Why ZITADEL is a great Auth0 alternative
Founder and CEO
Quite often we get the question: “Why should we choose ZITADEL over Auth0?”. This article tries to shine some light on this topic. We will explain what main differences we see and why you should consider ZITADEL as a Auth0 alternative.
What is Auth0 and ZITADEL
What is Auth0
Auth0 is one of the most prominent Identity Solutions as of today. It has a strong developer focus and supports many use-cases and integrations. Auth0 is a purely SaaS oriented platform and is closed source. You can get dedicated setups (called "private cloud" in Auth0’s wording) on certain hyperscalers. The pricing is oriented around tiers and monthly active users with a free tier for developers which should not be used for a production setup. Auth0 supports many integration protocols like OpenID Connect, SAML 2.0 and even WS-Fed.
What is ZITADEL
ZITADEL is the identity experience platform built for developers. With its easy integration into your project ZITADEL solves the authentication, authorization and self-service challenges. All of this while providing a long term audit trail out of the box that gives security officers operational confidence. The main contributor is the company CAOS Ltd from Switzerland who founded ZITADEL. The identity experience platform does support features like B2B multi-tenancy, identity-brokering, multi-factor / passwordless authentication, delegated access management, in-context audit trail, OpenID Connect, SAML 2.0 and OAuth 2.0.
Main Differences
Source Code
Auth0 and ZITADEL have quite a big difference in regard to their position of publicizing their source code. While Auth0 is closed source, ZITADEL is an open source project with Apache 2.0 license. We are strongly committed to an Open Source approach with ZITADEL which provides transparency and trust in a security product like an identity management system.
Operating Model
While Auth0 operates a SaaS model, with the option to get a private cloud system on some of the hyperscalers, ZITADEL operates under an OpenSaaS ideology (SaaS built with OSS). Due to the nature of our OSS strategy customers can also choose to self host a ZITADEL instance to gain the highest amount of control over their data. We even offer to run a dedicated instance or support to our customers who are in need to self host. We compared self-hosting vs. SaaS in a previous blog.
Pricing
ZITADEL is committed to a „secure by default“ pricing. We think our customers should not need to pay extra for basics like multifactor authentication or the amount of users which encourages bad practices such as weak password-based authentication or account sharing, respectively.
Auth0, on the other hand, offers by default a „monthly active user“ pricing strategy. While this might sound good at first, it definitely has some downsides. The biggest being the need to pay extra for security features like multi factor authentication. The pricing-by-user is appealing to get started at low cost but the fact that critical security features are only available in more expensive tiers hides the true cost for production-ready scenarios.
Project Structure
ZITADEL has a unique way to group clients that belong to the same security context into what we call “Project”. Projects help users bundle together clients, for example a web-application and a mobile-application, that share the same authorization mechanics. With this developers don’t need to worry about fiddling with the audience scope and can be sure each client gets the same result. The project also allows you to delegate the access and access management to a third party. More details on how our “project grants” work can be found here. From our knowledge there is no way with Auth0 to properly manage applications that belong together.
Self Service
Auth0 does only provide an out of the box user interface for the sign-up, login and password reset. Other self-service aspects like a user profile page or the possibility to manage users as business partners are not available. ZITADEL on the other hand provides a high amount of self-service capabilities. These include user management, user profile page, access management including the delegation of such and even the possibility for business customers to create and configure their own identity providers.
Data Residency
With Auth0 you need to choose a geo region when setting up your tenant. You need to decide whether you want to store your data in the US, Europe, Japan, or Australia. As far as we are aware it is currently not possible to change the location easily. This single “region” approach might impact your customers' latency when they access your services.
ZITADEL, on the other hand, gives you the possibility to store your data globally, in a region including only GDPR safe countries, Europe or Switzerland (more regions and countries to come). All of this while being able to change your location after the creation of your ZITADEL instance. This gives you flexibility and always the best latency. For example if you decide that data can be distributed through GDPR safe regions you get a great latency from Montreal (Canada) through Zürich (Switzerland) to Osaka (Japan). This also protects your application from regional outages and makes ZITADEL highly resilient.
Location of incorporation
Auth0 is incorporated in the US, and ZITADEL in Switzerland. This might or might not be a problem for you. If you serve customers from the EU or have regulatory challenges it might be easier to explain to your compliance team why you choose a Swiss Company over a US company. While the european commission has recognized Switzerland to have adequate protection to allow personal data flow without additional safeguards, the problems around the US-EU Data Transfer problem remain, even with the newest announcements.
Extensibility
While Auth0 had rules and hooks to customize the behavior of its service for a long time, it recently announced that it is switching to a newer approach called actions. You can read in their announcement about their reasoning in more depth. While Auth0 actions are currently more mature (better debugging and logging capabilities) than ZITADELs approach we find the focus on Javascript and Typescript not an elegant design choice.
A few months earlier ZITADEL also allowed users to programmatically extend their setup with a feature called actions as well. The goal with ZITADEL to provide such programmatic extensibility is, to give developers the maximal degree of control and flexibility to customize ZITADEL for their needs. ZITADEL will in the future not only allow javascript and typescript but all languages that support WASM. This gives developers freedom of choice while still being able to efficiently run code at runtime.
Ideas for this feature:
- Integrations: Interact with business APIs to assert data into JWT Tokens
- Customizing Login: Currently ZITADEL supports similar capabilities as Auth0 “Classic Universal Login Pages” with a hosted login. In the future we will provide an SDK to create custom login pages for a domain.
- Reporting & Analytics: Create custom reports
- Attack Protection: Fine tune rate limits
- Observability: Integrate ZITADEL into your (open)tracing stack
Where ZITADEL is a better fit for your project
So now you might ask yourself “When should I choose ZITADEL over Auth0”? We think the answer to this is when one of the following points match your needs:
- You need to have the option to self-host
- Your project needs strong guarantees in regard to data protection, e.g you want/cant share data with a US incorporated company
- Open source is a must for your project
- You want a way to improve the tool you use
- The project you rely on has a strong need for longterm audit capabilities
- You think paying per user is an anti-pattern
- You think paying extra for support and security features is wrong
- You are generally interested in cloud native and serverless concepts
Disclaimer
The information for this comparison was retrieved on April 8, 2022. This article was last updated on October 12, 2022 to add links to our docs and to remove the disclaimer about multi-region availability, since this feature is now generally available in ZITADEL Cloud.
Does something seem outdated or not valid? Please let us know.