OpenAI uses open source Ory to authenticate over 400M weekly active users
34 comments
·March 20, 2025mintplant
aeneas_ory
If you could share a HAR file (stripped of credentials of course) or a screenshot of your network tab when it happens, we'd love to take a look and figure out what's going on! If it's reproducible even better.
You can send it to aeneas at ory.sh. It may not be OAuth2 related, and I'd like to make sure.
quinncom
Is Ory also used for auth in the ChatGPT macOS app? I regularly get login errors there.
mintplant
Sure thing, I'll keep that in mind!
ustad
Someone else with the same problems!
What is going on with the continuous redirects? I think they are pushing users to either sign up and/or pay up and/or disable ublock. What kind of BS is that?
No worries - It forces me to use claude more and I’m cool with that.
advaitruia
Funny thing is that its powered by Auth0. Its funny that Ory is asking for the HAR file
zenlot
Why it's funny? It just shows their openness and dedication. Funny that you are flagging it as funny.
PS: no affiliation, heard 1st time today about them.
apitman
From what I can tell, Ory is a high quality auth stack capable of scaling up.
If you're looking for something a bit simpler to work with for indiehosting use cases, I maintain a list here:
https://github.com/lastlogin-net/obligator?tab=readme-ov-fil...
aeneas_ory
The list is really helpful for people to navigate, and here is additional context to the complexity topic :)
If you use our managed services (https://console.ory.sh), it is easy to set up and scale because we have a bunch of defaults, UIs, and the security stuff all set up already.
If you run it completely on your own, which does require some skill especially in terms of (security) incident response, it is more work because you have to figure out a few pieces yourself (the stack is agnostic to the environment).
We have an option for self hosting with all the stuff we have built for the SaaS, but it only makes sense for businesses of a certain size.
Complexity also depends on how many services you combine, some people try to use everything at once and it's overwhelming.
What’s making Ory complex for people who do it by themselves, is that Ory is 3 different API first products that work stand alone or in concert. To wire this up, one requires understanding of every service. Here it is easier to spin up a cloud account, or use an alternate project which is e.g. just one docker container.
apitman
EDIT: For the record, I'm grateful Ory is open source and wish you all the success in the world. My comments below are specifically for the indiehosting case.
For indiehosting, my threat model is "what are my options if the team behind this software takes it in a direction I don't like?"
For some projects (Redis, Terraform), the answer is that a high quality fork pops up (Valkey, OpenTofu). For others (MongoDB), there's still not a FLOSS alternative included in major package managers.
But even if a fork does appear, they are relatively likely to eventually fall prey to the same incentives that impacted the original.
I try to cut this off at the root, and prefer software I would be confident forking myself. All of the options marked "simple" on my list fall under that category.
Sometimes you can't avoid complicated software, but you often can. For an indiehosted identity server, 5,000-10,000 lines of code provides pretty much all the features I need. I don't think the extra ~100,000-900,000k lines of code of the major players is worth the risk.
gavinray
> but it's still less work than setting up JVM correctly :D
I'm not sure that either of these are what I'd called "difficult"
FROM openjdk:21
sudo apt install openjdk-21-jdkapitman
I would guess parent is referring more to tuning the JVM.
null
mooreds
Is this only for open source self-hosted solutions, or for any auth solution that can be self-hosted?
I'd like to add FusionAuth if the latter (we have a full featured free option but are not open source).
Should I just add a comment on the google sheet or is there a better way?
apitman
Yeah open source only, sorry.
mooreds
No worries! I get it.
You should add Gluu/Janssen to your list; they are a venerable open source OIDC implementation: https://github.com/JanssenProject/jans
throwaway894345
That’s awesome. Bookmarking this. I’ve been surprised at how difficult it has been to find a simple auth tool for indie/homelab use cases.
zenlot
So what is tl;dr for simpler?
advaitruia
Could you clarify what OpenAI actually uses Ory for? Their main login page is powered by Auth0
aidenesco
Does anyone here have experience with Ory products and Google Cloud?
Easy enough to set up CloudSQL with Postgres and run the Ory software on Cloud Run? Any weird issues/hiccups?
mooreds
Disclosure: I work for a competitor of Ory.
I'll be interested to see what pops up here, but you'd probably have better luck joining their slack community and asking there: https://www.ory.sh/community/
vinckr
thanks Dan!
To save you one click you can go here directly: https://slack.ory.sh/
(Disclosure: in charge of community at Ory ;-))
gtirloni
Apparently Firefox is blocked `Failed to verify your browser - Vercel Security Checkpoint`.
aeneas_ory
Resolved, Vercel thought we are being DDoS’ed!
doctorpangloss
Maybe you guys should make it possible to add passwords to any account, including a Google authed one.
Like I get Keycloak is complicated but it is also very useful.
rvanmil
My gosh yes please! This is so annoying. Last time I checked it’s impossible to disconnect your email address from Google auth if you used that to sign up. And no way to delete the account and recreate with that email address.
aeneas_ory
That is definitely possible when you use our identity product, which is also open source: https://github.com/ory/kratos
There you can combine all authentication methods in any shape or form you wish!
doctorpangloss
So why isn’t it possible with OpenAI? They use Auth0, right? What exactly do they use Ory for?
mooreds
Disclosure: I work for an Ory competitor.
Yeah, the case study is a little hand-wavey, but from hints on the ChatGPT login page, it seems like they still use Auth0 (at least for the free, consumer facing application that I use).
From https://www.ory.sh/case-studies/openai
"OpenAI is rapidly building its new identity experiences, having already enabled unprecedented logins per second with levels of data transparency and infrastructure flexibility that were not possible with other vendor solutions."
Maybe they are using Ory for new auth experiences?
oulipo
Is the full auth suite open-source, and can it be hosted locally? Would be nice to add a Dokploy plugin!
jeffhickman
Yep! Check it out: https://github.com/ory
(Disclosure: I work with the community and customers at Ory)
null
Funny, OpenAI is one site where I've noticed that the login is kinda wonky. Every so often it just randomly fails, gets stuck, gets caught in a redirect loop... That may not be Ory's fault, but unfortunately this may not be the ringing endorsement they were hoping for.