Need help understanding Zitadel for large corporations and custom UI
Hi, I'm looking into Zitadel to replace our custom identity system. One thing I immediately noticed was that Zitadel is trying to be everything at once, and that can be very hard to pull off. On paper it looks like a great option, but when I dug deeper I found some nuances. For example, we are a well-established entity and have front-end and mobile application engineers, so I wanted to use our own UI, but the endpoints for creating a user and a session require authentication (probably by a service account). So I'll need another service wrapping Zitadel and handling DoS attacks etc. I don't get the design philosophy of putting everything behind an API; is it because of the multi-tenant feature? We are B2C, so we just have to put up with it not being reproducible?? My other option is Ory Kratos, which I believe to be superior in security but slow in features and development. I want something in the middle: I like the activity and development on Zitadel and the integration of Ory. I don't want a UI to change things; I want well-thought-out and secure APIs. It gives me Keycloak vibes.
These are all my opinions and feel free to correct me if I’m wrong.
4 Replies
👋 hello @amirsalarsafaei thanks for reaching out to our community!
This is Federico Coppede, glad to help you. Regarding Zitadel's philosophy, it's focused on B2B use cases, but that doesn't mean you can't use it for other scenarios. Regarding this, feel free to share a common use case you need to address and I can provide a high level overview of how it could be implemented using Zitadel.
With regards to UI customization, you can either use the hosted login UI or deploy and host your own. We have a new Login UI we are working on that can be self-hosted. This means you can also fork the code and modify it freely; there is a step-by-step guide on how to deploy your own UI here: https://zitadel.com/blog/how-to-self-host-zitadel-typescript-login-ui
Finally, Zitadel has built-in security features like DDoS protection, but you can also place a reverse proxy in front of it like CF to implement your own security rules.
Let me know if you have any follow up questions regarding this, thanks!
Hi @fcoppede, thanks for the response. For example, I wanted to try out a custom UI and SMS OTP login. I thought it would be straightforward, but I'll need a proxy for the service account as you mentioned. This implied to me that handling of CSRF and security issues is left to the implementer. Why is the token required in the first place?
Hello @amirsalarsafaei, assuming you refer to the PAT ZITADEL_SERVICE_USER_TOKEN that is used in the custom login UI: the token is required because the custom login UI uses the Session API internally. The token should have only the appropriate manager role (IAM Login Client). If you plan to fully customize the login experience, yes, security measures are the responsibility of the implementer.
Well, that's what I was referring to. Zitadel is good as long as you use the hosted UI. The custom UI experience is very basic, and better features could be found through libraries. It's a shame cause I really like the features Zitadel offered, if only it would've focused on providing robust APIs like flows as Ory Kratos does. I doubt it will have massive enterprise adoption due to this flaw. For start-ups, Django and django-tenants exist; I wish you would've provided a solution to this as Ory does.
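The arrangement described in the thread (a custom login UI calling the Session API with a service user PAT, while CSRF and DoS handling stay with the implementer) as an added example, not code from the thread or from Zitadel's own login UI: a small backend-for-frontend that keeps the PAT server-side, checks the request's Origin and a double-submit CSRF token, and rate-limits per client before calling an injected, hypothetical Session API function.

```typescript
// Added example: a backend-for-frontend (BFF) that keeps ZITADEL_SERVICE_USER_TOKEN
// off the browser and adds the checks a custom login UI must own itself:
// CSRF (same Origin + double-submit cookie compared in constant time) and a
// per-client token-bucket rate limit. Framework-free so it runs offline; the
// upstream Session API call is injected and kept synchronous for simplicity
// (a real implementation would await a fetch to ZITADEL).
import { timingSafeEqual } from "node:crypto";

export interface LoginRequest {
  clientIp: string;
  origin?: string;      // Origin header sent by the browser
  csrfCookie?: string;  // value of the CSRF cookie set by the BFF
  csrfHeader?: string;  // same value echoed by the SPA in a custom header
  loginName: string;
}
export interface Result { status: number; body: Record<string, unknown> }
// Hypothetical upstream call; in practice it sends the PAT (a service user with
// only the IAM Login Client role) as "Authorization: Bearer ..." to the Session API.
export type SessionApi = (loginName: string, bearer: string) => Record<string, unknown>;

export class LoginBff {
  private buckets = new Map<string, { tokens: number; last: number }>();
  constructor(private serviceToken: string, private api: SessionApi,
              private allowedOrigin: string, private ratePerMin = 10) {}

  // Token bucket keyed by client IP: refills linearly to ratePerMin per minute.
  private allow(ip: string, now: number): boolean {
    const b = this.buckets.get(ip) ?? { tokens: this.ratePerMin, last: now };
    b.tokens = Math.min(this.ratePerMin, b.tokens + ((now - b.last) / 60000) * this.ratePerMin);
    b.last = now;
    this.buckets.set(ip, b);
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
  private csrfOk(r: LoginRequest): boolean {
    if (r.origin !== this.allowedOrigin) return false;
    if (!r.csrfCookie || !r.csrfHeader || r.csrfCookie.length !== r.csrfHeader.length) return false;
    return timingSafeEqual(Buffer.from(r.csrfCookie), Buffer.from(r.csrfHeader));
  }
  handle(r: LoginRequest, now = Date.now()): Result {
    if (!this.allow(r.clientIp, now)) return { status: 429, body: { error: "rate_limited" } };
    if (!this.csrfOk(r)) return { status: 403, body: { error: "csrf" } };
    const session = this.api(r.loginName, this.serviceToken);
    // The PAT never leaves the BFF; the browser only gets the session result.
    return { status: 200, body: { sessionId: session.sessionId } };
  }
}
```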
Thanks for clarifying things🙏