How do you manage auth for your SaaS?

That's exactly the question I asked myself a couple of weeks ago! I've worked as a pentester and if I learnt one thing it's this: implementing login forms yourself is extremely hard to get right. It's possible to make a mistake when integrating something like "login with Google", true, but it's almost certain that a custom login will be vulnerable to at least some kinds of attacks (i.e. horizontal brute force).

That's why if my goal was to let the greatest possible number of people sign-in to my app and I didn't want to spend my time on setting this up, I'd delegate this task to a company like Auth0.

And if I wanted something nearly free, but not so inclusive, I'd just add a bunch of "login with X" buttons. Depending on your needs, it may be an advantage to accept only those people who have active Google/FB/Apple/Twitter/Whatever accounts.

If I wanted to give at least some of my users something really cutting-edge, I'd pick Passkeys so that people can sign-in using biometrics (and get some pretty nice protection against phishing).

To sum it up, I believe the choice should be based on these factors:

• Will it be usable? Not everyone uses Facebook, for instance.
• Can I afford it money-wise? Some services get pretty expensive at a bigger scale.
• Can I afford it time-wise? Some things seem easy, versatile and cheap money-wise, but are super tricky to get right and end up costing tons of money, such as custom sign-up/sign-in forms.

Cheers!

For the most part, I just reuse code from my older projects. Depending on your language / framework there will be dozens of third party tools to get you up and running. To be honest, you could just use OAuth social logins like Google to make your life a bit easier (Don't have to worry about password storage / resetting).

I won't recommend using code from older projects - security and compliance is the biggest concern here.

Also, since you have started building SaaS, I would recommend using Password-free (at-least traditional passwords free) authentication.

There are many alternative authentications that you could use, like Magic Email Link, SSO, or maybe biometric (if it suit's your audience).

Tool - from my experience, I would recommend using authentication and user management tools - they take off the burden from your head and ensure convenience and security for both you and product consumers.

Maybe try using - https://mojoauth.com/

1- I always use code from older projects. Because creating your own framework takes weeks. So, if you are starting a ready framework which you are used to you will earn two weeks.
2- Absolutely yes, do not discovering America for the second time.
3- I use JWT mechanism, it is easy to Authorize and Authenticate requests with JWT. You can add roles to your JWT token and manage authorization.

In my opinion, reusing code you already have tested and validated is a great strategy to improve time to market. Why not? It would be the question for me. But not for authentication or authorization.

Regarding open source projects, it's probably more secure than creating your authentication and authorization mechanisms, but you have to consume tons of time in terms of regulatory concerts to adapt your procedures and infrastructure.

Last but not least, yes, Auth0 is worth it; at least for healthcare projects, I consider it a must. They are already certified for most healthcare regulations, like HIPAA or GDPR, so you could focus on your core business by delegating authentication and authorization responsibilities to a well-known provider. It's the equivalent of Google Cloud data Engine for data, also a must to be ready for production.

I'm working in the healthcare sector now, and I only conceive projects with Auth0. It's a relief to delegate something critical when creating your product confidently. This talking about security, but think about all the time you could need to integrate all the different auth mechanisms like Active directory or SAML

Best!

As an Indie hacker or a solo founder it's best to use something like firebase auth or supabase. It's because we already have so much to manage and managing authentication is not only a hassle but also a major security concern. I always try to delegate these kinds of task so that I can focus on the core functionality of my saas that makes me money.

Firebase Auth, NextJS, NextAuth the only choice

For NextJS, NextAuth the only choice

I use Firebase Auth.

I just use OAuth with GitHub atm, but will integrate with rodauth in the future to add a normal email/password login as well :)

I use Supabase Auth and I built a boilerplate for my company that we now use as the base for every project. It‘s available to everyone at https://supastarter.dev if you want to check it out 😊

In general I would highly advise against building authentication yourself. It’s a waste of time and you will probably not get it as good and secure as the available (and often free) solution there already are. After going through the pain of implementing auth. manually for 3-4 projects, I would never do it again since I know Supabase and Auth0. Clerk is also a nice option you can check out!

I've used FirebaseAuth, Auth0, and Okta in the past. Use firebase if your app is small and you don't expect too many roles or fine-grained permissions.

Go with Okta or Auth0 if you anticipate permission-based access, SSO etc.

Use some sort of authentication library is best, for example, if using Laravel you can use something like Sanctum.

Or NextJS you can use NextAuth.

Using a library that implements it for you is much better, more secure and easier than trying to implement something yourself.

I usually use Supabase Auth, since I’m already using Supabase for my DB, and it’s super easy to use. Recently discovered they released a lib of Auth UI components (JS) to make it even easier.

I’ve used Passport.JS on a project once because it was in the boilerplate I used. It’s fine and easy enough, but I’ve found I prefer Supabase Auth.

I started to implement Netlify Auth one time. I loved how easy it was. I would have stayed with it, but had to move my project to Vercel due to some other reasons.

I wanted to try Auth0, and might still one day. The one time I thought to try it, I decided the target audience might be uncomfortable being redirected to a 3rd party for auth since the niche isn’t inherently tech and they might not be familiar with Auth0.

I believe Auth0 is probably the easiest and most secure. But often I just reuse some of my code and do Magic Link through Supabase Auth to start with.

I use Firebase UI flow. Also, there is option to build your own UI with firebase SDK. When I build my next project I will just use boilerplate low code options like Firebase auth to quickly build. Some one has recently posted SaaSPegasus(https://www.saaspegasus.com/). I have not used it but it seems worth exploring.

clerk.dev

I'm definitely biased here - I'm the founder of PropelAuth (https://www propelauth.com). We typically work with B2B SaaS and have authentication and authorization features specially for B2B (organization management, invite flows, 2FA, and enterprise SSO/SAML). We also provide out of the box UIs to get you up and running as quickly as possible - feel free to DM me if you have any questions.

we are looking at using Keycloak on kubernetes

I put some of my thoughts here, looking more deeply at supabase and clerk: https://www.felixvemmer.com/blog/supabase-vs-clerk-dev-user-authentication-comparison/

Using IdentityServer4 we implemented the Auth system for my saas project.

When using Next.JS I prefer next-auth, otherwise I use Firebase auth.

Hi @ghoshbishakh!

The general consensus at the highest levels in the tech world is "Never build your own auth." I don't entirely agree with that, but I think it's build on very solid logic.

The line of thinking is, you're tackling a very difficult problem, and most people who try to implement their own methodology make mistakes.

That being said, things have changed in recent years where there are some reasonably strong open source options out there, which have had years to be vetted.

I have a heavy background in security (around 30 years), so I'm comfortable rolling my own in most cases.

However, if I was making something for the healthcare industry, I would most likely go with something like Auth0 until I could get an in-house team of experts who stayed on top of all of the latest in that space.

In other words, we run much lower risk by going with a company who is staffed out to constantly keep on top of that. However, if we're making a lot of money in the future, we potentially could shave off that extra little bit of risk of Auth0 being compromised by going in-house. But even then, it would greatly increase cost, and we'd have to choose very carefully, so it would be a choice to make carefully!

Best of luck on your SaaS product!

Authentication is very hard to build and manage, it is quite complex and security is keep changing. We have built a passwordless product with quick integration, you can check it out: mojoauth.com.

Let me know your feedback!