Comments URL: https://news.ycombinator.com/item?id=46891425

Points: 1

# Comments: 0

You can convert an issue to a discussion and vice versa, so no duplication is needed and your notification should be preserved.

Or do you mean something else?

I think gitmore could be improved if it used the conventional commits specification, there is a reason almost everyone uses them.

The confusion here is about two different types of SSO:

_Admin SSO (for managing Ory itself)_ - Ory is fundamentally an API. For self-hosted deployments, you control access however you want - through your infrastructure, reverse proxy, or using Ory Polis. This is not gated.

_Organizations SSO (for your end users)_ - This is the paid feature. It allows your B2B customers to bring their own identity provider. If you're building a SaaS product and BigCorp wants their employees to authenticate using Okta or Azure AD, Organizations handles that federation.

The distinction matters because maintaining integrations with enterprise IDPs is continuous work. For example Google randomly changes their OIDC implementation on a Saturday evening. Someone needs to wake up and fix that. For products serving other businesses at scale, that operational burden is real.

Organizations is one of the few areas where we charge, specifically targeting the B2B SaaS use case. If you're self-hosting for internal use or building a consumer product, you don't need Organizations. If you're selling to enterprises that require SSO, you're generating revenue to support the cost.

It says "When deploying Ory open-source Servers, protect access to their APIs using Ory Oathkeeper or a comparable API Gateway."

CAPTCHA is not in scope for Kratos, there are already great solutions out there that you can use

CAPTCHAs aren’t a big help anymore in my personal opinion, but you can easily integrate them on the frontend when using Kratos. The commercial offering just bundles all of this out of the box for you.

If Keycloak fits your needs well and you see no room for improvement, that’s perfectly fine; by all means use what works best for you.

However the newest addition to the Ory ecosystem, called Ory Polis (formerly known as BoxyHQ) does close that gap. It is also Apache2 licensed, do check it out here: https://github.com/ory/polis

Feel free to message me on the Ory Community Slack if you want to discuss further: https://slack.ory.com/

At Ory, features like high-availability setups, zero-downtime upgrades, large scale multi-tenancy, and formal SLAs are part of the commercial offering. In most cases, if you’re not operating Ory at large enterprise scale, you won’t need those.

It’s a reasonable tradeoff: the commercial offering covers the costs of maintaining those capabilities and helps fund continued open source development. Big organizations that rely on Ory in production should ideally help sustain the ecosystem they depend on.

tbh i don't know too much about it other than that they moved away from the apache2 license recently

(disclaimer: I'm working for Ory)

If you are "just" doing first-party login, session, and user mgmt then Ory Kratos is all you need. I would say in the majority of cases you would be fine with just Ory Kratos.

If you want 3rd party integrations, or become an IDP (think "login with $yourcorp"), or you migrate an existing system that relies on OAuth2 that you want to keep, or you have more complex auth flows where OAuth2 shines, then you want Ory Hydra.

If you want a "fine-grained" global, centralized authz system, complex and scalable authz as described by Google Zanzibar, then you want Ory Keto.

If you want to support SAML as well, you want Ory Polis.

If you want a "zero trust" setup, then you want Ory Oathkeeper.

That being said in almost all cases Kratos will be fine and you can pick and choose what you actually need.

(i work for Ory as DevRel)