
The problem is that everyone has their own implementation of it following loose, at best, standards. Some like Auth0 are fully hosted by them, but ORY’s is self-hosted, configurable software. Then you also have Amazon’s IAM, which is its own proprietary software. Many of the things you listed perform different tasks at different levels of auth flows.

I would first start by fully understanding the difference between authentication and authorization. The way we describe these terms with the word “auth” does this distinction a disservice.

The OAuth 2.0 and OpenID standards are the best places to start. They are where standardization begins and (unfortunately) ends. OAuth is an Authorization protocol, not an Authentication protocol; however, people do mix the authentication into the flows.

Basic intro to OAuth2: https://auth0.com/intro-to-iam/what-is-oauth-2

In depth explanation: https://www.digitalocean.com/community/tutorials/an-introduc...



> OAuth is an Authorization protocol, not an Authentication protocol; however, people do mix the authentication into the flows.

This is what I don't get. Using OAuth2 for authentication is so complex, whereas Ory has a simple authentication system based on cookies: https://www.ory.sh/docs/security-model

With OAuth2 it seems to me to be the same, just with extra steps keeping track of tokens and expiration. Why use OAuth2 for authentication? It was never designed for that.


My understanding is that this is usually done by companies that need to implement delegated authorization, which is the bread and butter of OAuth 2.0. By starting and implementing their authentication flows with OAuth2, you can support both delegated authorization and native authentication, where your own apps are simply OAuth clients with some special casing. That isn’t absolutely necessary, since you could build authentication separately from OAuth, but then you would still need those OAuth2 flows for delegated authz eventually if you do.


If Ory had a UI for self-hosted instances… that would be insane! User management etc. without a user interface is weird; not sure why it’s missing in the self-hosted version.



