~20 years ago everyone rolled their own auth.
~15 years ago libraries like Passport started cropping up and gaining in popularity. I would guess this is when people started preaching "don't roll your own auth".
~10 years ago OAuth2/OpenID Connect became popular for UX reasons but only for centralized social login providers
~5 years ago Auth0/Okta was all the rage, though this is likely an HN ecochamber and maybe limited to enterprise.
The last few years it seems like self hosting is getting more popular, perhaps due to increased quality in open source offerings (Zitadel, Ory stack, many others[0]).
And very recently[1] there's been some excellent resources like OP focused more on teaching you how to roll your own again, incorporating the security lessons of the past couple decades.
[0]: https://github.com/lastlogin-net/obligator?tab=readme-ov-fil...
- tons and tons of startups entering the space since the Auth0 acquisition by Okta in 2021. Probably due to a combination of: stickiness, standards, the fact the market was defined by Auth0 (so you don't have to define it or explain it), and the critical nature of it.
- providers focusing on time to market and ignoring OAuth/OIDC (or delaying delivery of standards based functionality): clerk, stytch
- providers focusing on certain use cases: workos (enterprise SSO), propelauth (b2b), clerk (react components to begin with, though they've expanded)
- self-hosting solutions with a more modern feel than Shibboleth and Keycloak (Duende Identity Server, FusionAuth, Zitadel, Ory)
- OSS providers monetizing by offering to operate their system, sometimes making it hard to find the download button so you can run it yourself
- hyper scaler solutions that are usually the default for folks building there, until limits are reached. These solutions include Cognito, Entra B2C (formerly Azure AD B2C), and Firebase.
It could be the folks I talk to, but most of them aren't interested in implementing auth themselves. They see it as undifferentiated functionality, like a database or message queue, and only worth implementing in certain specific circumstances. However, they're also worried about lock in. And they are thinking about the speed to market vs external dependency of SaaS offerings for critical application components.
However, choices really depends on team size and skillset. Startups are best served by using a SaaS offering or library framework that will give basic functionality and get out of the way so you can get to PMF and/or build features you can charge for. Bigger teams need more flexibility and have the ops skills to run auth themselves and remove the third party dependency.
For example: https://orcid.org/
Anyone who wants one can have their own Orcid Id in two minutes flat (and they're the only major SSO implementation i know that actually let's you keep your email private, other than Apple, i guess).
They support Oauth/OIDC, and you can even allow people to sign in to your own (non-commercial) service with their orcid via OIDC - it's no harder to setup the integration than Google or Facebook.
If GitHub were just the UI for submitting changes I think that could actually be quite effective as a lightweight wiki solution, so long as people's changes are deployed right away and don't require a maintainer to merge them. But it's likely very difficult to do that in a secure way with a standard static site generator.
That doesn't mean wikis can't have bans, require captchas, or lock pages that are frequently abused to tenured registered users, but the tooling needs to support instant updates and freedom to edit needs to be the default. Otherwise you're looking at a static site or a CMS, not a wiki.
There needs to be gatekeeping.
"Speak friend, and enter."
A wiki allows anyone to edit by default and their changes are deployed without verification by another user. Moderation takes the form of locking specific pages on a case-by-case basis to users with tenure (who can still edit instantly) and rolling back misguided changes.
There's nothing wrong with having a site that isn't a wiki, but this is just a static site maintained by one person, so calling it a wiki is odd.
Create a new site that is of some public good like this site. This site will probably gain domain and page authority much quicker than their main site and will attract more visitors and the key is that their page is linked through this auth.wiki site so their page (logto) will get the SEO benefit as well.
But personally I don't think this is an SEO play, more like a brand awareness thing. Some engineer at logto probably got pissed off with the state of auth documentation, went to his boss and proposed creating a simple static site with the "business case" being brand awareness and SEO.
Yes, this project began as an internal initiative motivated by the current state of auth documentation — fragmented and inconsistent in quality. The goal was to create a centralized, high-quality website that is independent of Logto’s product content, providing value to the wider community.
While it's hypocritical to deny the potential benefits for SEO and brand awareness, the main goal remains (and will continue to be): to provide valuable and independent knowledge for everyone developing or interested in auth and identity.
Sure, it’s a security risk, but this security circle jerking is exactly what I dislike about modern tech. IAM, OAuth, WebAuth—get lost. I just wanna try something out.
It would be great to actually make it a wiki (and have changes recorded in git).
From the Github readme:
> Crontributing
> Missing entry? Found a typo? Please don't hesitate to create an issue or submit a pull request.
> Edit on GitHub
> The content is located in src/articles. You can find the file and click the edit button (the pencil icon) in the top right corner to start editing.
The [Edit on Github] button didn't go anywhere for me and I don't see how to create a new 'card'/entry. There seems to be (IMO) too much friction for this to be well-maintained.
This is probably just a typo, but I love the unintentional pun. A wiki was called that because it allowed quick edits by its users. Crontributing to this site takes much more time...
