
This is an Open Core product. The open source part of it seems to be quite limited (see https://supertokens.com/pricing) and therefore I have a hard time believing this version can be "an alternative to [...]".

Actually, the main motto of the frontpage is "Open Source User Authentication", which I also think is a bit of a mischaracterization of the software, since key features I'd look for in authentication software are not open source.

I love that this is a Java-based project and the goals and ideas behind it; but I think the very prominent use of the term "open source" is misleading and I recommend demoting it or using alternative terms to reflect a more precise reality.



Many of the core features are open source. E.g. all the authentication methods (email password, passwordless, social, etc.) are in the open source product. You can also use the open source components to implement email-based or SMS-based 2FA.

RBAC, session management and the user management dashboard are open source too. It's several years of an engineering team's work that is all open source.

Our philosophy is to keep features that are broadly required by developers and small companies in the open source version. Things that large companies require will be source available.

We have several enterprises (more than $100M raised or several hundred employees) that are using SuperTokens at the scale of millions of monthly active users - all using the open source product. We think the open source product is a sufficient alternative (for a large enough population).

Are there any other features you feel should be in the open source version? Happy to hear any feedback and improve.

(Project creator here)


> Many of the core features are open source.

Out of the 15 features I see in https://supertokens.com/pricing, 7 are only proprietary. That's roughly half of them. Without qualifying the weight of every feature, it numerically raises a significant challenge to your statement.

SAML, OAuth and 2FA strike me as key components that are not open source.

---

So I stand by my words. I feel put off by a wording that makes me believe a project is open source, when it is open core. Even if you don't like open core or argue the definition is not clear (which I'd disagree), at least marketing it as open source so prominently is IMO misleading, and puts me off (and apparently I'm not alone here).

It's fair to have a business model on open source (obviously!) and I wish you all the luck. But being honest about your business model choices should be the #1 tenet.


> Without qualifying the weight of every feature, it numerically raises a significant challenge to your statement.

Well I think that is the only thing that matters.

If I split all auth methods into the 6 different features it really is, then it becomes 13 free features.

The ones listed as not open source are there to indicate what we plan to build for our paid offering. If we removed those and 13/13 were open source, would that change your views? If yes, then that qualification is pretty important.

SAML client and OAuth client are both free. You can add auth with any OAuth 2.0 provider to SuperTokens.

Being an OAuth 'provider' (emphasis) is not open source as it is a feature you need for complex use cases.

You can add 2FA with email or SMS in the open source product too (it just requires some customizations and overrides).


> Well i think that is the only thing that matters

It's not the only thing that matters. It may matter more, but not entirely. Yet since I'm not your CPO/CMO I won't put in the effort to analyze their weights ^_^

> SAML client and OAuth client are both free. You can add auth with any OAuth 2.0 provider to SuperTokens.

I'm not denying what you say, but in your pricing page I read:

* "SAML Auth" --only proprietary version

* "2FA" --only proprietary version

so if they are open source, this feature naming is confusing.

We can go back-and-forth debating the merits of the non-open-sourced features. But that doesn't change the gist of my comment: you are advertising something as Open Source, where only a fraction (big or small) is, and I consider this misleading. At least for me. I find it more honest to remove those prominent Open Source claims and instead replace them with less prominent comments about part of your software being open source (which is fine and great!). But this is just my 2 cents, take them or leave them ;)

[Edit: formatting]


Agreed on feature naming - will fix!

Also I definitely understand your perspective and it makes sense. SuperTokens still is 100% open source - but you are right, as we evolve into a paid offering, there is scope for improvement.


> Being an OAuth 'provider' (emphasis) is not open source

Being an OAuth provider is precisely what everyone expects from a self-described "open source authentication service". If Supertokens does not support that out of the box, it should not really be called an open source authentication service.

I understand you want to capitalize on your work, but I feel this is a gross misrepresentation of the project.



