I'd call "difficult".
Or I would guess parent is referring more to tuning the JVM.
That’s awesome. Bookmarking this. I’ve been surprised at how difficult it has been to find a simple auth tool for indie/homelab use cases.
Is this only for open source self-hosted solutions, or for any auth solution that can be self-hosted?
I'd like to add FusionAuth if the latter (we have a full featured free option but are not open source).
Should I just add a comment on the Google Sheet or is there a better way?
Yeah open source only, sorry.
No worries! I get it.
You should add Gluu/Janssen to your list; they are a venerable open source OIDC implementation: https://github.com/JanssenProject/jans
I'll check it out, thanks!
So what is tl;dr for simpler?
Funny, OpenAI is one site where I've noticed that the login is kinda wonky. Every so often it just randomly fails, gets stuck, gets caught in a redirect loop... That may not be Ory's fault, but unfortunately this may not be the ringing endorsement they were hoping for.
If you could share a HAR file (stripped of credentials of course) or a screenshot of your network tab when it happens, we'd love to take a look and figure out what's going on! If it's reproducible even better.
You can send it to aeneas at ory.sh. It may not be OAuth2 related, and I'd like to make sure.
Is Ory also used for auth in the ChatGPT macOS app? I regularly get login errors there.
Sure thing, I'll keep that in mind!
Someone else with the same problems!
What is going on with the continuous redirects? I think they are pushing users to either sign up and/or pay up and/or disable ublock. What kind of BS is that?
No worries - It forces me to use claude more and I’m cool with that.
Not as bad as their payment provider. So many problems... One of the worst integration I've ever seen. But who knows, maybe it was generated by their chat. That would explain a lot.
Funny thing is that it's powered by Auth0. It's funny that Ory is asking for the HAR file.
Why is it funny? It just shows their openness and dedication. Funny that you are flagging it as funny.
PS: no affiliation, heard 1st time today about them.
Maybe you guys should make it possible to add passwords to any account, including a Google authed one.
Like I get Keycloak is complicated but it is also very useful.
My gosh yes please! This is so annoying. Last time I checked it’s impossible to disconnect your email address from Google auth if you used that to sign up. And no way to delete the account and recreate with that email address.
That is definitely possible when you use our identity product, which is also open source: https://github.com/ory/kratos
There you can combine all authentication methods in any shape or form you wish!
So why isn’t it possible with OpenAI? They use Auth0, right? What exactly do they use Ory for?
Disclosure: I work for an Ory competitor.
Yeah, the case study is a little hand-wavey, but from hints on the ChatGPT login page, it seems like they still use Auth0 (at least for the free, consumer facing application that I use).
From https://www.ory.sh/case-studies/openai
"OpenAI is rapidly building its new identity experiences, having already enabled unprecedented logins per second with levels of data transparency and infrastructure flexibility that were not possible with other vendor solutions."
Maybe they are using Ory for new auth experiences?
Could also be that they use Ory "only" for OAuth 2.
Customer facing, it looks like a combination of NextAuth and Auth0 (at least on my end).
Could you clarify what OpenAI actually uses Ory for? Their main login page is powered by Auth0.
Does anyone here have experience with Ory products and Google Cloud?
Easy enough to set up CloudSQL with Postgres and run the Ory software on Cloud Run? Any weird issues/hiccups?
Disclosure: I work for a competitor of Ory.
I'll be interested to see what pops up here, but you'd probably have better luck joining their slack community and asking there: https://www.ory.sh/community/
Thanks, Dan!
To save you one click you can go here directly: https://slack.ory.sh/
(Disclosure: in charge of community at Ory ;-))
Is the full auth suite open-source, and can it be hosted locally? Would be nice to add a Dokploy plugin!
Yep! Check it out: https://github.com/ory
(Disclosure: I work with the community and customers at Ory)
Apparently Firefox is blocked: `Failed to verify your browser - Vercel Security Checkpoint`.
Resolved, Vercel thought we are being DDoS’ed!
Did they only switch recently? I remember seeing Auth0 a few months ago.