Worth mentioning Casbin as well (https://github.com/casbin/casbin) - it's been around for a while and takes a slightly different approach. Instead of being purely Zanzibar-inspired, it uses a PERM (Policy, Effect, Request, Matchers) metamodel that lets you implement RBAC, ABAC, or ReBAC depending on what fits your use case.
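The PERM split mentioned in the comment above, as an added sketch that is not part of the thread and is not Casbin's code or API: a tiny evaluator in which swapping the matcher changes the model (RBAC or ABAC) and swapping the effect changes how allow and deny rows combine. All names, users and policy rows are constructed for illustration.

```python
# Added illustration of the PERM idea (Policy, Effect, Request, Matchers).
# Simplified on purpose; this is not how the Casbin library is implemented.
from dataclasses import dataclass

@dataclass(frozen=True)
class Doc:                       # constructed resource type; owner is an attribute for ABAC
    name: str
    owner: str

REPORT = Doc(name="report", owner="bob")            # constructed sample object

# Policy: rows of (subject, object name, action, effect); constructed sample data
RBAC_POLICY = [
    ("editor", "report", "write", "allow"),
    ("editor", "report", "read", "allow"),
    ("mallory", "report", "write", "deny"),          # explicit deny for one user
]
ABAC_POLICY = [("*", "*", "*", "allow")]             # one row; the matcher does the work

# Role links (the user -> role relation); constructed sample data
ROLES = {"alice": {"editor"}, "mallory": {"editor"}}

def has_role(user, role):
    """True if `user` is the named subject itself or holds it as a role."""
    return user == role or role in ROLES.get(user, set())

# Matchers: does policy row p apply to request r = (sub, obj, act)?
def rbac_matcher(r, p):
    return has_role(r[0], p[0]) and r[1].name == p[1] and r[2] == p[2]

def abac_matcher(r, _p):
    return r[0] == r[1].owner    # decision depends on an attribute of the object

# Effects: combine the effects of all matched rows into one decision
def allow_override(effects):
    return "allow" in effects

def deny_override(effects):
    return "allow" in effects and "deny" not in effects

def enforce(request, policy, matcher, effect):
    """Evaluate one request: collect effects of matching rows, then combine."""
    matched = [p[3] for p in policy if matcher(request, p)]
    return effect(matched)       # no matching row means no "allow", so default deny
```

With the allow-override effect, mallory's editor role wins over her explicit deny row; only the deny-override effect makes the deny stick, so the effect is as security-relevant as the policy rows.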
Keycloak was good but has too much legacy for 10+ years. Casdoor is pretty new and has become a good replacement for Keycloak for me with more functionalities.
Casdoor is a promising open-source IAM solution: https://casdoor.org/ , written in Go and React. All features like OIDC, OAuth 2.0, SAML, CAS, LDAP, WebAuthn and 2FA are all supported. SaaS management is also supported like pricing, subscription etc.
1. Support high-concurrency and use less memory (Go v.s. Java)
2. More modern SPA-style web UI (with React and Ant Design), more CDN friendly
3. Full-fledged RESTful API
4. Support a lot of provider types: OAuth, SMS, Email, CAPTCHA
5. More powerful authorization (powered by Casbin), Casbin is a popular authorization solution with a lot of integrations for DBs and applications: https://casbin.org/
SaaS hosting is also provided at: https://casdoor.com/ for anyone who doesn't want to self-host.
From their system info page: https://door.casdoor.com/sysinfo, it only consumes about 10MB of memory, with no fewer features (more features, actually) than Keycloak.
I just never heard of it, I went through reddit and looked at what people were using, and awesome-xyz lists, and then went through docs and pages to see which projects had the same priorities as me.
And Authelia looked like the best match.
I think I looked at:
- Keycloak
- Zitadel
- Authelia
- Authentik
And maybe a few more, but I never heard of Casdoor before today, and even now there are few Reddit references to it.
Casdoor is another promising open-source IAM solution: https://casdoor.org/ , written in Go and React. All features like OIDC, OAuth 2.0, SAML, CAS, LDAP, WebAuthn and 2FA are all supported.
Compared to Keycloak, Casdoor has:
1. Support high-concurrency and use less memory (Go v.s. Java)
2. More modern SPA-style web UI (with React and Ant Design), more CDN friendly
3. Full-fledged RESTful API
4. Support a lot of provider types: OAuth, SMS, Email, CAPTCHA
5. More powerful authorization (powered by Casbin), Casbin is a popular authorization solution with a lot of integrations for DBs and applications: https://casbin.org/
SaaS hosting is also provided at: https://casdoor.com/ for anyone who doesn't want to self-host.
> 1. Support high-concurrency and use less memory (Go v.s. Java)
In the context of Go vs Java this is a kind of weird unsubstantiated claim. For example if you think a garbage collector leads to higher memory use; Go uses a garbage collector, just like Java. There are loads of applications which support high concurrency in Java. Such as Elasticsearch and Apache Kafka.
It's a fact that I also don't know why, maybe not mainly because of GC. Java's high concurrency is not impossible but just requires more effort to tune the performance.
The fact is a "true" fact, I'm not saying something which is wrong. This is all I care about. I don't need to know why. I'm not an expert on programming languages, nor do I look into compiler source code. If you think the "fact" is not true, please just give your opinions and evidence.
An open-source Identity and Access Management (IAM) / Single-Sign-On (SSO) platform powered by Casbin and AI gateway with web UI supporting OAuth 2.0, OIDC, SAML and OpenAI ChatGPT
Why would an IAM/OAuth2 platform need ChatGPT? Is this just buzzword bingo?
I'm the Casbin author. XACML is nearly 20 years old and it was a very classic ABAC implementation in the world. I used, learnt and studied it through my master's and Ph.D. career in the last ten years. That's part of the reason why I created Casbin 3 years ago during my Ph.D. I hope Casbin is some kind of improvement compared to XACML. XACML has been stable these years but Casbin is young and still growing, so we can fix things that are not that good compared to XACML. Authzforce is under GPL-3, which needs to be handled carefully for commercial use. Casbin is Apache 2.0. If you want to follow a more famous standard, choose XACML. Otherwise choose Casbin.