3 posts tagged with "transparency"

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta and Auth0, Ping, and Entra ID. Authentik Security is a public benefit company building on top of the open source project.

Earlier this year, an open core project rejected a community contribution because it competed with the enterprise edition. A concern people often raise about monetizing open source is misaligned incentives: why would open core companies make the underlying open source project great when it could cannibalize their paid offering? Open core companies do need paying customers, but offering a substandard free product is hardly going to have people lining up to pay.

We’ve talked about alignment on this blog a lot, because we actually think it’s one of our biggest strengths:

• We’ve discussed how open core aligns company and community incentives.
• We argued that SaaS doesn’t actually align vendor and customer success, especially when it comes to identity management.

Today I want to talk about philosophical alignment with our customers and community, and how it benefits us all to have an open core and source-available enterprise version together with a culture that prizes transparency. We can collaborate closely with customers and potential customers, and everyone has greater visibility into how we respond to issues. But first, let’s look at when the open core model can fall flat.

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and Auth0. Authentik Security is a public benefit company building on top of the open source project.

The XZ backdoor incident spooked a lot of people. Not all PRs are innocent—even from long-standing contributors—and this one would have created a backdoor in a utility included in almost all Linux distributions, had it not been caught.

But “open source = more vulnerable to exploits” is the wrong takeaway—being open source can actually be an advantage for security-focused products.

Access tokens make identity management and authentication relatively painless for our end-users. But, like anything to do with access, tokens also can be fraught with risk and abuse.

The recent announcement from Sourcegraph that their platform had been penetrated by a malicious hacker using a leaked access token is a classic example of this balance of tokens being great… until they are in the wrong hands.

This incident prompts all of us in the software industry to take yet another look at how our security around user identity and access can be best handled, to see if there are lessons to be learned and improvements to be made. These closer looks are not only at how our own software and users utilizes (and protects) access tokens, but also in how such incidents are caught, mitigated, and communicated.