The usage of CockroachDB in newer security products is refreshing. I wonder if users could share one CRDB cluster between Zitadel and SpiceDB[0] to have a full, modern AuthN+AuthZ stack with few dependencies.<p>[0]: <a href="https://github.com/authzed/spicedb" rel="nofollow">https://github.com/authzed/spicedb</a>
This seems very clean and handily beats Keycloak there, at least.<p>I am building an application that will be deployed into a closed network, and it has some requirements regarding auth and authz that would be time-consuming (not to mention error-prone) to implement. I also foresee there being a good chance of the customer wanting to integrate it with their existing stuff, so instead of having a custom user management system as part of the application, I ended up using Keycloak.<p>So far, the experience has been... okay. The beginning was kind of rough, and just recently there were some big changes, and some of the documentation is still out of date, and even more of the documentation is sort of... meh. However, once I really started grokking both Keycloak and the related authz concepts, it's been pretty smooth sailing since. There are some rough edges, like the Node.js admin client being somewhat janky (possibly auto-generated), but otherwise I would definitely use Keycloak in other projects.<p>Zitadel seems like a very attractive alternative, and the documentation is stellar compared to Keycloak's (at a glance at least; kudos for the quickstart guides), but I'd still be sort of worried about the age and maturity of the project. Selling my customer on Keycloak is relatively easy because it's not super young and is being managed and actively developed by the folks at Red Hat. Selling them on Zitadel would probably be harder.<p>Either way, best of luck. When there's a JavaScript client I might take this for a spin for a side project just to see how it compares to Keycloak.
Regarding B2B: You know what B2B frequently calls for? SCIM.<p>Not provided in Zitadel. Not in Keycloak either. WSO2 IS has it. I hate WSO2 with a passion, but it does SCIM.<p>A non-Java on-premises IS is certainly welcome. Haul in SCIM and I'll take a swing at it.
This is interesting, but... how does one deploy this in a container without k8s (using Docker)?<p>Keycloak is big and complicated, but at least it's easy to hide all the complexity behind Docker. Other than configuring the database, one could treat it as an opaque blob.<p>Authentik is big and complicated and modular, so the complexity is apparent in the `docker-compose.yml`.
I had to set up an OIDC server so our website could act as the OIDC provider, and I was really surprised at how hard that is to do if you really need only the most basic setup. In fact it seems that everybody would just keep a Keycloak or whatever in their cluster and would keep it up to date with whatever user schema they have in their app. This felt like too much work for me (I didn't want to maintain a whole extra service just to be able to provide a couple of OAuth scopes from our API back-end), so instead I went and implemented the server directly in our app using <a href="https://github.com/zitadel/oidc" rel="nofollow">https://github.com/zitadel/oidc</a>. In fact this was the only fully functioning OIDC implementation in Go that I could just plug in and make work. So big props to the Zitadel guys; my only worry would be that the server implementation could be more generic and could rely on a set of interfaces that users would be able to implement easily, without having to import a bunch of code from 'examples/server' like we have to do at the moment.
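To make the "most basic setup" concrete, here is an added example (not code from the page, nor from the zitadel/oidc project, which it does not use) of the two pieces an OIDC provider cannot do without and that a relying party actually checks: a signing key whose public half is published as a JWKS, and an RS256 ID token whose signature, issuer, audience and expiry the relying party verifies. It uses only the Go standard library; the issuer URL `https://issuer.example`, the key id `example-key-1` and the function names `NewSigningKey`, `JWKS`, `MintIDToken` and `VerifyIDToken` are assumptions made for this example. The authorization and token endpoints and the discovery document that a real provider also serves are left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Issuer and keyID are constructed values for this example, not any real deployment.
const Issuer = "https://issuer.example"
const keyID = "example-key-1"

var enc = base64.RawURLEncoding // JWT segments are base64url without padding

// NewSigningKey generates a throwaway RSA key; a real provider persists and rotates it.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// JWKS is the "keys" array served at jwks_uri: only the public half of the signing key.
func JWKS(key *rsa.PrivateKey) []map[string]string {
	pub := key.PublicKey
	return []map[string]string{{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": keyID,
		"n": enc.EncodeToString(pub.N.Bytes()), "e": enc.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}
}

// MintIDToken issues a compact RS256 ID token carrying the claims a relying party must check.
func MintIDToken(key *rsa.PrivateKey, sub, aud string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": keyID})
	claims, _ := json.Marshal(map[string]interface{}{"iss": Issuer, "sub": sub, "aud": aud,
		"iat": now.Unix(), "exp": now.Add(10 * time.Minute).Unix()})
	input := enc.EncodeToString(header) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyIDToken is the relying-party side: pin the algorithm, pick the key by kid from
// the published JWKS, verify the signature, then check iss, aud and exp before use.
func VerifyIDToken(token string, keys []map[string]string, aud string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	rawHeader, err1 := enc.DecodeString(parts[0])
	rawClaims, err2 := enc.DecodeString(parts[1])
	sig, err3 := enc.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("bad base64url segment")
	}
	var header struct{ Alg, Kid string }
	if err := json.Unmarshal(rawHeader, &header); err != nil || header.Alg != "RS256" {
		return nil, fmt.Errorf("rejecting alg %q: only RS256 is accepted", header.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys { // the key comes from the JWKS, never from the token itself
		if k["kid"] == header.Kid && k["kty"] == "RSA" {
			n, _ := enc.DecodeString(k["n"])
			e, _ := enc.DecodeString(k["e"])
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no RSA key with kid %q", header.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed")
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(rawClaims, &claims); err != nil {
		return nil, err
	}
	exp, _ := claims["exp"].(float64)
	switch {
	case claims["iss"] != Issuer:
		return nil, fmt.Errorf("wrong issuer")
	case claims["aud"] != aud:
		return nil, fmt.Errorf("wrong audience")
	case now.Unix() >= int64(exp):
		return nil, fmt.Errorf("token expired")
	}
	return claims, nil
}

func main() {
	key, _ := NewSigningKey()
	tok, _ := MintIDToken(key, "user-42", "client-app", time.Now())
	fmt.Println(VerifyIDToken(tok, JWKS(key), "client-app", time.Now()))
}
```

The verifier deliberately refuses any `alg` other than the one it expects and only ever takes the public key from the JWKS it was given, which is what closes the classic `alg: none` and key-confusion mistakes; the claim checks run only after the signature has been confirmed, so an unsigned claim set never influences the outcome.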
When I checked this out 9 days ago there was a GitOps installation instructions page! I didn't have a chance to follow it up right away, but now it doesn't resolve anymore. What happened to GitOps support in Zitadel?<p><a href="https://docs.zitadel.com/docs/guides/installation/gitops" rel="nofollow">https://docs.zitadel.com/docs/guides/installation/gitops</a>
Interesting pricing model: <a href="https://zitadel.com/pricing/v2" rel="nofollow">https://zitadel.com/pricing/v2</a><p>Price per request isn't as common of an identity pricing model as MAU is.<p>(Only applies if you host with them, of course. If you self-host, I believe it is free.)
This looks great if you need it to scale, but I would like a self-contained version that works in a couple of Docker containers and doesn’t need a CockroachDB cluster in addition to a normal database. Anyone know of anything?
> <i>ZITADEL components send errors and usage data to CAOS Ltd., so that we are able to identify code improvement potential. If you don't want to send this data or don't have an internet connection, pass the global flag --disable-analytics when using zitadelctl. For disabling ingestion for already-running components, execute the takeoff command again with the --disable-analytics flag.</i><p>So, on-by-default spyware. How could anyone trust this in their infra when they are so shameless about exfiltrating data without consent?
FYI your docs are broken: I can't scroll down on anything (such as <a href="https://docs.zitadel.ch/docs/guides/authentication/login-users" rel="nofollow">https://docs.zitadel.ch/docs/guides/authentication/login-use...</a>)<p>Chrome 101.0.4951.64 / macOS 12.4<p>Very curious though, as I've been doing a lot of OIDC work at Inrupt.
Yeesh, that name! What the heck were they thinking? "Hey, what if we combined Zit and Citadel!"<p>But seriously, now I want to know, what are the most unfortunate technology or startup names my fellow HN'ers have encountered? I'd bet a moderate sum there are some wild examples to be found in SV history.