In the early version of our architecture, we used a custom Java backend for user authentication. It got the job done and helped us launch quickly. But over time, we started to hit hard limits:
- It didn’t support open standards.
- It was never audited for security — so it could easily hide critical vulnerabilities.
- Every new application required writing a custom adapter, making the system harder and harder to evolve.
When we decided to rebuild the infrastructure, we chose Ory.sh, a modular identity management platform built on open standards like OIDC, OAuth2, and WebAuthn, with support for passwordless login and more.
This shift gave us three strategic wins:
- We drastically reduced the amount of code we needed to support authentication.
- We stopped pouring time into legacy infrastructure and focused on delivering user value.
- And we finally implemented passwordless login — something we had long wanted but kept postponing because it was too painful in the old setup.
How the new system works
The diagram above shows the modular structure of our current architecture.
To read it properly:
- Bold modules are the ones we wrote ourselves.
- Italic modules are still in the planning stage but already designed into the system.
The modules we built:
- Onboarding script
  Automates account creation across all subsystems:
  - In Ory, it creates an identity with username, login, and (if needed) password.
  - In Aisystant Space, it sets up an account and a starting set of workbooks.
  - In Aisystant Club, it creates a space for thinking through writing — blog, drafts, and a personal archive.
- Discourse Connect module
  This component implements the official DiscourseConnect SSO protocol via our OIDC provider.
  We couldn’t find a plug-and-play solution that worked with our stack, so we built our own:
  If you’ve read this far and found a working off-the-shelf module, feel free to tap the author on the head. This kind of approach is exactly what we’re trying to move away from.
  Then again — maybe we just created the first actually usable Discourse + OIDC integration.
- OIDC module for Aisystant Space
  Aisystant Space is built on top of NocoDB, which — in its open-source version — doesn’t support OIDC.
  So we had to dust off Emacs, rub some tiger balm on our wrists, and write the integration ourselves.
  It seems to work.
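The two security-critical steps of a DiscourseConnect-to-OIDC bridge like the Discourse Connect module above, as an added sketch that is not our module's code: verifying the HMAC-SHA256-signed `sso`/`sig` request from Discourse, then building the signed response from OIDC claims that have already been validated. The shared secret, nonce, URLs and the policy of rejecting unverified emails are constructed assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

def sign(secret: bytes, payload_b64: str) -> str:
    # DiscourseConnect signs the base64 text itself, not the decoded bytes.
    return hmac.new(secret, payload_b64.encode(), hashlib.sha256).hexdigest()

def verify_request(secret: bytes, sso: str, sig: str) -> dict:
    """Check the signature first, then decode nonce and return URL."""
    # Constant-time comparison; bytes on both sides so odd input cannot raise TypeError.
    if not hmac.compare_digest(sign(secret, sso).encode(), sig.encode()):
        raise ValueError("bad DiscourseConnect signature")
    fields = parse_qs(base64.b64decode(sso).decode(), strict_parsing=True)
    try:
        return {"nonce": fields["nonce"][0],
                "return_sso_url": fields["return_sso_url"][0]}
    except KeyError as exc:
        raise ValueError(f"missing field {exc}") from exc

def build_response(secret: bytes, nonce: str, claims: dict) -> dict:
    """Map already-validated OIDC ID token claims to a signed response."""
    # Assumed policy: never vouch for an address the IdP has not verified,
    # because Discourse matches existing accounts by email.
    if claims.get("email_verified") is not True:
        raise ValueError("refusing to assert an unverified email")
    payload = urlencode({"nonce": nonce,  # echo the nonce from the verified request
                         "external_id": claims["sub"],
                         "email": claims["email"]})
    sso = base64.b64encode(payload.encode()).decode()
    return {"sso": sso, "sig": sign(secret, sso)}

if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    request = base64.b64encode(
        b"nonce=abc123&return_sso_url=https%3A%2F%2Fforum.example%2Fsession%2Fsso_login"
    ).decode()  # constructed request, shaped like the one Discourse sends
    parsed = verify_request(secret, request, sign(secret, request))
    claims = {"sub": "u-1", "email": "a@example.org", "email_verified": True}
    print(parsed["return_sso_url"], build_response(secret, parsed["nonce"], claims))
```

The nonce should also be tied to the browser session that started the login, so a signed response cannot be replayed into a different session.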
Modules in planning:
Some modules are still being designed. We don’t yet know exactly how they’ll be integrated, but since the architecture is built on open standards, we’re confident they’ll plug in cleanly and scale well.
Why we’re still using the free version
Right now we’re in MVP mode, testing technical hypotheses. We use the free cloud version of Ory to avoid spending time on deployment and maintenance.
Once we hit its limits, we’ll decide whether to:
- switch to the self-hosted open-source version,
- or upgrade to Ory Enterprise.
In either case, the decision will be based on real-world experiments — not assumptions.
Personal note
Before this project, I thought I had a solid grasp of how authentication works.
After diving into the Ory stack, I realized I didn’t know nearly as much as I thought.
This transition turned out to be more than an architectural upgrade — it was an engineering coming-of-age moment.
Where we once tried to build everything from scratch, we now assemble infrastructure from proven, well-supported components.
If you’re still using custom-built authentication — check out ory.sh.
You might be surprised how much you don’t have to build yourself.