7
16 Comments

What's your Auth0 experience?

Hey there,

We are currently evaluating Auth0 and would really appreciate hearing about your Auth0 experience, especially if you are using rails. There have been a few posts about Auth0 on IH in the past, but they all lack details about actual implementations.

Background:
We are currently using the devise gem on Ruby on Rails. It's the default solution, battle tested, stable. However, it lacks quite a few bells and whistles we'd like to have, e.g.:

  • be able integrate with AD and Google Workspace as IdP
  • enable multiple types of 2FA (e.g. passwordless, webauthn, email)
  • manage users in teams/groups/customers/organizations (since we are building a B2B app)

We would like to implement teams, with or without Auth0 Organizations (ideally without first, since they have quite a high price point)

We do not want to go with a custom solution, or with extending devise ourselves, but want to treat auth like crypto or billing (i.e., don't roll your own).

I’d love to hear your experiences around building authentication using Auth0, specially for B2B apps with teams/groups of users.

We also couldn’t really find any code examples (besides a very simple sample app from Auth0), so if you have any production code that you can share this would be highly appreciated.

Thanks,
Jan

  1. 2

    Every single project I've used Auth0 on was considerably more work than just rolling my own. The problem is that Auth0 and similar all-encompassing solutions are very flexible and still require a lot of knowledge, not just about the domain but also their specific solution. Otherwise you won't have a secure system that behaves how you believe it does.

    A better option is use battle-tested libraries built at a slightly lower level of abstraction, keep conscious about what should and should not be possible in your system and build only the few features you need. Depending on the nature of your service, consider getting a security audit or putting up bouties on Hacker One.

    We do not want to go with a custom solution, or with extending devise ourselves, but want to treat auth like crypto or billing (i.e., don't roll your own).

    You should read what the creator of Devise thinks about this topic: https://dashbit.co/blog/a-new-authentication-solution-for-phoenix

    1. 2

      Thanks for the link, that was insightful.

      The problem I see coming is that we are currently using devise, but it simply is not B2B-y enough and we would prefer to hack on the core product, not fight SAML, SSO, all sorts of other auth-relevant topics for B2B. Libs like omniauth and others simply do not offer what we were hoping to find.

      We are indeed planning an audit and external certification, but the basic questions remains, outsource or not.

      In your project experience with Auth0 vs. rolling your own, did you roll your own B2B integrations, e.g. AD/LDAP/SAML/SSO etc...or were you focussed on B2C?

      1. 1

        It's been a pretty wide range. In most cases, it was pretty simple B2C stuff, in others it was SAML/SSO/etc and recently, I've encountered one where crypto-native (self-sovereign identity) auth was the default.

  2. 1

    I've used Auth0 in 2 companies so far including my current startup https://thefullstack.network/

    The best aspect of Auth0? You get going very fast with adding authentication to your app.
    They have tons of SDKS in most languages and many frameworks. Integration is a breeze. Developer docs are great. Plenty of great tutorials online if you google them. Auth0 has a great name in the developer community.

    If anything where Auth0 let me down is the backend admin app. Setting up and configuring it all is surprisingly confusing!

    Regarding B2B apps: Auth0 is more a Customer focused Identity Access Management tool. Not really for Enterprise employees. So it lacks there. Consider perhaps if B2B is your main goal investigating that further with Auth0. B2B is not their main focus. Buyer beware.

    Okta would I believe have more enterprise workforce auth management products.

    Also the reporting I.E. managing users etc a pain. The UX needs works. The search UX is lacking. It's a shame this areas lets them down in my opinion.
    Plus you need to ask yourself if it's worth it. Auth0 is not the cheapest.

    Good luck!

  3. 1

    I've been very happy with them so far.

    I haven't ventured much into the advanced AD or Google Workspace stuff or managing orgs. That stuff does indeed look a bit confusing like the others have said.

    I can speak to the overall experience of using them as a developer so far tough, and it has been buttery smooth. They have libraries that plug into Node.js/Express.js and React.js (for single page app configurations) super easily, and if I recall correctly I had basic auth setup in under 1-2 days.

    1. 1

      Their rails lib is not that bad either. Maybe I am just very biased, expecting that every company should have API documentation as good as Stripe's.

      So, you are only using the basic B2C functionality then?

      1. 1

        Yeah that's all I really needed. My app is B2B but I only really need the B2C features from Auth0 (as of right now)

  4. 1

    It is quite nice however their management api is not that well documented and webhooks is also not that nicely documented.

    1. 1

      Yeah, that's our experience as well. I was hoping somebody is as fed up as we are and published some code or better documentation elsewhere.

      1. 1

        I have been thinking about documenting my setup with the management api and webhooks if that would be of interest to you?

        1. 1

          I am sure it would not only be of interest to me! :)

          What frustrates us quite a bit that all blog posts and code sample we could find never went past the "This is how you start"-phase, so anything that goes beyond what is currently available would be highly appreciated.

          1. 1

            Yes I agree many blogs posts only cover the information rudimentary. I didn't find clear instructions for my use cases so I had to do additional research. I can give you some guidance directly. I think that will be faster than getting a blog post up if you would like to connect?

            1. 1

              This comment was deleted a month ago.

  5. 1

    I'm using auth0 and it's works pretty great for me(b2c and b2b use cases) :)

    They are really developer friendly unlike alot of auth solutions I was looking at, it takes a bit time to understand everything thing there but after you get in it's pretty easy to work with.

    1. 2

      We like it as well, but are pulling our hairs out due to the really bad documentation.

      How did you implement teams/companies in your B2B context? Are you using something like a customer_id in app_metadata? Or are you using Auth0 Organizations?

      Can you share any details, tips or tricks?

      1. 2

        I don't really get why you sad bad documentation it's pretty okay for me.

        So if we talk about B2B context and we have Company for example so we store on each user on user_metadata the companyId he is related to.

        You have rules which you can apply to the auth process for example https://auth0.com/rules/simple-domain-whitelist.

        https://auth0.com/docs/rules

        Feel free to contact me via any social channel so we can have better conversation if you like , will gladly help :)

        1. 1

          Thanks for the offer, I'll reach out to you.

Trending on Indie Hackers
Share your product or landing page, and I'll give you product design advice 63 comments Does anyone actually use productivity software? Which one? 29 comments Copywriting Examples — The world's best copy. In one place. 13 comments What did you work on this weekend? (Jan 15-16) 10 comments Working towards an MVP 9 comments Tips on growing a Slack app 4 comments