Show HN: Open Source Authentication and Authorization
<blockquote data-quote="Hacker News" data-source="post: 73690" data-attributes="member: 365">
<p>I’m Rishabh, the co-founder and CTO at <a href="https://supertokens.com" target="_blank">https://supertokens.com</a> (YC S20). We offer open-source user authentication and we just released our user roles product for companies implementing authorization.</p>
<p>Our users are web developers, and a prominent and adjacent pain point for our users is authorization. Developers typically implement two independent solutions for authentication and authorization. Offering AuthN and AuthZ in a single solution is something we’ve been thinking about for the last few years.</p>
<p>Quick primer: authentication is knowing who the user is, and authorization is knowing what the user has access to. A physical analogy: A person enters a building. Authentication means reading their ID card and knowing that the person’s name is John. Authorization means knowing which floors, offices, and files John has access to.</p>
<p>With increasing privacy and data complexity, companies like Netflix[1], Slack[2], and Airbnb[3] have built out their own complex authorization systems.</p>
<p>To build our user roles product, we started with a first principles approach of covering authorization use cases using scripting languages such as XACML and OPA. But looking at existing solutions built by talented teams like Oso[4], Aserto[5], Cerbos[6], Styra[7], we realized that while these were powerful solutions, they were often overkill for most early to mid-stage companies (especially on the B2C side).</p>
<p>We went back to the drawing board, reached out to our users and after dozens of conversations, we realized that most authorization needs require the ability to</p>
<p>1. Assign and manage roles and permissions</p>
<p>2. Store roles in the DB and session tokens to make them readable on the frontend and</p>
<p>3. Protect APIs and websites based on these roles and permissions.</p>
<p>And so, we built user roles – a simple RBAC authorization service that focuses on the balance between simplicity and utility. It doesn’t cover many complex cases and we’re not looking to displace any of the authorization incumbents. But you can add AuthN and AuthZ using a single solution, quickly.</p>
<p>In the near future, we’ll be launching an admin GUI where you can manage your users and their roles with a few clicks.</p>
<p>We’d love for you to try it out and hear what additional functionality you’d like to see. What are your favorite authentication providers and what do they get right?</p>
<p>- [1]: <a href="https://conferences.oreilly.com/velocity/vl-ca-2018/cdn.oreillystatic.com/en/assets/1/event/270/The%20distributed%20authorization%20system_%20A%20Netflix%20case%20study%20Presentation.pdf" target="_blank">https://conferences.oreilly.com/velocity/vl-ca-2018/cdn.orei...</a></p>
<p>- [2]: <a href="https://slack.engineering/role-management-at-slack/" target="_blank">https://slack.engineering/role-management-at-slack/</a></p>
<p>- [3]: <a href="https://medium.com/airbnb-engineering/himeji-a-scalable-centralized-system-for-authorization-at-airbnb-341664924574" target="_blank">https://medium.com/airbnb-engineering/himeji-a-scalable-cent...</a></p>
<p>- [4]: <a href="https://www.osohq.com/" target="_blank">https://www.osohq.com/</a></p>
<p>- [5]: <a href="https://www.aserto.com/" target="_blank">https://www.aserto.com/</a></p>
<p>- [6]: <a href="https://cerbos.dev/" target="_blank">https://cerbos.dev/</a></p>
<p>- [7]: <a href="https://www.styra.com/" target="_blank">https://www.styra.com/</a></p>
<hr />
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=33450860" target="_blank">https://news.ycombinator.com/item?id=33450860</a></p>
<p>Points: 7</p>
<p># Comments: 0</p>
<p><a href="https://news.ycombinator.com/item?id=33450860" target="_blank">Continue reading...</a></p>
</blockquote>
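The following example is added here; it is not part of the quoted post and is not SuperTokens' code or API. It illustrates points 2 and 3 of the list above (roles carried in a frontend-readable session token, APIs protected by role) with an HMAC-signed token checked on the server; the role names, permission strings and function names are assumptions.

```javascript
const crypto = require("crypto");

// Constructed sample data: role and permission names are hypothetical.
const ROLE_PERMISSIONS = new Map([
  ["admin", ["invoice:read", "invoice:write", "user:manage"]],
  ["viewer", ["invoice:read"]],
]);
const SECRET = crypto.randomBytes(32); // signing key, held by the server only
const b64u = (data) => Buffer.from(data).toString("base64url");
const sign = (payload) => crypto.createHmac("sha256", SECRET).update(payload).digest();

// Point 2: copy the roles from the DB into the token. The payload is encoded,
// not encrypted, so the frontend can read it; the HMAC is what stops edits.
function issueToken(userId, roles, ttlSeconds = 900) {
  const claims = { sub: userId, roles, exp: Math.floor(Date.now() / 1000) + ttlSeconds };
  const payload = b64u(JSON.stringify(claims));
  return `${payload}.${b64u(sign(payload))}`;
}

// Returns the claims when signature and expiry check out, otherwise null.
function verifyToken(token) {
  const [payload, sig] = String(token).split(".");
  if (!payload || !sig) return null;
  const expected = sign(payload), given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try { claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8")); } catch { return null; }
  if (typeof claims.exp !== "number" || claims.exp <= Date.now() / 1000) return null;
  return Array.isArray(claims.roles) ? claims : null;
}

// Point 3: the API decides from verified claims only, never from roles the client asserts.
function authorize(token, permission) {
  const claims = verifyToken(token);
  if (!claims) return { allowed: false, reason: "invalid-token" };
  const allowed = claims.roles.some((r) => (ROLE_PERMISSIONS.get(r) || []).includes(permission));
  return { allowed, reason: allowed ? "ok" : "missing-permission" };
}

// Simulates a client editing the readable payload while reusing the old signature.
function tamperRoles(token, roles) {
  const [payload, sig] = token.split(".");
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  return `${b64u(JSON.stringify({ ...claims, roles }))}.${sig}`;
}
```

Because the roles live in the token until it expires, a role removed in the DB stays effective for the remaining lifetime of already-issued tokens, which is why the TTL here is short.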