Authentication ​

Currently use Hanko for all my auth.

Used oidc-client-ts for auth on web clients before it.

ZITADEL, Lucia, Warrant, Oso, Clerk, SpiceDB, Passkeys, Biscuit, Logto & ORY Hydra seem neat.

GoTrue is nice for generating SWT tokens.

Notes ​

• Authentication verifies identities, and Authorization grants access to resources based on those identities.
• Always download the recovery codes when you enable 2FA.

Links ​

• Firebase Auth
• IndieAuth specification proposal (Code)
• Ask HN: How do you currently solve authentication? (2020)
• frauth - Command line tool to verify the identity of friends in a decentralized manner.
• JWT is Awesome: Here's Why (2020) (HN)
• Learn Authentication The Hard Way (2020)
• Ask HN: What are problems with implementing authentication and authorization? (2020)
• BitAuth - Simple, Secure, Passwordless Login.
• Zanzibar: Google’s Consistent, Global Authorization System (2019) (Web)
• Jake Moshenko on Zanzibar: Google’s Consistent, Global Authorization System (2021)
• What is Zanzibar? (2021)
• samlify - Highly configuarable Node.js SAML 2.0 library for Single Sign On.
• OAuth2 Proxy - Reverse proxy that provides authentication with Google, Github or other providers.
• Verifiable Credentials Data Model - Expressing verifiable information on the Web. (Code)
• Authelia - Single Sign-On Multi-Factor portal for web apps.
• DID - Identity Provider, that authenticates users by verifying access to either an email address or securely stored private key.
• WebAuthn Awesome - Curated list of awesome WebAuthn/FIDO2 resources.
• The Ultimate Guide to handling JWTs on frontend clients (GraphQL) (2019)
• React Google Login - Google oAUth Sign-in / Log-in Component for React.
• OAuth2 for Go
• OAuth 2.0 Security Best Current Practice (2020) (HN)
• Just-for-me Authentication (2020)
• Feather - Lightweight identity platform for adding flexible user authentication and authorization flows to your apps.
• Password authentication for web and mobile apps
• Authentication on the Client Side the Right Way: Cookies vs. Local Storage (2019) (Reddit)
• JSON Web Token (JWT) RFC (Lobsters)
• OAuth 2 Simplified
• Zero-knowledge Auth
• AppAuth - iOS and macOS SDK for communicating with OAuth 2.0 and OpenID Connect providers.
• Simple Auth Setup for Your React App (2020)
• Magic Link - Delightful auth & Web3 onboarding. (GitHub) (Twitter) (Go SDK)
• User authentication with passwords, What’s SRP? (2020)
• JustAuthenticateMe - Passwordless email-based authentication for your web app.
• loginsrv - Standalone minimalistic login server providing a JWT login for multiple login backends.
• Designing an Authentication System: a Dialogue in Four Scenes (1988) (HN)
• Okta Identity Cloud - Gives you one trusted platform to secure every identity in your organization, including your workforce and customers. (Okta Developer Platform)
• Building a Secure Signed JWT (2020)
• Keycloak - Open Source Identity and Access Management. (Go package) (Code)
• TokenCLI - Command line utility for interacting with OAuth2 infrastructure to generate tokens.
• Decentralized Identifiers (DIDs) - New type of identifier that enables verifiable, decentralized digital identity.
• jwt - Golang implementation of JSON Web Tokens (JWT) that helps you avoid common security mistakes.
• HN: Pioneers of web cryptography on the future of authentication (2020)
• openidconnect-rs - OpenID Connect Library for Rust.
• OAuth2 Rust - Extensible, strongly-typed Rust OAuth2 client library.
• JavaScript Authentication & Authorization Book/Course
• ASGI middleware that authenticates users against GitHub
• JSON Web Tokens - Open, industry standard RFC 7519 method for representing claims securely between two parties. (Web Code)
• JSON Web Token Docs Introduction
• Auth Boss - Learn about different authentication methodologies on the web.
• JWT auth visualized
• Simple Auth with Magic.link and Next.js (2020)
• jwt.ms - Decode auth tokens.
• Platform authenticators for Web Authentication in Safari 14 (2020)
• OAuth in one picture
• Why we won’t be supporting Sign in with Apple (2020) (HN)
• yup-oauth2 - Utility library which implements several OAuth 2.0 flows. It's mainly used by google-apis-rs, to authenticate against Google services.
• AuthGuardian by OneGraph - Secure your GraphQL API.
• Pass - Identity app for fintech applications.
• Note on Auth
• How does Single Sign-On work?
• The Future of Online Identity is Decentralized (2020) (Lobsters) (HN)
• Everything You Need to Know About OAuth (2.0) (2020) (HN)
• OAuth 2.0 and OpenID Connect (in plain English) (2018)
• Best practices for password hashing and storage
• Xkit - Build OAuth integrations in minutes. (HN)
• Galileo's Proposed Authentication Algorithm (2020)
• Let's build the GitHub authorization model (2020)
• Oso - Open source policy engine for authorization that’s embedded in your application. (Code) (GitHub) (Sam Scott, co-founder and CTO of Oso)
• I Actively Discourage Online Tooling Like Jwt.io and Online JSON Validators (2020) (Lobsters) (HN)
• ORY Hydra - Hardened, OpenID Certified OAuth 2.0 Server and OpenID Connect Provider optimized for low-latency, high throughput, and low resource consumption. (HN)
• The different kinds of authentication protocols
• gologin - Go login handlers for authentication providers (OAuth1, OAuth2).
• What's in a JWT (Json Web Token)? (2020)
• Gazepass - Passwordless Authentication API.
• dex - Federated OpenID Connect provider. (Web)
• Aperture - HTTP 402 Lightning Service Authentication Token Reverse Proxy.
• Kerbrute - Quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication.
• OAuth 2.0 Simplified - Guide to building OAuth 2.0 servers.
• Authenticator - Generates 2-Step Verification codes in your browser.
• WebAuthn.io - Demo of the WebAuthn specification. (Code)
• [Face ID and Touch ID for the Web (2020)]https://webkit.org/blog/11312/meet-face-id-and-touch-id-for-the-web/() (HN)
• OAuth 3 - In-progress effort to redesign OAuth from the ground up. (HN)
• Portier - Email-based, passwordless authentication service. (Code)
• useAuth - Simplest way to add authentication to your React app.
• Consent Management: What You Need to Understand (2020)
• OAuth2: A Theatrical Introduction (2020)
• JWT authorization in a microservices gateway (2020)
• ORY Kratos - Cloud native Identity and User Management System. No longer necessary to implement a User Login process.
• SSSD - Daemon to manage identity, authentication and authorization for centrally-managed systems. (Docs)
• OAuth is Not User Authorization (2020)
• otplib - Time-based (TOTP) and HMAC-based (HOTP) One-Time Password library. (Web)
• SuperTokens - Open source alternative to Auth0 / Firebase Auth / AWS Cognito. (Code) (HN) (HN)
• FastAuth - Simple authentication server that can also be used for local development with reasonable defaults to kickstart the local development.
• Web Authentication Methods Compared
• About authentication methods (2020) (HN)
• Steam's login method is kinda interesting (2021) (Lobsters) (HN)
• passport-magic-login - Passwordless authentication with magic links for Passport.js.
• node-oauth2-server - Complete, compliant and well tested module for implementing an OAuth2 server in Node.js.
• Learn JWT by reverse engineering
• SAML vs. OAuth (2021) - Engineer’s Guide to Enterprise-grade Single Sign-on.
• Userbase - Auth and E2E encrypted storage in a few lines of code. (HN) (HN 2) (Code)
• Authentication and Authorisation 101 (2021)
• oidc-provider - OpenID Certified OAuth 2.0 Authorization Server implementation for Node.
• A Primer on JSON Web Tokens (2021)
• github/webauthn-json - Small WebAuthn API wrapper that translates to/from pure JSON using base64url.
• Clerk - All of user management as-a-service, not just authentication. (HN) (Tweet) (JS Client)
• Persona - Identity infrastructure for any business.
• JWT in Go
• Twingate – Building the foundation for identity-first network security (2021) (HN)
• GoTrue - Small open-source API written in Go, that can act as a self-standing API service for handling user registration and authentication for JAM projects. (Fork)
• FusionAuth - Authentication and Authorization built for devs.
• Hidden OAuth attack vectors (2021)
• Vercel Basic Auth - How to add Basic Authentication to a Vercel deployment using various languages / frameworks.
• Do You Know Your OAuth Flows? (2021)
• OAuth 2.0 Authentication Vulnerabilities (HN)
• The Modern Guide to OAuth (2021) (HN)
• MagicSquared - Magic Magic Link Authentication.
• Behind GitHub's new authentication token formats (2021) (HN)
• Ory Keto - Open source implementation of "Zanzibar: Google's Consistent, Global Authorization System".
• Basic HTTP Auth via Cloudflare Workers - Can be used to protect static HTML pages.
• Single Sign-On Solutions (2021)
• AuthCompanion - Effortless, open source, token-based user management server - well suited for microservices and static website projects.
• Biscuit, the foundation for your authorization systems (2021)
• Soto Cognito Authentication Kit - Authenticating with AWS Cognito.
• JWT should not be your default for sessions (2021) (HN)
• Webhook Authentication Learnings for GitHub, GitLab, and Bitbucket (2021)
• Himeji: a scalable centralized system for authorization at Airbnb (2021)
• All you need to know about user session security (2019)
• JWT Tokens are NOT safe (2021) (HN)
• Продвинутая JWT авторизация на React и Node js. Access, refresh, активация по почте (2021)
• Verify Apple idToken - Verify the Apple id token on the server side.
• Paseto - Platform-Agnostic Security Tokens. (Web)
• Keratin AuthN - Authentication service that keeps you in control without forcing you to be an expert in web security. (Code)
• WebAuthn Library - WebAuthn (FIDO2) server library written in Go.
• react-query-auth - Authenticate your react applications easily with react-query.
• Dynamic Row-Level Authorization on Web Maps using JWT (2021)
• Raider - Web authentication testing framework.
• OAuth2orize - OAuth 2.0 authorization server toolkit for Node.js.
• jwx - Implementation of various JWx (Javascript Object Signing and Encryption/JOSE) technologies.
• Tekitoi - Lightweight, opensource and simple to use alternative to Auth0 and Keycloak.
• SAML is insecure by design (2021) (HN)
• ZITADEL - Best of Auth0 and Keycloak combined. Built for the serverless era. (Code)
• Biscuit - Delegated, decentralized, capabilities based authorization token. (3.0) (HN)
• How does Google Authenticator work? (2021) (HN)
• Ethereum Single Sign-On (2021)
• Why Authorization is Hard (2021) (HN)
• jwt-decode - Decode JWT tokens; useful for browser applications.
• TypeScript OAuth2.0 Server - Standards compliant implementation of an OAuth 2.0 authorization server for Node, written in TypeScript.
• HIBA: Host Identity Based Authorization - System built on top of regular OpenSSH certificate-based authentication that allows to manage flexible authorization of principals on pools of target hosts without the need to push customized authorized_users files periodically.
• CASL - Isomorphic authorization JavaScript library which restricts what resources a given user is allowed to access. (Web)
• NetAuth - Easy to deploy, easy to use authentication and identity provider. (Web)
• OAuth2AuthCodePKCE client - OAuth 2.0 client that ONLY supports the Authorization Code flow with PKCE support.
• localfirst/auth - Provides decentralized authentication and authorization for team collaboration, using a secure chain of cryptographic signatures.
• Guide to Web Authentication (Tweet) (HN)
• Webauthn-rs - Implementation of webauthn components for Rustlang servers.
• Access Temporary Authentication (2021)
• jwt-cli - Command line tool for working with JSON Web Tokens (JWT).
• Casdoor - UI-first centralized authentication / Single-Sign-On (SSO) platform based on OAuth 2.0 / OIDC. (Web)
• JWT-to-RBAC - Lets you automatically generate RBAC resources based on JWT tokens.
• auth-server - Simple authentication and authorization server.
• Kanidm - Identity management platform written in rust. (HN)
• oxide-auth - OAuth2 server library, for use in combination with common web servers, featuring a set of configurable and pluggable backends.
• external-auth-server - Easy auth for reverse proxies.
• Awesome Loginless
• Single sign-on: What we learned during our identity alpha (2021) (HN)
• OAuth “Sign In With Google” in a WkWebView (2021)
• Using Kerberos for Authentication Relay Attacks (2021)
• Jumio - End-to-End ID and Identity Verification Solutions.
• AuthX - Ready to use and customizable Authentications and Oauth2 management for FastAPI.
• OpenID Connect SDK (client and server) for Go
• How to use OAuth to Add Authentication to Your React App (2021) (HN)
• WebAuthn OCaml Server - Authenticating users to services using public key cryptography.
• UCAN: Authorizing Users Without a Back End (2021) (Demo)
• Gothic - User registration and authentication SWT/JWT microservice. It supports REST, gRPC, and gRPC Web API, reCAPTCHA & a variety of DBs with Gorm.
• How We Turn Authorization Logic into SQL (2021) (HN)
• secret-handshake - Mutually authenticating key agreement handshake.
• Simple Things That Are Actually Hard: User Authentication (2021)
• Admin UI for Auth0, Azure AD and AWS Cognito
• Authorizer - Open source authentication and authorization system.Bring your database and have authentication microservice ready in few clicks. (Code) (Tweet)
• Authentik - Open-source Identity Provider focused on flexibility and versatility. (Code)
• KES - Stateless and distributed key-management system for high-performance applications.
• Awesome Authorization
• Authenticate users with Netlify Identity - Perfect for gating static content.
• Cerbos - Painless access control for cloud-native applications. (Code)
• Grant - OAuth Proxy.
• Fosite - Extensible security first OAuth 2.0 and OpenID Connect SDK for Go.
• Charon - Authorization and authentication service.
• Biscuit - Authorization token with decentralized verification, offline attenuation and strong security policy enforcement based on a logic language. (Code) (Tweet)
• jwtex - Serverless application that takes JSON Web Tokens (JWTs) in one format and converts them to another format.
• Auth0 CLI - Build, test, troubleshoot and manage your integration with Auth0 directly from your terminal.
• ORY Oathkeeper - Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules.
• Cognito + Google federated identity - Use Cognito's Google federated identity integration to allow your app users to login with their Google account.
• Userfront - Auth without complexity. (HN)
• Aserto - Cloud-Native authorization as a service. (Article) (HN)
• Ory - Open Source Identity Solutions For Everyone. (GitHub) (Kubernetes Helm Charts for ORY) (Examples)
• casbin-rs - Authorization library that supports access control models like ACL, RBAC, ABAC in Rust.
• oauth2l - Simple CLI for interacting with Google API authentication.
• ed25519-login - Login to websites using a base64 encoded Ed25519 signature. Simple alternative to webauthn. (HN)
• Supabase Auth Helpers
• Supabase Auth UI
• You probably don't need OAuth2 / OpenID Connect (2022) (HN)
• Why Single Sign on Sucks (2022) (HN)
• Online JWT tool - JWT Decoder, Verifier, Generator, Decryptor. (Code)
• Permify - Authorization service and API. Build flexible and faster apps with custom RBAC system.
• OAuth 2 / OpenID Connect Client for Web API runtimes
• webauthn_proxy - Proxy for enforcing webauthn authentication, written in Go.
• A Summary of OAuth 2.0 Attack Methods (2022) (HN)
• PropelAuth - End-to-end auth service for B2B products. (HN)
• ts-ucan - Auth tokens for a distributed, user-controlled world.
• UCAN Distributed Auth (Spec Code)
• BoxyHQ - Open-source alternative to Auth0/WorkOS. (HN)
• Authlib - Ultimate Python library in building OAuth and OpenID Connect servers. (Web)
• Simplest possible OAuth authentication with Auth0 (2022)
• SimpleWebAuthn - WebAuthn, Simplified. A collection of TypeScript-first libraries for simpler WebAuthn integration. Supports modern browsers and Node. (Docs)
• policy - CLI for managing authorization policies.
• Bearer tokens are just awful (2022) (HN)
• Netlify Identity Widget - Zero config, framework free Netlify Identity widget. (Code)
• Localauth0 - Auth0 docker image for local developemnt.
• Auth0 - Secure access for everyone. But not just anyone.
• Awesome Self-Sovereign Identity
• Pritunl - Open Source Enterprise Distributed OpenVPN, IPsec and WireGuard Server. (Terraform Provider)
• Pritunl-Zero - Zero trust system that provides secure authenticated access to internal services from untrusted networks without the use of a VPN.
• Infra - Single sign-on for your infrastructure. (Code)
• Online Identity (2022) (HN)
• Next-Generation Mutual Authentication with Cilium Service Mesh (2022)
• ADX - Experiment in self-authenticating data structures for a federated social network. (HN)
• Tailscale Authentication with Traefik
• Hanko - Clean approach to user authentication that takes you on the journey beyond passwords. For better security, conversion rates, and happier users. (Web)
• web-auth-library - Collection of utility functions for working with Web Crypto API.
• SAML Jackson - SAML SSO service designed as an OAuth 2.0 flow. Integrate SAML with just a few lines of code.
• Apple Passkey (HN)
• Is "acceptably non-dystopian" self-sovereign identity even possible? (2022)
• diridp: replace access keys with public key crypto (2022) (Lobsters)
• Ask HN: What do you use to build auth? (2022)
• Why Passkeys Will Be Simpler and More Secure Than Passwords (2022)
• Awesome IAM
• OAuth2 client for Node and browsers
• Passkeys (2022)
• fido2-lib - Node.js library for performing FIDO 2.0 / WebAuthn server functionality.
• Logto - Helps you build the sign-in experience and user identity within minutes. (Code) (HN) (Connectors)
• Barricade - Docker container that implements logon and registration forms for your application.
• Permify - Open-source authorization service & policy engine based on Google Zanzibar. (Web) (HN)
• Shield - Role-based cloud-native user management system, identity & access proxy, and authorization server for your applications and API endpoints.
• OTP Gateway - Standalone server for user address and OTP verification flows with pluggable providers (e-mail, SMS, bank penny drops etc.).
• Web Authentication: An API for accessing Public Key Credentials (Code)
• Compute@Edge OAuth application starter kit - Authentication at Fastly's edge, using OAuth 2.0, OpenID Connect, and Compute@Edge.
• OpenFGA - High performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar.
• Kala Go - Authorization framework written in Go based on Google's Zanzibar.
• lldap - Light LDAP implementation.
• auth - Highly modern, secure and minimal identity management platform.
• Stytch - User infrastructure + passwordless authentication.
• Ask HN: What are the alternatives to phone authentication? (2022)
• IndieLogin - Sign in with your domain name. (Web)
• Passkeys (2022) (Lobsters) (HN)
• pizauth - Program for obtaining, handing out, and refreshing OAuth2 access tokens.
• JWT vs. Opaque Tokens (2022) (HN)
• Why you should not use JWT (2021)
• pizauth, an OAuth2 token requester daemon, in alpha (2022)
• Go Auth Lib - Authentication via oauth2, direct and email. (HN)
• Why JWTs Suck as Session Tokens (2017) (HN)
• Auth UI | Supabase - Pre-built Auth UI for React.
• How to authenticate content in the age of AI?
• Ask HN: WebAuthn – Replace Password or Second Factor? (2022)
• Passkeys.io - Passkey Authentication Demo. (HN)
• Passkeys as a tool for user retention (2022)
• Idemeum - Passwordless access to apps and infrastructure. (HN)
• Federated Credential Management API (Code)
• Ballerine - Open-source user onboarding and KYC flow made with Svelte. (HN)
• Topaz - Cloud-native authorization for modern applications and APIs. (Code)
• Auth0 Verifiable Credentials (HN)
• Basic WebAuthn client and server in go
• JSON Web Token Toolkit - Toolkit for validating, forging, scanning and tampering JWTs.
• Branca - Authenticated and encrypted API tokens written in Rust. A secure JWT alternative.
• Generic Low Overhead Message Exchange (GLOME) - Protocol providing secure authentication and authorization for low dependency environments.
• 1Password Shell Plugins - Seamless authentication for every tool in your terminal.
• Google Zanzibar Through Our Eyes (2022) (HN)
• CLI for OAuth (HN)
• Micro TOTP - Small, modern library for TOTP.
• Multi-factor Authentication via Row Level Security Enforcement (2022) (HN)
• Apple SignIn Auth Node
• Ask HN: Lightweight Authentication (2022)
• Permit - Makes it easy to add an authentication layer to any Node API.
• Collection of useful "no sign-in" web apps
• Authorized Wire Authenticated Key Exchange (AWAKE)
• Authentication Lab - Selection of challenges all related to authentication or authorisation.
• Nango - Open-source OAuth service for 40+ APIs. (HN)
• Boruta - Lightweight Identity and Access Management server.
• Passkeys for Infrastructure (2023) (HN)
• Portunus - Self-contained user/group management and authentication service.
• Why is OAuth still hard in 2023?
• jwtauth - Minimal CLI to interact with JWT Auth Tokens.
• OAuth Support in Bluesky and AT Protocol (2023)
• Warrant - Open Source Access Control Service (inspired by Google Zanzibar).
• Securing Your Go Application (2023)
• Feature flags and authorization abstract the same concept (2023)
• How Clerk uses JWTs (2023)
• Troubleshooting JWT validation
• Ask HN: Why is WebAuthn so slow to take off? (2023)
• btn.social - Implement social authentication in seconds.
• Why is OAuth still hard in 2023? (HN) (Lobsters)
• OAuth 2.0 for First-Party Native Applications
• Issues with hand rolling auth (2023)
• Passkeys.directory
• Why Clerk auth is nice (2023)
• Does OAuth2 have a usability problem? (yes!) (2023)
• Purpose of OAuth 2
• gotrue-js - Isomorphic JavaScript library for GoTrue.
• Cedar - Language for writing and enforcing authorization policies in your applications.
• oauth Go library - Library for performing OAuth Device flow and Web application flow in Go client apps.
• Understanding Passkeys (2023) (HN)
• Build a Multi-Tenanted, Role-Based Access Control System (2023)
• authenticus - Modern OAuth 2.0 client for JavaScript.
• Why Google Zanzibar shines at building authorization (2023) (HN)
• "Webauthn, Passkeys, and You - The Future of Authentication" - William Brown (2023)
• Ssokenizer
• Passkey Authentication with Rodauth (2023)
• Implementation of a FIDO2 Authenticator Library in Zig - David Sugar (2023)
• Blueprint for a distributed multi-region IAM with Go and CockroachDB (2023) (HN)
• akarso - Implement SSO sign-up with 10 lines of code.
• OAuth 2.0 Explained with Simple Terms
• An introduction to Decentralized Identity (2023)
• How to Implement OAuth in Rust (2023)
• A simple application of OAuth: Mastodon's API (2023)