It's a nice project but I don't think any venture needs a separate service for user accounts right off the bat. And I level that same criticism at Clerk, Auth0, Cognito which are all stand-ins for a lack of BE engineering.
Rails + Devise + OmniAuth + Doorkeeper has kept me going for yeeeeeaaaaaarrrrrrs.
We use Clerk and it's expensive but works great and saved us a ton of time on enterprise readiness. Saying "just BE engineer it" is all well and good until you need 2FA and org management and SSO and RBAC and configurable 2FA enforcement and passwordless sign-in and SMS and a lock-out policy and JIT account provisioning and all the UI to match and so on.
Recently, I spoke with a person who had experience in the startup world, and the one thing he would do differently in the future was to use Keycloak from the beginning instead of cloud-native authentication services, to have control over the user authentication flow.
Given that context, having other self-hosted options sounds like a good thing.
What about ventures without top quality engineering talent?
Security is the one thing that absolutely has to work and keep working as new threats develop. There’s thousands of LLM assisted projects being created by one person teams that will, and probably should, hand off this problem.
Bad quality CRUD is one thing, bad quality auth is another.
> all stand-ins for a lack of BE engineering.
Well, yes, any dependency is technically a "lack of engineering". That's kinda the point - engineering capacity is limited and should be directed towards core business differentiators, not generic infrastructure.
That said, Auth is not really like all the rest of the services. It's special in that it controls all access to everything else making it the load-bearing stone in your entire architecture. Fundamental mistakes in your user auth model tend to be very very hard to unwind. So take the time to do the engineering work (thinking) even if you eventually outsource to a hosted provider - at least you'll know what you're outsourcing and the implications.
Auth0’s main differentiator is their tutorials for every framework under the sun. Want to have a SwiftUI, angular and Python command line frontends? They have tutorials for all that.
Eh, I don't really mind a service playing in the same space as Keycloak.
It's really not much work to spin up a service, and personally having used Rails + Devise + OmniAuth + Doorkeeper... I'd pick Keycloak instead.
The level of complexity is pretty similar at the end of the day, but you get more robust auth service, with a lot more flexibility.