Open Systems, a leading networking and cyber security organization, updated their IAM strategy by adopting ZITADEL, an open-source identity management system. ZITADEL is flexible such that it offers both self-hosting and cloud options, aligning with their diverse global client needs. It's a practical case of leveraging open-source technology to enhance security and operational efficiency in a large company.
Check out ZITADEL. It fuses the best features of Auth0 and Keycloak into a more modern, innovative package. (Full disclosure: I'm part of the team.)
It's an open-source IAM solution. It offers a cloud-based SaaS option and can also be downloaded for self-hosting. You can try the hosted cloud version for free: https://zitadel.com/signin
It provides:
- authentication and authorization capabilities (including SSO, IdP Federation)
- auditing
- custom extensions
- support for standards such as OIDC/OAuth/SAML/LDAP
- full API support
- various authorization strategies, including Role-Based Access Control (RBAC) and Delegated Access, making it a great choice for both B2C and B2B scenarios.
It mostly aims to ensure ease of operation and scalability (users love the simplicity). The community and team actively contribute towards development and support.
I found Nate Barbettini's video on OAuth and OpenID Connect incredibly insightful for understanding these topics. He explains everything so well: https://youtu.be/996OiexHze0
Additionally, I'm part of the ZITADEL team, an open-source project that's free to download or use in our cloud offering. So, you can always tinker around with it, as some others have already suggested. Our blog dives into various security topics, ranging from OAuth, OpenID Connect, Single Sign-On, Authentication, and Federation to emerging issues like Passkeys. We also discuss real-world Identity Management problems and solutions seen by ZITADEL users: https://zitadel.com/blog
For any specific security-related queries, feel free to join the conversation on our Discord chat: https://zitadel.com/chat. We're always discussing and sharing insights on these topics.
In integrating ZITADEL with Warrant.dev or another tool, you would first rely on ZITADEL for user authentication, which provides an access token (typically a JWT, as demonstrated in the article; you can also fetch the ID token). Your application's backend should validate this token to confirm user identity, either via JWKS or a separate introspection call. Following this, for any user action requiring permission checks, you'd make API calls to Warrant.dev, using the roles or permissions from the token to determine access rights. This is useful for highly granular permission management. If you're looking for Attribute-based Access Control (ABAC), ZITADEL's actions, custom metadata, and custom claims can be used as explained in the post.
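The JWKS validation step described in the comment above, as an added example in Go (not code from the comment or from the ZITADEL project). `issueDemoToken` is a constructed stand-in for the issuer and its JWKS endpoint so the block runs offline; the `kid` and claim values are assumptions, and a production backend would fetch the key set from the issuer's JWKS URL and also check `iss`, `aud` and `exp` before handing the claims to a permission check.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

// jwk is one RSA entry of a JWKS document ({"keys":[...]}), reduced to the fields used here.
type jwk struct{ Kty, Kid, N, E string }
var b64 = base64.RawURLEncoding // JWTs use unpadded base64url
// issueDemoToken is a constructed stand-in for the issuer: fresh key pair, its JWKS entry, signed token.
func issueDemoToken(kid string, claims map[string]any) (string, jwk) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	e := b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())
	return signing + "." + b64.EncodeToString(sig), jwk{"RSA", kid, b64.EncodeToString(priv.N.Bytes()), e}
}
// verifyRS256 is the backend check: pin the alg, match the JWKS key by kid, verify over header.payload, then trust claims.
func verifyRS256(token string, key jwk) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrRaw, _ := b64.DecodeString(parts[0]) // truncated input is rejected further down
	body, _ := b64.DecodeString(parts[1])
	sig, _ := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	if json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "RS256" || hdr.Kid != key.Kid || key.Kty != "RSA" {
		return nil, errors.New("alg must be RS256 and kid must match the JWKS key") // no alg=none or HS256 confusion
	}
	n, _ := b64.DecodeString(key.N)
	e, _ := b64.DecodeString(key.E)
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var claims map[string]any
	return claims, json.Unmarshal(body, &claims)
}
```

The claims map returned on success (including any role claims ZITADEL was configured to assert) is what the backend would pass to the Warrant.dev call.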
A good starting place is the issues. You can also check our documentation and make PRs for improvements. And feel free to jump into discussions. We also give swag to our first-time contributors as a token of appreciation.
Indeed. It is slightly misleading at first glance. But the author has stated that it is incomplete. ZITADEL (https://zitadel.com/), for example, pretty much checks almost all the boxes.
> ZITADEL doesn't support anonymous clients. Honestly, it's not the best practice anyway.
How would you accomplish the same thing using best practices? The closest is dynamic client registration without requiring an initial access token, but that still requires clients to support the protocol, and I know at least the Jellyfin and Discourse OIDC plugins do not. And even if they did, what do you gain over anonymous auth?
- Exposing APIs or backend services as MCP servers
- Auto-generating MCP tool metadata from OpenAPI definitions
- Applying access control, rate limits, and observability policies
- Preparing for agent-driven discovery via the upcoming MCP Hub
The idea is to make APIs more usable as tools in agent workflows with governance and control for teams.
You can try it out here: https://bijira.dev
Docs: https://wso2.com/bijira/docs/