
Oh god, at megacorp we implemented our own OAuth2 stack. Much sadness ensued.


Been there, done that - wish it upon no one.

If anyone ever brings up the idea of building out OAuth or even vaguely user management, I try to point them to at least try a POC (Proof of Concept) with https://www.keycloak.org/ (Apache 2.0 License) or https://www.gluu.org/ (MIT License) before they consider building.


Another solution is OpenLDAP (or JumpCloud) at the root and then supporting software:

  OpenLDAP
  ├── PrivacyIDEA (TOTP/MFA with LDAP auth backend)
  ├── SAML IdP (e.g. SimpleSAMLphp or Shibboleth) for SSO: AWS, Google, GitHub, Atlassian, Snowflake, Azure etc.
  ├── Dex (https://github.com/dexidp/dex) for anything that wants an OAuth flow
  ├── Native LDAP for apps that support it (e.g. Metabase, Grafana)
  └── Any other custom authT that supports LDAP as a backend

OpenLDAP itself isn't for the faint-hearted but I've had a lot of success with JumpCloud (and Okta also have an LDAP directory service... though the starting price is high).


I don’t think anyone building a modern identity solution should base it on OpenLDAP. LDAP is amazing as an identity provider in a data center, but does not offer support for modern authentication methods like OAuth and OIDC. As such, it’s not a very good base for creating your organization's identity.

I’m happy to be proven wrong about this. I love open standards and protocols.


> LDAP is amazing as an identity provider in a data center, but does not offer support for modern authentication methods like OAuth and OIDC.

I don't think lack of support for OAuth is a problem here. OAuth is specifically designed to obtain access to an HTTP service[1], and OpenID Connect is specifically designed for OAuth. LDAP is not an HTTP service.

[1]: https://tools.ietf.org/html/rfc6749


I think you've misunderstood my comment. LDAP gives you an extremely well supported back end from which to easily extend to virtually any form of authZ, including OAuth.
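The "LDAP at the root, Dex in front of it for OAuth/OIDC" arrangement sketched in the tree above, and the reply that LDAP is a back end you extend from rather than a replacement for OAuth, can be made concrete with a Dex connector configuration. The block below is an added example, not from any commenter or from the Dex project's own documentation: the issuer hostname, directory DNs, file paths, the Grafana client and the secret placeholders are all assumed values, and the key names follow Dex's LDAP connector as I recall it, so check them against the current Dex docs before use.

```yaml
# Added example (not from the thread): Dex issuing OIDC tokens for users
# who authenticate against OpenLDAP. Hostnames, DNs, paths and secrets are
# placeholders chosen for illustration.
issuer: https://dex.example.internal/dex

storage:
  type: sqlite3
  config:
    file: /var/dex/dex.db

web:
  https: 0.0.0.0:5556
  tlsCert: /etc/dex/tls.crt
  tlsKey: /etc/dex/tls.key

connectors:
  - type: ldap
    id: ldap
    name: Corporate LDAP
    config:
      host: ldap.example.internal:636
      # Keep LDAPS on and pin the directory's CA rather than skipping
      # verification; Dex forwards user passwords over this connection.
      insecureNoSSL: false
      insecureSkipVerify: false
      rootCA: /etc/dex/ldap-ca.pem
      # Read-only service account used only to locate the user's entry;
      # the user's own credentials are then checked with a second bind.
      bindDN: cn=dex-reader,ou=services,dc=example,dc=internal
      bindPW: REPLACE_WITH_SECRET_FROM_VAULT
      usernamePrompt: Email
      userSearch:
        baseDN: ou=people,dc=example,dc=internal
        filter: "(objectClass=inetOrgPerson)"
        username: mail
        idAttr: uid
        emailAttr: mail
        nameAttr: cn
      # Group membership becomes a "groups" claim in the ID token, which is
      # where downstream apps can hang their authorization decisions.
      groupSearch:
        baseDN: ou=groups,dc=example,dc=internal
        filter: "(objectClass=groupOfNames)"
        userMatchers:
          - userAttr: DN
            groupAttr: member
        nameAttr: cn

# One OIDC relying party; Grafana's generic OAuth login is the assumed client.
staticClients:
  - id: grafana
    name: Grafana
    redirectURIs:
      - https://grafana.example.internal/login/generic_oauth
    secret: REPLACE_WITH_CLIENT_SECRET
```

With this in place the application only ever talks OIDC to Dex: it never sees LDAP credentials or the directory itself, and the bind DN used for lookups can stay a least-privilege read-only account. The same directory still serves PrivacyIDEA and the native-LDAP apps directly, which is the "extend from LDAP" point the reply is making.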




