24 Comments

How to deal with Authentication in SaaS Apps?

Hi Indie Hackers,

I'm struggling with a decision on the authentication system for an upcoming project (B2B SaaS) I'm working on. Here are the facts:

  • The stack is going to be Flask for the backend API and Vue for the frontend.
  • I need a logic for Users + Teams
  • I want to implement SSO in the future (Not in MVP)
  • Also I want to provide direct access to the API in the future (Not in MVP)

Now I'm thinking about Auth0 or some other services. What are your experiences with those kind of services and platforms? How did you integrate authentication in your Products?

  1. 7

    Skip traditional in-house username/email+password authentication for the MVP and go straight to use Google, Apple..etc OAuth authentication. This will save you a lot time, I wish I did this for my current project.

    I don't recommend you to use Auth0, you will waste a ton of time learning it and in my experience it's a pain in the ass if you have complex scenarios that are typical in B2B SaaS applications (e.g. accounts that have super-users and invited users).

  2. 4

    I implemented it myself using PassportJS, I think it's not hard and can be a cool learning experience.

    For the python ecosystem, you can use Authlib. But yeah, using Auth0 or Firebase will be faster if you don't have experience.

  3. 2

    Even skipping username+password and jumping straight to Google, Facebook, etc... OAuth is a good first step. But that can still be quite complex to get right. You'll also see suggestions to better handle this, and additionally longer sessions with large frameworks you need to install.

    One of the better things you can do is jump straight to integration with an auth provider. If this is just a learning experience, then using Firebase would be a good start. But if you are going for something more sustainable, you definitely want Auth0, Okta, or Authress.

  4. 2

    Firebase is stupidly easy for not just authentication, but database management as well. Firestore is a breeze.

  5. 2

    You can also consider using Django which comes with authentication built in, and it's pretty easy to add a Team model on top. You can load the Vue bundle in the template, and have sessions and auth work out of the box. You can still make internal APIs and also connect those to Vue.

    1. 2

      Agree with Django being an excellent choice with built-in auth and easy to add models, although if OP has never used Django before it may be overkill to learn Django just for the auth system.

      1. 1

        The main Django auth package is django-allauth. It's rather clunky but I've already gone down the rabbit hole. It's powerful and highly customizable, so it's worth the investment.

        I've just released an SSO add-on for it last week: https://github.com/HostedMetrics/django-allauth-sso

  6. 1

    I've used both Auth0 and Firebase at work.
    I found that Firebase was really easy to set up and I liked working with it but it lacked some of the authorization tools like groups/roles/permissions functionality that Auth0 had.
    Auth0 was a little more complicated and harder for me to "grasp" but in the end had the functionality that I needed. After the initial learning curve I like working with it.

  7. 1

    If you want something that you can set up extremely fast and you're already using AWS, try Cognito. You can grant tokens to users to use APIs of various AWS services like S3, provide auth for your own backend services, etc.

  8. 1

    I've used both Auth0 and Firebase Auth at work and for a side project before. Both are good options for basic use cases. Since you need teams, API access and SSO (Auth0 has this, not sure about Firebase), I doubt they will cater to all of them. You might end up writing a lot of custom logic to handle those cases.

    Disclaimer: We're building EasyAuth to address these exact problems and provide simpler tools for authentication and payments. DM me if you'd like to see if EasyAuth fits your requirement.

  9. 1

    JWT Access + Refresh Token.
    It's easy and safe (if implemented correctly of course)

  10. 1

    I use Auth0 for all my startups. I really like how easy it is to bolt on additional functionality. Also if you do ever go enterprise, it’s really nice knowing that all you have to do is upgrade your Auth0 account and you can plug right into Active Directory.

    I see a lot of people in this thread, and other threads complaining about Auth0 not having good support for teams. I think that’s just a misunderstanding, and Auth0 not being opinionated. It’s actually very easy to add teams, in my SaaS I just add a “TenantID” field to the app metadata. That accomplishes pretty much all of your team functionality with a tiny line of code.

    1. 1

      Is the pricing for Auth0 for enterprise SSO affordable? I saw on Auth0's page that only the Developer Pro account gets up to 3 enterprise IdP, and that's minimally $130/month - is that accurate?

      1. 1

        I actually thought it was even more expensive than that. However, if I take advantage of that functionality I plan on charging a minimum of $5,000 a month.

  11. 1

    In our boilerplate Flask/React we use JWT. You can check the open source here:
    https://github.com/saasforge/open-source-saas-boilerpate

    specifically the authentication module
    https://github.com/saasforge/open-source-saas-boilerpate/tree/master/src/modules/auth

    In my previous version Flask/Vue I implemented just Flask-login, based on sessions, pretty easy and out-of-box.

  12. 1

    I'm also building a B2B SaaS Product. I used PassportJS to authenticate (there's probably an equivalent library for Flask) and then issue the client both an access token and refresh token. I then use the Access Token / Refresh Token pattern to keep the user authenticated. If you go this route, this and this will help you understand the mechanics of the AT/RT pattern.

    I would not recommend using Auth0, due to your requirements around Users & Teams. I went down that rabbit-hole and I wasted a whole day on it.

    Another benefit here is that your client app is going to interact with your API using AT/RT the same way your future customers will when you open up API access to them. I believe this also sets you up to do SSO later on, but I haven't gotten there yet myself.
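The access/refresh token pattern mentioned in comments 9 and 12, with the per-tenant claim from comment 10, as an added example that is not code from the thread or from any poster. It assumes an HS256-style JWT signed with a server-side secret (placeholder value), opaque refresh tokens stored server-side only as hashes and rotated on every use, and a `tenant_id` claim that each request is checked against. Only the Python standard library is used so it runs as-is outside Flask; a real deployment would wire `issue_pair`/`rotate` behind login and refresh endpoints and back `RefreshStore` with a database.

```python
"""Access + refresh tokens with rotation and reuse detection (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"PLACEHOLDER-load-a-32-byte-random-secret-from-config"  # assumption
ACCESS_TTL = 15 * 60          # short-lived access token: 15 minutes
REFRESH_TTL = 30 * 24 * 3600  # refresh token lifetime: 30 days


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_access_token(user_id: str, tenant_id: str, now=None) -> str:
    """Sign {sub, tenant_id, iat, exp} as header.payload.signature (HS256)."""
    now = int(now if now is not None else time.time())
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_id, "tenant_id": tenant_id, "iat": now, "exp": now + ACCESS_TTL}
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_access_token(token: str, now=None):
    """Return the claims dict, or None if the token is malformed, tampered or expired."""
    now = int(now if now is not None else time.time())
    try:
        header, payload, sig = token.split(".")
        given_sig = _unb64(sig)
    except (ValueError, Exception):
        return None
    # The algorithm is pinned server-side; the header's alg field is never trusted.
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        return None
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize_request(token: str, url_tenant_id: str, now=None) -> bool:
    """Tenant scoping: the token's tenant must match the tenant the request targets."""
    claims = verify_access_token(token, now)
    return claims is not None and claims.get("tenant_id") == url_tenant_id


class RefreshStore:
    """In-memory stand-in for a DB table of refresh tokens (hash only, never the token).

    Every token belongs to a 'family' started at login. Rotation marks the old
    token used; presenting a used token again means it was copied, so the whole
    family is revoked and the user must log in again.
    """

    def __init__(self):
        self._rows = {}  # sha256(token) -> {user_id, tenant_id, family, exp, used}

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, tenant_id: str, family=None, now=None) -> str:
        now = int(now if now is not None else time.time())
        token = secrets.token_urlsafe(32)
        self._rows[self._h(token)] = {
            "user_id": user_id, "tenant_id": tenant_id,
            "family": family or secrets.token_hex(8),
            "exp": now + REFRESH_TTL, "used": False,
        }
        return token

    def issue_pair(self, user_id: str, tenant_id: str, now=None):
        """Called after a successful login: new family, fresh access + refresh token."""
        return make_access_token(user_id, tenant_id, now), self.issue(user_id, tenant_id, now=now)

    def revoke_family(self, family: str) -> None:
        for row in self._rows.values():
            if row["family"] == family:
                row["used"] = True

    def rotate(self, token: str, now=None):
        """Exchange a refresh token for a new (access, refresh) pair, or None on failure."""
        now = int(now if now is not None else time.time())
        row = self._rows.get(self._h(token))
        if row is None or row["exp"] <= now:
            return None
        if row["used"]:
            self.revoke_family(row["family"])  # replay detected: kill the whole family
            return None
        row["used"] = True
        new_refresh = self.issue(row["user_id"], row["tenant_id"], row["family"], now)
        return make_access_token(row["user_id"], row["tenant_id"], now), new_refresh
```

The client keeps the access token in memory and sends it as a bearer header; only the refresh endpoint ever sees the refresh token. Because the store holds just a hash, a leaked database dump does not yield usable refresh tokens, and because a rotated token is single-use, a stolen copy that is replayed after the legitimate client already used it locks the family rather than silently extending the session.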

  13. 1

    This comment was deleted 3 years ago.

    1. 1

      we started with this recently and then pivoted to firebase. but, yes, auth0 is usually really good!

  14. 10

    This comment was deleted 2 years ago.

    1. 2

      +1 on this. Firebase Auth took me about an hour to set up and integrate into my app.

      1. 1

        Do you also use firebase as a backend? I'm wondering how easy it is to use firebase only for authentication in like a rails or django website.

        1. 2

          I do use firebase firestore as backend. But I do my authentication using their javascript library in the client (SPA), so the backend doesn't matter in this case.

          If you want to do authentication from a server using rails or django, I'm not sure how that would work, but a quick google search yields these which may help:
          https://rubygems.org/gems/firebase-auth
          https://pypi.org/project/django-firebase-authentication/

          1. 1

            Interesting, so I guess firebase would handle everything related to Users instead of your database, it seems easy to use if I create a project from scratch using it.

            Tbh, I think in the future, it's probably best to just use firebase for everything on the backend.

            1. 1

              Firebase auth handles very little - it handles authentication and stores minimal user data including uid, email. Firestore then stores the rest of user data (e.g. user information, preferences, subscriptions etc.) referenced by uid. But really any database could house that data, it doesn't have to be firestore.

              I personally enjoy all of firebase. I think it's easy to use, and documentation is great. I like not having to worry about maintaining servers or scaling. But every app is different so you should figure out what you need to see if firebase is for you. My app is a client-side CRUD react app, and firebase is great for those.
