Show HN: Tesseral – Open-Source Auth System
Show HN: Tesseral – Open-Source Auth

Original link: https://github.com/tesseral-labs/tesseral

Tesseral is an open-source, API-first authentication infrastructure for B2B SaaS, designed for multi-tenant cloud environments. It gives developers a comprehensive set of tools for managing user authentication and authorization, including hosted login pages, user impersonation, self-service configuration, and support for magic links, social login, SAML, SCIM, RBAC, MFA, passkeys, TOTP and API key management. Tesseral offers both a managed service (console.tesseral.com) and a self-hosted option. It ships SDKs for various web development frameworks (such as React and Flask), simplifying integration with existing stacks. A Publishable Key is used to connect the frontend and backend components. Key features include automatic token management, login gating, and middleware for backend token validation. Tesseral simplifies the user invitation flow and provides webhooks for real-time data sync. The project is developed by Tesseral, a San Francisco-based startup, which encourages community contributions and gives security careful consideration.

Ulysse, formerly of Segment, has launched Tesseral, an open-source authentication solution for B2B SaaS applications. It aims to tame the complexity of B2B authentication, offering features such as single sign-on (SAML SSO), multi-factor authentication (MFA), SCIM provisioning and role-based access control (RBAC). Tesseral also supports API key management, with RBAC-based scope restrictions. Tesseral is powerful enough for the needs of enterprise software while emphasizing developer ease of use. Users can self-host or use Tesseral's managed service. In the Hacker News discussion, some pointed out problems with Tesseral's user/organization model (one-to-many), and some argued that a many-to-many approach would handle large organizations better. Tesseral was compared with other authentication services such as Keycloak, with Tesseral stressing its B2B-focused abstractions. There were also concerns about its dependency on AWS, particularly for European companies seeking cloud options with more data sovereignty.

Original text

Tesseral is open source auth infrastructure for business software (i.e., B2B SaaS).

Tesseral is a multi-tenant, API-first service designed to run on the cloud. It is not an authentication library tied to a particular language or framework; Tesseral works with any tech stack.

Most developers should start by using Tesseral's managed service, available at console.tesseral.com. You can also self-host Tesseral.

Tesseral bundles everything that a developer needs to manage users in business software.

Hosted, customizable login pages

Prebuilt UIs, customizable to your brand. Add and remove login methods with just a few clicks in the Tesseral Console.

B2B multitenancy

Tesseral is built for B2B SaaS. Your customer's admins control how their users log in to their tenant, and can add or remove users at will.

User impersonation

See exactly what your users see. Debug and support faster by logging in as your users.

Self-service config for your customers

Pre-built settings pages where your customers can invite coworkers, edit their login settings, and everything else they need.

Magic Links

Add "Log in with Email" support using magic links, without writing any code.

Social Login

Add Log in with Google, Log in with GitHub, and Log in with Microsoft support without writing any code.

SAML (Enterprise Single Sign-On)

Add SAML support to your product without writing any code.

SCIM (Enterprise Directory Sync)

Add SCIM support to your product without writing any code.

Role-based access control (RBAC)

Add fine-grained permissions to your product. The UI is done for you; just plug in hasPermission calls wherever you need them.

Multi-factor authentication (MFA)

Add 2FA to your product without writing any code. Your customers can choose to require MFA for their users if they wish.

Passkeys / WebAuthn

Add "Log in with Passkey" support to your product without writing any code. Supports all passkey platforms, including Touch ID, Yubikeys, and more.

Authenticator apps (TOTPs)

Add time-based one-time-password (TOTP) support to your product without writing any code.

API key management

Not just user authentication. If you want your customers to call your endpoints automatically, give them API keys. UIs, permissions, and authentication checks all come pre-built.

User invitations

Your users can invite their coworkers, or you can invite them yourself from the Tesseral Console.

Webhooks

Live-sync data from Tesseral into your database with realtime webhook delivery.

We encourage all developers to read the full documentation first, which is available at tesseral.com/docs. This README provides only a very brief subset of the docs to illustrate some basic ideas.

Tesseral currently offers several SDKs for common web development frameworks.

  • Clientside SDKs
  • Serverside SDKs

More SDKs, in particular Next.js, are in active development. If you do not see your preferred framework listed here, please get in touch with [email protected]; we may be able to give you early access.

For Tesseral’s managed service, you will first need to create an account at https://console.tesseral.com.

You will need to create a Project and generate a Publishable Key. Publishable Keys always look like this: publishable_key_....

To integrate Tesseral into your app, you'll first need to integrate your frontend. This example uses the Tesseral React SDK.

Install the SDK like this:

npm install @tesseral/tesseral-react

Then, using your Publishable Key (starts with publishable_key_...), wrap your React app in the <TesseralProvider> component:

import { createRoot } from "react-dom/client";
import { TesseralProvider } from "@tesseral/tesseral-react";
import App from "./App.tsx";

const root = createRoot(document.getElementById("root"));
root.render(
  // use your Project's Publishable Key here
  <TesseralProvider publishableKey="publishable_key_...">
    <App />
  </TesseralProvider>
);

The <TesseralProvider> will handle a variety of auth-related tasks for you, including:

  • Redirecting unauthenticated users to the login page ("login gating")
  • Refreshing users' access tokens in the background when they're close to expiring
  • Automatically including access tokens in requests from your frontend to your backend

Once you have your frontend integrated with Tesseral, you'll then need to integrate your backend.

Tesseral works with any backend or framework. SDKs are available for the following:

Your app might look something like this example, using the Flask SDK:

from flask import Flask
from tesseral_flask import access_token_claims, require_auth


app = Flask(__name__)

# use the same Publishable Key you used for your frontend
app.before_request(require_auth(publishable_key="publishable_key_..."))


@app.route("/api/hello", methods=["GET"])
def hello():
    # get the user's email from the current request
    # Tesseral ensures that user emails are always verified
    email = access_token_claims().user.email
    return ("hello, " + email)


if __name__ == "__main__":
    app.run(debug=True, port=5050)

Tesseral's require_auth() middleware (or its equivalent in your framework's SDK) validates access tokens for you, and only authenticated requests will go through to your endpoint handlers. A client can successfully GET /api/hello if and only if it has a valid Tesseral access token.

You can extract details about the requester using:

Or their equivalent in your framework's SDK.
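The "if and only if" contract above is the whole point of an auth gate: a request with no token, a tampered token, or an expired token must never reach the handler, and a valid one must expose verified claims such as the user's email. The following is an added, self-contained illustration of that contract using a constructed HMAC-signed token and a local SIGNING_KEY; it is not the tesseral_flask SDK (which verifies tokens issued by Tesseral, not a locally signed demo token), and issue_token, access_token_claims and handle_request here are stand-ins named to mirror the README's flow.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; the real SDK validates tokens issued by Tesseral.
SIGNING_KEY = b"example-only-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(email: str, ttl: int = 300, now=None) -> str:
    """Mint a demo access token of the form base64(payload).base64(hmac)."""
    now = time.time() if now is None else now
    payload = json.dumps({"user": {"email": email}, "exp": now + ttl}).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def access_token_claims(token: str, now=None):
    """Return the claims only if signature and expiry both check out, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        claims = json.loads(payload)
    except ValueError:            # malformed base64, JSON or segment count
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # tampered payload or signature
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:              # expired: frontend must refresh
        return None
    return claims


def handle_request(headers: dict, now=None):
    """Gate like require_auth(): only a valid Bearer token reaches the handler."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing access token"
    claims = access_token_claims(auth[len("Bearer "):], now=now)
    if claims is None:
        return 401, "invalid or expired access token"
    return 200, "hello, " + claims["user"]["email"]   # mirrors /api/hello
```

The expiry branch is why the React provider refreshes tokens in the background: a backend that fails closed on stale tokens is only usable if the client keeps its token fresh.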

Once you have your backend integrated, you have implemented Tesseral!

MIT.

We welcome outside contributions!

Please be aware, however, that auth software is complex and extremely delicate. We are very cautious with the changes that we merge. We recommend you first open a GitHub issue outlining any proposed changes.

Please immediately report any potential vulnerabilities to [email protected]. We will get back to you over email.

Please do not open GitHub issues for any security-related concerns.

We love enterprise software and the people building it.

Please join our community and stay up to date on new releases, events, and other Tesseral news by following us on LinkedIn and on X (Twitter). You can also check out our newsletter and our blog.

You should also feel welcome to get in touch at [email protected] with questions.

This is commercial open source software managed by Tesseral, a startup based in San Francisco. We previously built SSOReady, an open source middleware for SAML SSO and SCIM provisioning.

Primary technical responsibility for Tesseral belongs to Ulysse Carion, cofounder and CTO at Tesseral, and to Tesseral's technical staff: Blake Williams and Dillon Nys.
