
How does this differentiate from other open source identity solutions like KeyCloak or Ory? I wish there was more collaboration in this space, especially since we're talking security and these projects need pen testing, bug bounties, and more infrastructure to be considered "production grade".


There is a comparison chart available: https://supertokens.com/pricing#comparison-chart


Quite a confusing comparison, especially against Keycloak. From what I can tell the open source part doesn't seem to do anything Keycloak doesn't do, but many of Keycloak's features aren't on the list.

The chart also assumes you're using the hosted solution (as 2FA isn't even available on the open source version according to that same page). If that's the case, it should compare against any hosted Keycloak provider, because SLA and management are readily available. I suppose the table could also compare the open source versions, but that wouldn't be very advantageous to SuperTokens with major features still marked "coming soon".

I'm not sure why Keycloak wouldn't offer "UI and backend customisability". The theme guide shows quite a lot of customisation (https://www.keycloak.org/docs/latest/server_development/#the...) to the point where you can restructure the HTML itself.

One thing Keycloak lacks is an easy to use API, using complex OpenID/OAuth/etc. APIs and two language-specific libraries instead. That seems like a much more sensible option to distinguish between these products. As someone currently using Keycloak (and not experiencing any problems with it after setup) this comparison just isn't very convincing.


If you ignore the subjective lines two and three of the comparison table, keycloak looks objectively better. And it has an Apache 2.0 license for the whole product.

Honestly, thanks for putting keycloak on my radar.

I see the supertokens team in this thread doing nothing to make me think that they intend to stop misleading people.


I'm happy with the way I've got Keycloak set up (especially ability to simply throw Apache's OpenID Connect in front of arbitrary paths) but I do recommend also looking into alternatives. Keycloak is great for enterprise SSO setups where you need to authenticate to ten different services on ten different domains, but there are much simpler options out there if all you need is auth for a single website!

I imagine the biggest reason to go for Supertokens is the first-party SaaS support. If you want to outsource auth (like Auth0/Firebase Auth/etc. do) then I think there's something to be said for this project. The open source-ness doesn't add too much value in that use case, though.


Supertokens also allows you to implement enterprise SSO through their integration to SAML Jackson (by BoxyHQ).

https://boxyhq.com/guides/jackson/integrations/supertokens


And when you include Keycloakify[1] the UI customisability is a breeze. This comparison really isn't giving the full picture and capability of Keycloak.

[1] https://www.keycloakify.dev/


Right. Makes sense. I think what we had originally intended to communicate is the ease of customisability, in which case, we feel that Keycloak's UI customisation is more difficult to do.


Wow, this is pretty cool, thanks for linking this!


Putting user satisfaction in the chart and not backing it with sources (I know at least a handful of companies who are very satisfied with e.g. KeyCloak) does not instill lots of confidence in the product differentiation. And what does customizability mean? KeyCloak has a rich Plugin system.

Other than that it seems to be quite equal, if you discount the more difficult things in Auth like providing standardized APIs, OAuth2 APIs and SCIM.


Yes, it's a very subjective point.

We've mentioned the source (if you hover) and it is based on our internal user research and conversations with users of these products. By no means is it perfect and there are many many satisfied customers of each of the other products.

Your point is taken though and maybe we will edit that point out or try to add further nuance.

I do believe, however, that broadly speaking, reviews of Keycloak lean towards it being relatively harder to use and maintain than Firebase. Arguably the reviews of Cognito are more mixed than "Low".


It's tricky to make these marketing charts objective. It would be good to have a real comparison somewhere.


To add on to the comment about Keycloak, the comparison to AWS Cognito has a couple issues as well.

- The comparison suggests Cognito is more expensive. Cognito pricing starts at 50,000 MAUs for free. That's 10x the size of the SuperTokens free tier. It then tiers from $0.0055 down to $0.0025. That's 1/3 to almost 1/10 of the SuperTokens hosted open source option. MAUs who use SAML or OIDC are another $0.015. That's still equal to or less than the SuperTokens hosted open source version where SAML isn't even available.

- Multi-tenancy is a complex topic. But a common pattern using Cognito is to create a User Pool per tenant which provides a lot of flexibility depending on the number of tenants you anticipate.


There is no comparison to Ory there AFAICT.


Saying that GDPR is not needed because Keycloak is self-hosted is just outright wrong, which makes me wonder if the creators understand GDPR and how valid their claims to support GDPR are.



