Are you guys using solutions such as Auth0 to authenticate and manage users?
I would like to know if you guys go with third-party solutions to provide authentication features to your users, if so, which one?
Thanks in advance.
Trending on Indie Hackers
No I don't use it. Someone recommended it to me but I didn't really see the value. I don't see what's so hard about implementing auth yourself.
It isn't hard, but is it really worth the time? When other solutions out there do not just oauth but have nice features built in that you don't have to worry about.
Yeah it may not be worth the time. At my last job we worked with so many different vendors and spent most of our time integrating with them. Because of that experience, when I started my own SaaS business I wanted to go the other way. Do everything myself.
If I used Auth0 I think it would have been fine. However, I've never thought "oh man I'm wasting so much time dealing with auth issues, if only I used Auth0".
I reckon you're fine either way.
@AnGuRuSO Thanks for your reply.
I think that as long as one follows the standards and best practices it shouldn't be that much challenging.
I implemented authentication myself and I now regret it. I should have used Auth0 instead of doing my own. If you are building a new product, I highly recommend using them (or using an existing authentication provider).
I really don't get it. Can you elaborate why you would prefer Auth0?
Auth0 or any other auth provider is fine. What I think is a pain is to implement each authentication method yourself. It's easy to support one but when you want to add another one, it will take more time and you will make bugs. Best thing is to use an auth provider that simplifies all potential integrations.
Hi @juli1pb what challenges are you facing with your own implementation?
If you want to add a new auth provider for example, it's quite a pain to implement yourself.
Uff, I understand what you mean. It can ben a daunting task.
I'm using Supabase's auth, was pretty easy to set up.
I know Clerk.dev also has some nifty components for auth.
Next Auth is also pretty good for Next JS websites.
Hi @StephCode
I hadn't heard about Clerk.dev until now. Thanks for mentioning it.
Yep we use Auth0. It’s dirt cheap for B2B SaaS(or anywhere you don’t have to support free users). Like everything it has Pros and Cons.
Pros
Cons
Custom functionality can be almost impossible to implement
We have an invite only app, and don’t want to make our users login immediately after settling a password. Over 40 hours of dev time, and we still can’t accomplish this simple task.
They have downtime
Last year there was 2 days when they went down for a few hours. Guess what happens to your app if the login functionality is down? Yep, you’re app is also 100% down.
They did have downtime this past year, but after talking to representatives, it seems like it was early pains of integrating into okta's system (they bought them if you don't know)
Oof. Their downtime is your downtime. That's gotta be frustrating.
Edit: looks like it's just happened to OneLogin, too.
I haven't used it before. However I have an idea for you.
After people complete their setting password, redirect them to a different page . As this page loads, programmatically log them out.
Not sure, it's possible to redirect to different page after login based on previous user activity. If possible, then I believe my idea should work.
Let me know....
Thanks for your reply @shanefromfargo
Regarding the last cons, that's quite a scary scenario for me to grasp. I wonder how did you handle it within your company?
You just have to deal with it. We send out emails, and will call some users and let them know what’s going on. The downtime is pretty much always tied to an AWS outage. So it’s usually pretty easy to include a link to a news article that says “hey the whole internet was down today”.
It’s just extra painful for us, because we’re on Azure. Because we use Auth0 we’re vulnerable to both Azure and AWS outages.
@shanefromfargo “hey the whole internet was down today”.
What a badass message, I love it.
I used to, but found Auth0 and similar to be a waste of time, ultimately. It's much better to have control of your own users table.
I use code generators and do auth in-app. If you're using a full-stack framework, there are usually either built-in generators or a go-to library to do authentication for you.
Why can't you have both? You can just check the jwt and if it is valid and the user isn't in your db you just add it.
I usually don't usually use a JWT unless there's a good reason since they're fairly heavy-weight.
Secondly, if you're using an external tool for authentication, your user table is in their database. This makes a number of things more complex—authorization, testing, conversion optimization (from visitor to user), staging environments with prod data, etc, etc.
For me that's the main downside of Auth0. Synchronizing user data seemed to be way more work than implementing Auth myself.
Hi @SquishyCoder, thanks for your cents.
For almost all projects, I really dont see any advantage of building your own. Just save yourself time and effort but using an out-of-the-box solution. You should have way more important stuff to build
@printscreen Very well said.
My web framework of choice (Django) comes with decent built-in auth, and for most side projects that's good enough. Lots of Django plugins (we call them "apps") to do things like signin with Google.
Also depends on what I'm building, I don't really want to store anyone's password (even if hashed) if it's a side project and don't store any sensitive information. I'll just email users a one-time link to login. If that's good enough for Slack, it's good enough for me.
Hi @kujirajuunigou thanks for your cents on this topic. Passwordless auth is more becoming an alternative for username-password auth.
I use supabase
How's your experience been like so far?
I'm using Firebase Auth. Super simple, easy to use, free (other Firebase products are not free though, and I believe there is a cost for Phone auth). Great documentation, can't recommend it highly enough.
https://firebase.google.com/products/auth
According to the firestore site it is free up to 10000 per month, therefore if your application grows a lot you will have to pay for each authentication.
That limit is only for phone authentication. All other auth (e.g. email, google account, social account, etc.) is free and unlimited.
Thanks for the info!
Just use Firebase. It’s unbeatable in its simplicity to setup. My go-to for any POC or MVP.
Interesting.
No, I believe a lot in owning your auth. I am building a Rails template so I build it once and use for all my projects.
I think that people lean towards solutions such as Auth0 due to the lack of pre-made self-hosted solutions, and the need to move fast.
I am aslo in favor of owning your auth, but I understand that decent auth can be challenging to implement for some teams.
@strzibnyj Nice work with Business Class Kit. Is it Rails-exclusive, or people will be able to deploy it with Docker for instance and just consume its APIs?
It's just for Rails. The idea is not only self host but really adopt the code, that's why I don't use any private libraries. Of course people could use it to build a self-hosted Auth0, but I suspect that would still be some work ;)
Using Supabase which includes email/password and social login. They're currently working on supporting more enterprise options like saml, Openid connect, etc.
Have enjoyed using NextAuth in the past.
I’ve looked into it quite a bit. If django (my framework of choice) didn’t have good built in auth as well as packages for some extra things (social auth etc) then I probably would use auth0, but since it’s easy and I don’t have to rely on a third party I don’t really have a reason to use auth0.
Oh that's nice to know. Thanks!
I use Auth0 even though I'm capable of writing my own authentication system and have done on a few apps.
It's good value if your use cases mean you can stay on the free or developer plan. It can actually get expensive once you have more 'enterprise' needs though. I also find the documentation painful at times, security changes quickly, and some documentation (particularly related to specific SDKs/code examples) can often be out of date and doesn't always have a clear date on the article.
Other issue I have is migrating between environments, there is a lot of configuration and it's really hard to spin up a UAT and/or production instance off a dev tenant... I find myself manually copying many settings/configuration and it takes a while and is easy to miss things. Just today I was having to change email templates (e.g verification/change password), and a couple of 'rules' (code that runs after login) and I had to manually replicate across 3 environments... they do have a 'management API' which is likely there answer for many of the issues I have for moving things between environment, but I'd prefer it's built into the dashboard rather than having to write code to replicate things.
I used aadb2c. It's free for 50k users. Auth0 have better documentation (even for aadb2c)
Yes, I've been using Auth0 for several projects and it' does the job pretty well with good integration support for a number of frameworks and languages. Has a lot of features, most of which I don't use - I just want the JWTs for API auth.
I don't love that they were acquired by Okta, though.
I know many people who were very skeptical of Auth0 at first. Why do we need a third-party service here? We'd better write it ourselves. But if you look closely, Auth0 is a monster. It already has so much stuff stuffed in it, and so many different cases are provided. It's clear that in most projects, Auth0 is used for 20%. Here you have out of the box
And that's just the basics. You can do many things with Auth0, but you can't do it without reading the documentation for days unless you want to do some basic authentication.
Hi @ViktoriaInqoob thanks for your reply.
By mentioned some of the features Auth0 offers you've touched precisely on what led me to ask this question, I cannot imagined a product team being lean and focused on solving a business / opportunity o problem while working on a custom and reliable authentication / user management system.
There are libraries for this. Even in the niche language I've gotten into the last couple of years, Elixir, there are plenty of generators and libraries for doing all of these things.
I used Auth0 before and moved away from it, mostly for productivity reasons.
Our users authenticate using their face or fingerprint through an application or security key (Yubikey). HYPR is truly passwordless, so your users will never have to remember or manage a password for workstations or web apps again. Rather than implement a solution to protect the problem, it's easier to remove the problem altogether.
I am using firebase for authentication. But I am planning to soon move to Auth0.
As we at vadelabs are building API unification platform, we were integrating all authentication providers within our platform.
I just finished implementing auth for Sitefox, a ClojureScript web framework. It took a lot of work but hopefully it will save time for users of the library.
I've used devise (rails library) or nextauth (nextjs library) to implement authentication. In combination with postmark it takes maybe 3 hours of work to have authentication setup. Even if you're setting up oauth providers.
I'm amazed how many of you are using auth0. I tried it once but the synchronization of userdata seemed way more work than implementing Auth myself. I guess I'm missing something here. I don't see the value of Auth as a service. However, bundled as a backend as a service solution (like supabase, firebase, nhost) I can definitely see a lot of value there.
Sure, Auth0 or services like AWS Cognito have it all and it's great if you have the budget.
If you're looking for alternatives that can be run free forever and you're fine with self hosted infrastructure, it is worth checking out these alternatives:
I use Outseta. It also provides me with subscription billing, email marketing, chat, and a bunch of other useful stuff.
I've been working with oauth for a long time. And would say I'm a bit of an expert (its also not that hard to understand). But even still, I still use auth0 to do all my authentication because it is just one less thing that I have to do.
I've used auth0, okta, and cognito, and I personally prefer auth0 for B2C products. It has a lot of nice features that make things super easy.
When you think about it too, once someone logs in once they should stay in indefinitely until they log out. So customers won't spend very long on those pages so why waste time you don't need to when there are cheap solutions out there.
Auth0 is good. If you need a lot of enterprise grade features you can also check our FrontEgg.
Yes, I'm using firebase auth for two projects and it works very well so far for me.
If you're using Next.js for your web app, NextAuth is a super good option and I found it very easy to setup.
I want to try NextAuth, it seems simple. I'm using firebase currently and its been good, but it was tough to set up in next initially
I'd definitely recommend it, they also have a ton of providers which make it easy to integrate social logins such as Google, Twitter, GitHub, etc.
Happy Firebase user here. Firebase Auth is great. Used together with Firebase Database (Realtime or Firestore) it provides everything you need to authenticate and manage users, across web & mobile.
Hi @TheMattF, thanks for sharing your experience with Firebase Auth. If you don't mind, beyond username-password, do you provide any other auth mechanism to your users?
We use Twitter as a federated identity provider for Firebase Auth to let our users authenticate with their Twitter account. It's a bit more complex to implement but it works well.
I use it for one of my products. It has great libraries if your product is built on a JS based stack (node, react). I haven't had any real complaints about it.
That said, I recently built a new product on a Firebase stack using Firebase Auth and it was even simpler to wire up, if I'm being honest. I think for future products, unless I need absolute control over how data is stored and the tech used, I'll probably opt for Firebase going forward.
Sure, because I hate doing login forms again and again.
instead of trying to invent the wheel, my team was able to create cool working dashboard in just 3 months of work. and I'm proud because as Lazy Team Lead I was able to drop everything that was unnecessary and focus on important functionality.
we even don't have a database from beginning. I was like - "fuck it, I don't know right now what we should use, but we will figure it out later"
I really like your philosophy, there is no need to build auth every time a new product is being built. Is the dashboard you've created for internal use only?
we already had a dashboard, it was connected with our main product and codebase. but it was not secure, an outdated code... and our inner team of developers always tried to avoid fixing bugs, related to that part of the project.
by moving things out we accomplished a lot of goals. first of all, I show that it's cheap and easy to build an MVP that might move our workflows forward. Our team started to grow quickly and you need an automation in order to avoid mistakes that newbies can do.
< created for internal use only?
for use of 10-15 people
cc @ropesneer