If your open source project competes with your paid product, you’re doing it wrong
authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta and Auth0, Ping, and Entra ID. Authentik Security is a public benefit company building on top of the open source project.
Earlier this year, an open core project rejected a community contribution because it competed with the enterprise edition. A concern people often raise about monetizing open source is misaligned incentives: why would open core companies make the underlying open source project great when it could cannibalize their paid offering? Open core companies do need paying customers, but offering a substandard free product is hardly going to have people lining up to pay.
We’ve talked about alignment on this blog a lot, because we actually think it’s one of our biggest strengths:
- We’ve discussed how open core aligns company and community incentives.
- We argued that SaaS doesn’t actually align vendor and customer success, especially when it comes to identity management.
Today I want to talk about philosophical alignment with our customers and community, and how it benefits us all to have an open core and source-available enterprise version together with a culture that prizes transparency. We can collaborate closely with customers and potential customers, and everyone has greater visibility into how we respond to issues. But first, let’s look at when the open core model can fall flat.
What happens when there’s misalignment?
The example we shared above stung particularly for a couple of reasons:
- Months went by without a maintainer engaging or setting expectations. The founder and CEO eventually responded to close the PR, and there clearly wasn’t alignment ahead of time around what features are good candidates for the open source project vs the enterprise offering.
- The community contribution added core security functionality. This PR added support for OpenID Connect authentication, and was rejected due to SAML support being part of the project’s enterprise tier — a distinction that feels inappropriate when SSO is table-stakes for security in 2024.
How we balance open source and enterprise
For us, some features and capabilities are obvious candidates for the enterprise version: anything that would only appear on the checklist of a corporate auditor (typically compliance-related logging capabilities, FIPS compliance, and so on), or the ability for an organization to integrate directly with (and migrate away from) other enterprise identity provider solutions.
We always want to have an open source, free alternative that is fully functional for the individual or homelab user.
Core functionality isn’t paywalled
Logging is an essential piece of running any sort of infrastructure, so we don’t restrict all logging to enterprise licenses. We also don’t lock core, essential security features behind enterprise. That means SSO (as in the OIDC example above), API access, and service accounts are all available in the open source version to support core security, configurability, and automation.
We don’t use performance thresholds to strong-arm users into enterprise
We also don’t have arbitrary performance constraints to force users into an enterprise tier simply because you might have a lot of individual users, or service accounts. We try as best as we can to limit enterprise features to what would apply to actual commercial rollouts.
The open source project is actively developed
Far from neglecting the free and open source version of authentik in the hopes that people might upgrade to enterprise, it makes much more sense for us to continue to have a fully functional, well-documented product that people can try out and use for free, and offer valuable reasons to graduate to enterprise for specific use cases.
Most of our paying customers have already used authentik, either as individuals or as a trial for their company. If we gave them a substandard product, they wouldn’t come back asking for enterprise features. We have to create something compelling enough that they’ll want to use it at all — and want to continue using it as their needs evolve.
We’ve set things up so you don’t have to rely on our good will
We know the combination of open core and source-available enterprise codebase isn’t a guarantee of all of the above, and not every company that’s open core will be transparent by default. Working openly and together with customers and users is as much a product of company culture as it is licensing.
It is much harder to be transparent when you have a proprietary codebase and when responding to incidents isn't public by default, though.
Many of the commitments we make above are part of the charter we adopted as a Public Benefit Company. This means Authentik Security has “a legal responsibility to maintain and actively develop a viable, secure open source project in addition to any proprietary code.”
So, not only are Authentik Security’s business goals aligned with maintaining and improving the open source product, it’s a legal requirement. It’s part of our company mission never to take anything out of the free and open source authentik, and further to continue adding to it. We recently released our biennial report as a Public Benefit Company, in which we shared that of 5,675 total commits to authentik, 5,615 of those were to non-enterprise code.
99% of code commits over the past two years have been to the non-enterprise, open-source version of authentik.
The dream: we collaborate, everyone wins
With a closed source or a SaaS provider, things can change and you won’t always know when, why, or how. If you’ve built on top of them, things might break unexpectedly.
By being open core and transparent, we can allow our users to play more of an active role in the development of the product. Instead of submitting a feature request that goes into a black hole, our users and customers get a chance to influence the product. We recently shipped source property mappings for SCIM, OAuth, SAML and Plex sources in our 2024.8 release to support multiple customers who had requested this feature set, and we did so as part of the open source product.
We have release candidates for the community to test before each release, and we provide continuous access to our beta versions — as soon as the code is written. Early adopters get earlier access to more functionality, and user feedback helps us build a stronger product, faster. There are times when a customer might bump their production instance up to the bleeding edge if they really need a particular feature and don’t want to wait for the release. Users and customers get more advance notice of what’s changing and why, so they can test early and provide feedback.
Of course, there may be cases where we can’t prioritize a feature request. The approach outlined above empowers users with more visibility into what’s coming or what isn’t being prioritized, and agency over how they respond. They can give feedback if something is mission critical for them.
CoreWeave, for example, makes heavy use of Kubernetes in their infrastructure, and actually contributed code to include additional Kubernetes functionality in authentik. (CoreWeave also recently shared their story about collaborating with us to support onboarding developers to an AI/ML hackathon.)
The relationship is more collaborative. It’s faster for everybody and a better experience overall; everyone wins.
Can you trust, but verify, your security-critical vendors?
The advantages of having an open core, source-available product are especially important for identity products. Trust is critical for security software, but it’s hard to place your trust in a vendor with a poor track record when you can’t even see how they’re responding to breaches and vulnerabilities.
We serve technically minded people who want to dig into the code themselves. Our users and customers want to figure out how things work, and when vulnerabilities are discovered or if something goes wrong, they want to understand how they’re affected and what steps we’re taking to mitigate. By working in the open we’re able to share those things with them.
If you want more transparency from your identity provider, check out authentik. Whether you’re a homelab user or looking for an enterprise solution, we’d love to work with you. If you have any questions you can reach us on GitHub, Discord, or via email to [email protected].