
Ory Network vs. Auth0 vs. Keycloak

Tom Papiernik

Whether you’re building a bustling online marketplace, a social platform aimed to make the world tick, or you’re looking to make your already successful and established product more secure, modern, and future-proof, you’ve probably wondered how to handle authorization and authentication.

While building a custom solution to manage users, access, and enforce the security practices that are vital in the modern day might be tempting, it’s not something that can simply be done in a few sprints by a small team of devs. If you want to focus on developing code rather than becoming a security solutions designer yourself, you can turn to one of the many products and companies that live and breathe security.

Let’s have a closer look and compare two well-established players in the security space with a dynamically growing, modern newcomer. This comparison of Auth0, Keycloak, and Ory will help you decide where it’s best to invest your trust and hard-earned money to provide the most modern, convenient, and secure experience to your users. We have a hunch that you will want to try Ory Network, but we’ll let you make up your mind.

To host, or not to host? SaaS vs. self-managed

The differences start at the very beginning of your journey.

Keycloak, an open-source project developed by a division of Red Hat, doesn’t offer a readily available SaaS solution. As a result, using Keycloak will require setting aside some of your development team’s time, or even setting up a dedicated team to handle the Keycloak-related operations.

On the other end of the spectrum, Auth0 is completely focused on and dedicated to providing its solution in the SaaS model. As the system runs in a multi-tenant environment, each of the Auth0 plans gets you a private tenant hosted in the Auth0 Public Cloud. Should you need more separation or better performance, the only way to get that is by paying extra to get the highest tier plan which gives you access to one of three tiers of private deployments. The company doesn’t offer any kind of licensing for self-managed setups.

With its open-source roots, Ory’s offering makes for a flexible solution, offering users a SaaS product, as well as the ability to work in a self-managed model. Ory Network, which is the company’s SaaS offering, is set up similarly to Auth0 and offers users private tenants in a managed, multi-tenant system. No “private cloud” option is available, meaning all users are provided with the same platform security and performance. In addition to that, Ory allows their users to self-host their software by working with the core open-source projects that are at the heart of Ory Network: Ory Kratos, Ory Hydra, and Ory Keto. Thanks to configuration parity between the open-source servers and their cloud implementations in the Ory Network, users get a unique opportunity to test drive and scrutinize Ory’s offering before they subscribe to the SaaS, as well as a fast track to move their setup over to the Ory Network.

Cracking the piggy bank - how much does security cost these days?

Many of us can agree with the message of the classic Ray Henderson song: the best things in life are, indeed, free. That begs the question - what do Keycloak, Auth0, and Ory offer their users without reaching into their wallets? And how much do they charge for their complete feature set?

You can use Keycloak and Ory for absolutely no charge. While that might be an alluring perspective, remember that, aside from integrating it into your system, you must set up and maintain your Keycloak or Ory self-hosted deployment.

In the case of Auth0 and Ory Network, you get to try out the solutions for free. How much of a taste you get, however, differs significantly between the providers.

An Auth0 free plan allows you to test the service for 22 days. During that time, you get 7000 MAUs (monthly active users), 2 social connections, and three Actions. This vertical slice might be good to get a general idea of the product, but it’s very limited in its feature set and duration, quickly leading you to upgrade to one of the available plans. The plans themselves are arranged into three categories: B2C and B2B, with a B2E option funneling users toward an Okta subscription.

Within the paid plans, Auth0 opted to limit the availability of features in the cheaper options. This means that small projects must either stay on a cheaper plan that works well with the traffic they’re getting or pay much more to get a robust set of security features. For example, a B2C-oriented project must pay $1500 a month for the Professional plan to get multi-factor authentication with TOTP, such as Google Authenticator. Projects that rely on machine-to-machine interactions hit a similar bump in the road, as the cheaper, $228 Essential plan gives them 1000 tokens and no option to buy more, while the Professional plan comes with 5000 tokens and allows them to purchase more if need be.

In the Ory Network, the free plan carries the telling name “Dev”. With no time constraints, the “Dev” plan allows developers to evaluate the full feature set of the Ory Network. This includes identity management and authentication, OAuth2 and OpenID Connect, and a Google Zanzibar-based permission management system. The only limitation of the free plan is that it is designed in a way that makes it not viable for large-scale, production use. This is regulated by limiting the daily active users (DAUs) to 100 and the number of machine-to-machine communication tokens to 1000 without the option to pay for more.

The paid plans come in three flavors: “Essentials”, “Scale”, and “Enterprise”. The “Enterprise” plan is designed to work with the biggest customers and gives them a lot of flexibility in setting up the exact conditions they need. What about the two more attainable plans? With the “Essentials” plan, subscribers get access to all features and don’t have to choose between security and staying within their budget. With 1000 DAUs, 10000 machine-to-machine tokens, and an option to simply pay for any usage that’s over these limits, this plan allows for high levels of flexibility, without requiring you to commit to a higher monthly fee. The same goes for the “Scale” plan, which packs up to 20000 DAUs and 1 million machine-to-machine tokens with the same pay-as-you-go model for any usage beyond that.

Aside from not keeping essential features from lower-tier subscribers, the pricing of Ory Network differentiates itself from that of Auth0 in one important way - the way the customer traffic is measured. While Auth0 uses the “monthly active users” metric, Ory instead focuses on the more granular and customer-friendly unit of “daily active users”. This way of measuring usage helps ensure that a weekend-long usage spike (think Black Friday) won’t cause you any financial problems and push you into the next pricing tier. Ory takes the fair approach of looking at the average daily number of users and allows you to pay extra if you exceed the limits of your plan, without forcing you to pay for a higher subscription tier.

Plug in, baby - a word about integrating with your code

With pricing and flexibility out of the way, let’s talk about the ease of integration. No matter how many great features the solution has, you have to be able to start using them in your application without many problems. Which solution can give you that?

Auth0 is known for great documentation. In many online discussions, developers highlight the fact that the provider’s docs help them understand the required steps easily, which is aided by an interactive approach to docs that allows you to connect to your Auth0 tenant and see calls and commands adjusted to run in the context of your environment. The ease of integration is additionally supported by a wide range of SDKs available for developers that cover SPAs, native apps, web apps, mobile apps, and more. Notable languages and frameworks in the SDK library include React, Vue, Laravel, Ruby on Rails, Node.js, Python - the list goes on. In addition to that, since the summer of 2021, Auth0 has been working on a management CLI to allow developers to manage their tenants directly from the terminal. This tool, however, is not the company’s main focus - it was created as a hackathon project and to this day is in an experimental phase.

Integrating with Ory Network is also supported by a breadth of available resources. While the list of SDKs might not be as long as that of Auth0, Ory provides libraries for all common languages, which include Rust, Elixir, .NET, Go, TypeScript, PHP, and more. Creating UI views that consume the identity management of the Ory Network and allow users to sign up, sign in, or recover accounts is made easier thanks to the Ory Elements UI component library for React, Preact, and TypeScript. More tools that allow you to weave Ory Network into products, including styling and branding, are available to users in the Ory Console, which is the product’s management UI. There, users can quickly and easily style UI views that come bundled with the product, and adjust them to feature their branding and styling using an easy-to-use, no-code editor. The Ory Network is also at the center of a vibrant, active, open-source community, which discusses implementation ideas and hurdles, and talks about new features. The documentation has been recently re-shaped to make integrating with the Ory Network easier and features a breadth of code samples, explanations that use demo applications, and more complex, community-made examples of custom implementations. The company also offers a full-blown CLI for the Ory Network that helps developers manage their tenants and connect to them when developing applications. Additionally, customers of Ory get a unique opportunity to influence the Ory Network feature set - since the product is proudly rooted in open source, customers can contribute new features to the open-source codebase and help the core development team release them.

Keycloak provides a wide range of resources that help developers with their integration efforts. Being an open-source product, Keycloak enjoys the benefits of an open-source community that discusses implementation ideas and hurdles. The most notable element of this community is the Keycloak forum, which attracts many developers who discuss matters in multiple active topics in parallel. Being a free solution, Keycloak has a sizeable user base, and if you’re interested in joining yourself, you’ll have plenty of people to lean on in case of any problems or questions. When it comes to the ease of hands-on integration, Keycloak offers its spin on SDKs by offering “Client Adapters” that are designed to allow for very tight integration with the platform and are supposed to reduce the amount of required boilerplate code. These adapters are available for a significantly less impressive group of languages and platforms, which contains only Java, JavaScript, C#, Android, iOS, and Apache HTTP. Managing the Keycloak instance is made easier thanks to its management UI, which can be supplemented by the admin CLI that allows users to manage their instances directly from the terminal.

Is Ory Network the way to go?

Which of these solutions is the right fit for you? The answer is tied directly to the size of your business and your priorities.

If you’re already familiar with Keycloak and need to rely on its legacy integrations, such as LDAP, Keycloak is a good choice. However, if you're thinking of going down this road and you're not tied to any legacy protocols, why not try a more modern open-source solution in the form of Ory?

Auth0, on the other hand, is good for those who have the cash to spend and want to benefit from a more mature console UI. Auth0 also offers multiple regions, while Ory currently offers deployments in Europe only. Ory is working on rolling out a US region, and will add more regions in the course of the year. While the pricing model is not suited for start-ups and smaller businesses, more conservative companies can find value in the Okta-owned solution.

Being the newest player on the market, Ory Network is an excellent offer for those who look for a fair-priced, modern, developer-friendly, and powerful security partner for their business. Rooted in open source, Ory Network is transparent and flexible, which is appreciated by the community of enthusiasts that surround it. Highly flexible plans allow businesses of all sizes to get access to the latest security mechanisms that include passwordless flows, MFA, and Google Zanzibar-based permission management and enforcement. Before going with one of the legacy providers, check out Ory Network for free and see why companies like Blues Wireless, Fandom, or Sainsbury's decided to entrust their security to Ory.
