All this "if you're a front end dev" or a "backend dev" but in the end we forget it's far more convenient for the user to have all accounts linked in one place.
Cognito makes a lot of sense when you're in the AWS ecosystem. The IAM role integration alone is very useful in combination with API gateway. In those cases I wouldn't bother with your own authentication solution, it's too much work and you won't do a better job than Amazon.
totally agree with this take. It was a bit annoying to figure out, but I actually have been able to use Cognito/ID pools pretty much a la carte even when the project is otherwise outside the AWS ecosystem.
"You won't do a better job than amazon" this is actually wrong lol, one time we were testing cognito turns out you can't do certain amount of tokens per second and it blocks your account lmao we had to call amazon by phone it was a really annoying experience
You missed Azure Active Directory. Okta is very good and not as well known as it should be as well. OpenID Connect is hard, using a service that implements proper security is definitely worth the time and money (unless it's Auth0, that thing is too expensive).
Came through this blog after watching this video. Please take a look at how to implement passport with your current stack. jkettmann.com/authentication-and-authorization-with-graphql-and-passport/
I haven't fooled around with it in a few years now, but Auth0 was a complete PITA. API changes, scattered, incomplete (or very hard to navigate) documentation, etc, were some of the difficulties I encountered. Then they raised their pricing and it looks like they have continued to do so. Also, they had several examples, but my use cases never seemed to parallel what they offered and all of the implementations had to cover too many edge cases that required re-writing their wheel. I would be very interested in a revisit to this video after you have tried some implementations :) Also - have you tried dryer sheets for the mosquitos?
Client wants to use Cognito on an upcoming project. I’m not against it. Will be used with a GraphQL api but I don’t want to use amplify or appsync. Every mention I see of cognito graphql refers to those two. Do you think there’ll be any issues integrating into Apollo server backed by mongo?
Currently working on a similar architecture. If you can share your experience on how the AppSync was set up... for me the logic of some resolvers was a bit complicated and I ended up using Lambda functions. Now thinking if it could have been better with a normal Node.js Apollo server in Fargate. Would love to know your thoughts on the same.
@@cyrilgeorge7818 i ended up going with auth0 instead of cognito for that project. Was a headache to get working. If you use Amplify it works out the box though
Can't recommend Hydra. It's not very well documented and the maintainer is getting ahead of himself in asking for money in a way that if you ask him a question and don't understand what he wrote and ask a followup question he responds with something like "pay me". So keycloak it was. And you can see that the people who wrote and are writing keycloak know what is needed and what's good. It's written by people in the thick of the business and you can see that. Multiple realms, roles, role by client, groups, custom login flows. Good stuff. But Hydra is a bait and switch offer.
So after working with cognito and hearing about Auth0's prices I'd just rather do it myself. I don't have much experience as a dev in that regard but the impression they've left with me is they're not worth the effort. Cognito is very inflexible, poorly documented and kinda hard to use. Basic auth is fine. But the difficulty disproportionately grows faster than the complexity of what you wanna do. Worst part is what you're trying to do may genuinely be impossible. With your own auth you can put pieces together as you need
I agree with own authentication and again Auth0 is way too pricey at least for me, also never used it. But you are missing the most important thing about Cognito and its like, that is not just managing user email and password or just security. But they provide a fully customizable workflow for sign up, login, password reset, with their trusted email networks, spam and fraud filters. So yes it's worth considering them, instead of writing from scratch. However if you have enough experience with writing your own solution, that is a different thing. I won't use some node package to do such things, either I write my own or use Cognito.
@@CanosieLabs Exactly. When choosing any framework or library you have to be very careful because it's basically a marriage. Marry the wrong cloud service and you could lose millions and need one hell of a divorce team
Take the time to roll your own. It's worth the control and easy to do using frameworks / open source. I'm a msft.net guy and even Microsoft does a great job with identity services boilerplates. Auth0 is for the wannabe CTO who wants to brag about security riding their coattails. Services like this are too expensive when you actually have traction. What's the point of building a profitable app, just to give away a share of revenue? Only way I would use Auth0 or any other identity service is if forced into it by management.
I work at Auth0. I was a developer for 5 years before going the sales route. We absolutely do not sell user data. We’re not cheap but with the SLA and features we provide we’re absolutely worth the money. As for hackers we’ve never been hacked and are fully compliant with every certification on the market with the exception of FEDRAMP which we’re in the process of getting. I’m more than happy to chat developer to developer sometime about how we could improve. Please let me know!
yeah I do the same, but it also depends on the context like he said, if you are targeting mainly enterprise clients for example they might ask you for something like LDAP, OAuth, SSO auth with their existing identity management solution, and there you have the choice either to build an engine for that from django-registration (by extending it) or to use some existing package (maintained by other folks) or use something like Cognito or Firebase or any other stuff (self hosted or not). Those tools sometimes have so many different features like passwordless auth by default, SAML support, brute force monitoring etc... I am currently checking fusionauth.io
I am still going to write my own auth stuff. I'm into Enterprise stuff like building my own Enterprise, so details I'd like to control them... still great video as always brother
What do you think about Apple ID? They hide the user's e-mail. From the end user's point of view, it is more convenient to use just one Apple password instead of remembering/storing 100 passwords for all websites implementing auth on their own.
I think using a third party open source library is the answer if we need to build for millions of users, or Amazon Cognito if hundreds of thousands of users is considered big. auth0 seems like too pricey
The saying is "Don't roll your own crypto!" It's about not trying to create your own custom cryptography. Authentication should be done by the service creator, not by a third party, unless security is not really a concern, E.G. No personal details are stored and it's just supplying public information that are non legally binding materials.
I hate it when people recommend Auth0 without realising how expensive it is if you have a large user base.. You could probably build your own for less..
@@DarkoLuketic Wow that just got more complicated than I thought it was. FreeIPA: upstream for Red Hat Identity Management. Keycloak: upstream for Red Hat Single Sign-On. So... FreeIPA is like a Kerberos implementation?
There are mosquitos on your face!?! I can't hear what you're saying while watching bugs landing on your head (eg 1:43), how does it not drive you crazy?
why is it complicated lmao. I hate those companies. like literally it's hash password, compare password, send jwt or session in cookie. Done... it's an easy concept nothing complicated. yes there's more to it in some cases if you want to do something fancy like 2fa and such, but for most smes that's all it needs to be. Also just IMO, you can't call yourself a back-end developer if you can't write a simple login system. This is kind of why I'm not a big person on frameworks and things that do a lot of magic for me (spring boot).
"Done"... until you need to implement more auth flows and greater security, and there are tons of auth flows and security requirements that can come into play and should be applied. Even not supporting 2FA because the system was self-rolled and you don't have the resources to support an MFA integration to a home solution can be seen as a big security issue: users are left less secure because of the limitations of the approach originally taken and the limited resources you might have. Then you have Account Takeover/login attack prevention, CAPTCHA/Throttling/Account lockout, compromised-user-password detection, etc. etc.... the list goes on, and the more "home baked" you are, the more resources you need to expend to build the BE, UX, and FE for those features. It's a balance: customizing those same flows as they are supported by a 3p or open-source framework to fit your own app might require a lot of resources itself, but it behooves everyone to consider the features they give up (without extensive resources to support) when choosing to roll their own auth.
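Two of the features the reply above lists as missing from a "hash, compare, send a cookie" system are throttling and account lockout. The following is an added example, not code from any commenter on this page, showing what a minimal version of that policy looks like and why a per-account counter alone is not enough: it tracks wrong-password counts per account and all attempts per source IP, so a slow spray of one guess across many accounts is caught too. The policy numbers, account names and IP addresses are constructed for the example.

```python
import time
from collections import defaultdict, deque

# Policy values are constructed for this example; tune them for your own
# service. All times are in seconds.
MAX_FAILURES = 5        # wrong passwords before the account is locked
FAILURE_WINDOW = 300    # period over which failures are counted
LOCKOUT_SECONDS = 900   # how long a locked account refuses logins
IP_RATE_LIMIT = 20      # attempts per source IP per FAILURE_WINDOW, any account


class LoginGuard:
    """Tracks failed logins per account and all attempts per source IP.

    The per-account lockout blunts online guessing against one user; the
    per-IP cap blunts "password spraying" (one guess against many accounts),
    which a per-account counter alone never notices. `now` is injectable so
    the policy can be tested without sleeping.
    """

    def __init__(self, now=time.time):
        self.now = now
        self.failures = defaultdict(deque)     # account -> failure timestamps
        self.locked_until = {}                 # account -> unlock timestamp
        self.ip_attempts = defaultdict(deque)  # ip -> attempt timestamps

    @staticmethod
    def _prune(dq, cutoff):
        while dq and dq[0] < cutoff:
            dq.popleft()

    def check(self, account, ip):
        """Return (allowed, reason); call before doing the password check.
        The reason is for logs and metrics only: the HTTP response to the
        client should be the same generic failure in every case, or the
        lockout itself becomes a way to confirm which accounts exist."""
        t = self.now()
        self._prune(self.ip_attempts[ip], t - FAILURE_WINDOW)
        if len(self.ip_attempts[ip]) >= IP_RATE_LIMIT:
            return False, "ip_rate_limited"
        until = self.locked_until.get(account)
        if until is not None and t < until:
            return False, "account_locked"
        return True, "ok"

    def record(self, account, ip, success):
        """Record the outcome of an attempt that passed check()."""
        t = self.now()
        self.ip_attempts[ip].append(t)
        if success:
            # A correct password resets the counters for that account.
            self.failures.pop(account, None)
            self.locked_until.pop(account, None)
            return
        dq = self.failures[account]
        dq.append(t)
        self._prune(dq, t - FAILURE_WINDOW)
        if len(dq) >= MAX_FAILURES:
            self.locked_until[account] = t + LOCKOUT_SECONDS


def simulate(attempts, start=1_000_000.0):
    """Replay constructed (offset_seconds, account, ip, password_ok) events
    through a LoginGuard and return the decision made for each one. The
    password check itself is out of scope here, so password_ok is simply
    part of the constructed event."""
    clock = {"t": start}
    guard = LoginGuard(now=lambda: clock["t"])
    decisions = []
    for offset, account, ip, password_ok in attempts:
        clock["t"] = start + offset
        allowed, reason = guard.check(account, ip)
        if not allowed:
            decisions.append(reason)
            continue
        guard.record(account, ip, password_ok)
        decisions.append("ok" if password_ok else "bad_password")
    return decisions


# Constructed sample traffic (documentation IP ranges, invented accounts):
SAMPLE = (
    [(i * 10, "alice", "198.51.100.7", False) for i in range(5)]   # 5 guesses
    + [(60, "alice", "198.51.100.7", True)]    # right password, but now locked
    + [(61, "bob", "203.0.113.9", True)]       # unrelated user is unaffected
    + [(1000, "alice", "198.51.100.7", True)]  # lock expired, login succeeds
    + [(2000 + i, f"user{i}", "192.0.2.1", False) for i in range(21)]  # spray
)

if __name__ == "__main__":
    for event, decision in zip(SAMPLE, simulate(SAMPLE)):
        print(f"t+{event[0]:>5}s {event[1]:<7} {event[2]:<13} -> {decision}")
```

The in-memory deques are enough to show the logic; a real service with more than one instance keeps these counters in shared storage, and a lockout that an attacker can trigger on purpose is itself a denial-of-service lever, which is why the lockout here is time-limited rather than permanent.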
You wouldn’t believe how many companies spend millions each year on hiring developers for maintaining identification systems. It’s crazy. I’d love to share some data with you. Btw I work at Auth0
@@connorbrereton9016 that would be really great, I have used passport to implement authentication before and it didn't seem that difficult, hence the comment
Finally someone calling out Auth0 being confusing due to OAuth. Thank you!
Auth0 is the most expensive thing I've ever seen. Just yesterday I had a call with our CFO and 2 sales people from Auth0.
They wanted to charge us $500.000 per year. Essentially $1 per monthly active user per year.
And this price tag was already on a 66% discount. Usually they cost $3 per MAU per year (on the enterprise plan).
that’s actually ridiculous
At that point I'd rather risk a lawsuit by storing my users in a unencrypted text file :p
So that means you have over 40k MAU, so over 40k unique active users a month. It's like yeah $500k sounds like a lot of money, but hey for any app, service, system or whatever you call it with 40k MAU this should be a ridiculous amount of money. It should produce enough revenue to pay a single dollar per user a month (this should not be necessarily money revenue, but any other revenue the company defines). For sure you can develop your own auth system definitely cheaper than $500k, but there is more like future support, runtime support etc. and even a future proof law reason to use 3rd party software like this, u can transfer a responsibility for a potential data leak to the 3rd party in terms of possible cash fines etc. SaaS is a good thing don't be scared (and yes I know it's a 2 year old comment it just popped up in my feed and I needed to say that :D)
@@bartas139 Your assumption would be reasonable if all 40k MAU were paying customers. However the reality is/was different. Only a small fraction (single digit percentage) of them paid, the rest was happy with the free tier.
In contrast the offerings of AWS Cognito (which we went with (and totally regretted)) or GCP Firebase Auth are pennies per MAU.
@@philipptanlak what was your experience like with aws?
This was a good summary for the topic. You should do a video on some of the high-high-level of what it takes to setup a complete "secure" website/server. Lots of unknown unknowns that make me worried about trying to get a project going that has any kind of sensitive data.
Thanks for the shoutout Ben!
We are launching a cloud service for the whole Ory stack soon.
If you or anybody in the comments would like to test drive that, feel free to hit us up!
I’m really looking forward thanks
So do I, thanks!
I think we should be aware of things becoming commodities in the software industry. Then you can balance when to do it in-house, or when to buy it ready. For instance, you need to have MFA in your product. Buying an off-the-shelf solution will let the team focus on real customer value much quicker.
Auth0 and other managed services really shine where maintenance is involved in a project. They take care of trivial things at a fraction of your hourly rate so you can focus on features which actually matter.
4:00 fuck, that mosquito was hard to watch
put tiger balm on mosquito bites if they're itchy, works like a charm!
I was really doubting myself - is that a floating mole? hahahaha
I totally agree with you, we don't even know if they have their own implementation. Smaller ones maybe just use the same thing you would, but we must say that the ease of use is better.
If you pick the technology you use as a DEVELOPER by ease of use, you shouldn't be one.
Implementing the constantly evolving auth protocols requires a lot of time making sure you are keeping up with the latest security best practices. I also found auth0's definition of "active users" not too transparent and was especially fearful of setting up a website that allowed public registration for that matter. Personally I find that having an IAM like Keycloak available as a microservice is the best option in terms of cost/benefit and you are always free to choose between implementing custom auth on your projects or adding another realm to the IAM service.
was Keycloak pretty easy to setup?
@@bawad Surprisingly easy I would say. Especially given how much you get “out of the box”. SSO, notification system, two factor auth, OTP, all the flow regarding registration, resetting, revoking, RBAC, connecting 3rd party providers, changing jwt algorithm on the fly, key rotation and the list goes on… You can customize the form templates to fit each application design. And most of the configurations are just a matter of filling a few form controls and activating switches on the dashboard. Oh and you already have an API implemented (at least for nodejs) to manage most things programmatically. The only downside on the free version is that you won’t get updates & patches, meaning you have to “manually” keep up with the releases, which IMO in production you should already be doing: pinning down everything and carefully planning updates. If you haven't I would suggest giving it a spin. Hell that would even make good video material for your channel :)
cool, glad to hear that!
The risk of breaking GDPR or screwing up the authentication and getting hacked is just way too high for many businesses. Failing to meet GDPR is a maximum fine of £17.5 million or 4% of annual turnover, whichever is highest. This is a pretty big fine and I would not risk it just for a couple $$$ a month. Also it takes ages to code it yourself and then maintain that code. Why re-invent the wheel when these solutions exist and their sole focus is in protecting their customers, imo the costs and features of these managed services outweigh the cons and we should leave it to the experts and instead use our time more effectively.
can we just take a moment to appreciate Ben's camera quality? I could see the blood moving through the mosquito's straw
Great video on this, I have felt the same about most of the things you've said and like you try not to re-invent the wheel and just use what is out there. They spend a lot of money and time on these things so you would hope these are way better and more secure than what we could roll on our own. Thanks
I wouldn't say cost doesn't matter, some of these services can cost ~$20,000 a year as soon as you leave the (only really good for dev) free tier
Edit: didn't wait 15 seconds for the next bit :P
Pay 100s of dollars per month using auth services or implement it yourself in like less than 2 days (forms, functionality, login using JWT, register, forgot password using email as OTP medium, logout), auth services are literally waste of money for us because we are highly technical people, I think they are primarily really for non-technical people, but auth services are not no-code things, you still have to code to some extent. We've used auth0 and if you want to customize your pages you still need to code, and of course you have to keep track of the user login state so you have to decide whether to show the login page or allow the user to proceed, to me, it's not worth it paying so much.
I think those auth services are built to save resources for business.
With simple use cases, building your own auth system is easy.
However, there are a lot of auth methods like SSO, OAuth, 2FA, etc, which are much more complex than `username` and `password`. Without having experience, implementing those features will take developers a lot of time.
Developers are expensive. Using the auth services like Auth0 will save businesses tons of money and go to the market fast.
@@ngocoder senior devs will be able to implement 2FA relatively easily as well, it's quite literally the same concept as forgot password where you have to input the right code for you to be able to proceed, if you implement these yourself you would not need to pay 100s of dollars, not to mention that their implementation is not without flaw, as mentioned we've used auth0, and we encountered some problems while using it as well.
@@ngocoder exactly
I agree with him in regards to using open source software . . . and hosting it on your own server. Another thing he didn't cover is 2-factor authentication. I want to control how that 2-factor auth works. I'm strongly considering QR codes (with alternative text input).
Definitely agree with your point on user data. I do believe that using a battle-tested open-source library or managed service is more secure. For example, firebase uses memory-hard functions and salts to make hashed passwords hard to break. But most people hand-coding their own authentication system probably doesn't know about these things. It does take some effort/knowledge to harden an authentication system.
Exactly
Hashing & salting a password is like a few lines of code too.
@@kittymedusa3618 Bcrypt
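The comment above says Firebase uses memory-hard functions plus salts, and the reply says hashing and salting is a few lines of code. Both are true, and the following is an added example, not code from any commenter on this page, of those few lines done properly with Python's standard library. It uses scrypt, which is memory-hard and ships in hashlib, rather than bcrypt, which needs a third-party package. It shows the three things a hand-rolled version usually gets wrong: a per-password random salt, a constant-time comparison, and storing the cost parameters with the hash so they can be raised later. The cost parameters are constructed for the example and should be chosen from current guidance for your hardware.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed cost parameters for this example; n must be a power of two and
# memory use is roughly 128 * r * n bytes (16 MiB here). Raise them over time.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32
MAXMEM = 64 * 1024 * 1024  # hashlib needs headroom above 128 * r * n bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$n$r$p$salt_hex$hash_hex'.
    A fresh random salt per password means two users with the same
    password get different records, and a precomputed table is useless."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N,
                        r=SCRYPT_R, p=SCRYPT_P, maxmem=MAXMEM, dklen=KEY_BYTES)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record and compare in
    constant time, so a wrong guess cannot be timed byte by byte."""
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
        if algo != "scrypt":
            return False
        salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        n, r, p = int(n), int(r), int(p)
    except ValueError:  # malformed record: treat as a failed login
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                        maxmem=MAXMEM, dklen=len(stored))
    return hmac.compare_digest(dk, stored)


def needs_rehash(record: str) -> bool:
    """True when any stored parameter is below current policy. Call this
    after a successful login and re-hash with the plaintext you just
    verified; that is the only moment you can upgrade an old record."""
    _, n, r, p, *_ = record.split("$")
    return any(old < new for old, new in
               zip((int(n), int(r), int(p)), (SCRYPT_N, SCRYPT_R, SCRYPT_P)))


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("right password:", verify_password("correct horse battery staple", rec))
    print("wrong password:", verify_password("correct horse battery stable", rec))
```

Note what is deliberately absent: no pepper, no custom mixing, no hashing before the KDF. The strength comes entirely from the standard construction and its parameters, which is the sense in which "don't roll your own crypto" still applies even when you write the login code yourself.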
It is most likely always "... stored on someone else's server" (6:13), except if you operate your own server @home or in your own data center.
Kudos to the three mosquiteers
I like your thought process and that is what most big companies do.. they induce the fear to do business. like AWS sells AWS certificates to make you think that you lose if you don't have one, or Auth0 sells security threats to make you sign up for them. I think they should give a fair picture rather than a biased one for people to choose.
you can roll jwt auth in like an afternoon
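Rolling JWT auth yourself mostly means minting and verifying a signed token. The following is an added example, not the commenter's code, of an HS256 JWT issuer and verifier written with Python's standard library. Besides the signature it checks the two things that home-rolled verifiers most often skip: the algorithm is pinned on the server side instead of trusted from the token header, and `exp` is mandatory. The key and claims shown are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any token the verifier will not accept."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, ttl: int, now=None, **claims) -> str:
    """Mint a compact HS256 JWT: header.payload.signature, base64url encoded.
    `exp` is always set; a token without an expiry can never be retired."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl, **claims}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(key: bytes, token: str, now=None) -> dict:
    """Return the claims of a valid token, or raise TokenError."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64url(h))
        payload_bytes = _unb64url(p)
        signature = _unb64url(s)
    except ValueError:  # wrong part count, bad base64, bad JSON, non-ASCII
        raise TokenError("malformed token")
    # Pin the algorithm on the server side. Until the signature is checked the
    # header is untrusted input, so it must not get to choose how (or whether)
    # the token is verified.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    try:
        payload = json.loads(payload_bytes)
    except ValueError:
        raise TokenError("malformed payload")
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise TokenError("expired or missing exp")
    return payload


def is_valid(key: bytes, token: str, now=None) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_token(key, token, now)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-use-32-random-bytes-in-production"
    tok = issue_token(demo_key, "alice", ttl=300, now=1_700_000_000, role="admin")
    print(tok)
    print(verify_token(demo_key, tok, now=1_700_000_100))
```

Keep the TTL short: a JWT stays valid until `exp` no matter what happens to the account in the meantime, so logout, password change or a compromised session only take effect immediately if you also keep a server-side denylist or a short-lived token refreshed from a revocable session, which is the part of "an afternoon" that usually runs over.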
Self host auth is OK to not have lockin
Thanks! I scoured the internet, and I could not find content on this topic. DIY vs off the shelf authentication. Planning on doing the diy route, but seems a lot of companies are invested in getting developers to hand off this responsibility.
meh some are, you can convince a lot of them for good reason. I convinced my boss to drop auth0 after he found out that issuing jwt would cost us about 1k a month given our client base. I ended up writing the jwt auth system that hooks onto the legacy system and basically allows us to write micro-services now agnostic of our monolith code-base.
Yes, they want you to hand them everything and go from being a developer and knowing your stuff to becoming a consumer-plus.
Don't code, just buy product.
I am working on an app and faced this crossroads. I have setup my own Auth stuff on Node, but decided for my project to use Auth0 in the end. But, I can see where it's kinda hard to decide. I had a lot of people tell me not to roll my own.
Why not try Netlify Identity? Also, you can use their serverless service to make your api
@@andresmontoya7852 Because I need node server for a few things, like running websockets and stuff
@@SteelVoltagerpg oh, in that case you can use pusher, but anyway, have you tried third party services like auth0 or netlify identity? Could you tell me what you think about them?
@@andresmontoya7852 Have you tried actually learning your craft instead of having other people do the work for you? It's not hard to implement basic authentication.
This is the best documentary I've seen
Maybe a hybrid solution would be a finished docker container with the logic and database for identity and access with all the options you need, wouldn't it be great? You'd have it installed and except for the initial configurations everything comes finished and ready to go
A battle-hardened preconfigured Docker image with an Auth0-like service would be really winning.
I'm building out an enterprise SaaS app, and want to make sure that I'll be able to handle things like self-service account creation, corporate SSO, Google/Microsoft OAuth for the companies that use those, etc. Auth0 seems like the way to go. But I agree with the person who commented that Auth0's examples don't align with my needs. E.g., how can I set up my FastAPI back end to interact with an internal Postgres database, via SQLAlchemy, so that I can keep proprietary user data in sync with the users in Auth0? Where's the API I can use to provide administrative accounts for our customers to maintain their own users? How do I combine the authorization info in our back end and the users/roles info that is in Auth0 to generate JWT tokens that I can use to protect our FastAPI REST API, using `Depends` declarative security predicates in FastAPI? And how does that work with refresh tokens?
Toy Node.js examples are insufficient for real users of their service.
:-)
Watching in 2022, just delving into auth. Would be interested in a how to set up your own auth video/series.
Our use case is using people's social calendar to provide a unified dashboard for their events. Not sure if we should use a third party service.
Exactly, and also those ready-to-go solutions don't teach how authentication actually works. It seems like knowing one solution makes you stuck, and it's hard to implement it in a different environment. Now I want to know where I can learn how authentication actually works.
Glad you hung in there!
Does it not give anyone pause that passport is now listed as version 0.4.0? So if I use it and something goes wrong someone can come after me saying I'm not even using version 1.0.0 software. I suppose it does not matter since I use it at my risk anyway. But still I'm putting a LOT of trust in something that is not even version 1 yet.
tbh I've never looked at the version, just at the popularity
What do you guys think about firebase auth?
it's amazing and completely free
Well, thank you. I am currently building an authentication system xd
it's been 10 months have you finished your authentication system yet?
@@v01d_r34l1ty Yeah, finished it a long time ago. Almost 10 months :D
@@isurumaldeniya9536 Lol nice, more productive than me!
I really like your videos because you always help me clarify some concepts.
Just heard a presentation at university and this simple video is like 10x better hahahaha
Help studying computer science is just not gripping
Cognito is a bit different; its secondary use case is authentication directly to AWS for your users.
This video popped up the moment I was complementing how to use auth.
I suppose this video will really contemplate your knowledge of auth
All this "if you're a front end dev" or a "backend dev" but in the end we forget it's far more convenient for the user to have all accounts linked in one place.
Cognito makes a lot of sense when you're in the AWS ecosystem. The IAM role integration alone is very useful in combination with API gateway. In those cases I wouldn't bother with your own authentication solution, it's too much work and you won't do a better job than Amazon.
totally agree with this take. It was a bit annoying to figure out, but I actually have been able to use Cognito/ID pools pretty much a la carte even when the project is otherwise outside the AWS ecosystem.
It's not that hard to make your own auth, and Cognito has a lot of flaws; it's still kinda new.
"You won't do a better job than Amazon" is actually wrong lol. One time we were testing Cognito and it turns out you can't do a certain amount of tokens per second and it blocks your account lmao. We had to call Amazon by phone; it was a really annoying experience.
@@vinzer72frie It's not hard to implement our own auth; the hard part is maintenance.
Hey Ben! Can you also talk about how to share the authentication between different web applications
You missed Azure Active Directory. Okta is very good and not as well known as it should be as well. OpenID Connect is hard, using a service that implements proper security is definitely worth the time and money (unless it's Auth0, that thing is too expensive).
what's your take on Passport.js?
I like it, especially for social logins
Came across this blog after watching this video. Please take a look at how to implement Passport with your current stack: jkettmann.com/authentication-and-authorization-with-graphql-and-passport/
@@juancamiloq1 Hey thanks for the link, it was very helpful.
I haven't fooled around with it in a few years now, but Auth0 was a complete PITA. API changes and scattered, incomplete (or very hard to navigate) documentation, etc., were some of the difficulties I encountered. Then they raised their pricing, and it looks like they have continued to do so. Also, they had several examples, but my use cases never seemed to parallel what they offered, and all of the implementations had to cover too many edge cases that required re-writing their wheel.
I would be very interested in a revisit to this video after you have tried some implementations :)
Also - have you tried dryer sheets for the mosquitos?
Client wants to use Cognito on an upcoming project. I’m not against it. Will be used with a GraphQL api but I don’t want to use amplify or appsync. Every mention I see of cognito graphql refers to those two. Do you think there’ll be any issues integrating into Apollo server backed by mongo?
I think it should be doable but you might have to use examples in REST and apply them to GraphQL
Currently working in a similar architecture. If you can, share your experience on how the AppSync was set up. For me the logic of some resolvers was a bit complicated and I ended up using Lambda functions. Now thinking if it could have been better with a normal Node.js Apollo server in Fargate. Would love to know your thoughts on the same.
@@cyrilgeorge7818 I ended up going with Auth0 instead of Cognito for that project. It was a headache to get working. If you use Amplify it works out of the box though.
Why are Keycloak and Ory Hydra more private for developers?
Not sure about Ory, but with keycloak, you have to deploy it on your server and it uses your DB for storage.
I'm more of a front-end developer, but setting up an API in PHP for a MySQL database is easier and cheaper.
Can you make a video on setting up a Hydra container and connecting it to a regular CRUD app without auth?
When I try Hydra, sure.
Can't recommend Hydra. It's not very well documented, and the maintainer is getting ahead of himself in asking for money, in a way that if you ask him a question, don't understand what he wrote and ask a follow-up question, he responds with something like "pay me". So Keycloak it was. And you can see that the people who wrote and are writing Keycloak know what is needed and what's good. It's written by people in the thick of the business and you can see that. Multiple realms, roles, role by client, groups, custom login flows. Good stuff. But Hydra is a bait-and-switch offer.
Did you find out about the Hydra container and connecting it to a regular CRUD app without auth?
So after working with cognito and hearing about Auth0's prices I'd just rather do it myself. I don't have much experience as a dev in that regard but the impression they've left with me is they're not worth the effort. Cognito is very inflexible, poorly documented and kinda hard to use. Basic auth is fine. But the difficulty disproportionately grows faster than the complexity of what you wanna do. Worst part is what you're trying to do may genuinely be impossible.
With your own auth you can put pieces together as you need
Amen! My Brother.
How about FusionAuth, on your own server?
this was a great straight forward video
Thank you! That smile though😁.
I agree with own authentication, and again Auth0 is way too pricey, at least for me; also, I never used it. But you are missing the most important thing about Cognito and its like: it is not just managing user email and password or just security. They provide a fully customizable workflow for sign-up, login and password reset, with their trusted email networks, spam and fraud filters. So yes, it's worth considering them instead of writing from scratch. However, if you have enough experience with writing your own solution, that is a different thing. I won't use some Node package to do such things; either I write my own or use Cognito.
Could you show a tutorial on making authentication?
AWS Cognito: you can't export or back up your system's user data... Yuck.
Really? that is fucked up
Yeah so in their pricing model it should say: "THIS IS A LIFETIME CONTRACT"
That's the problem with these systems. You get vendor locked once you integrate with them!
@@CanosieLabs Exactly. When choosing any framework or library you have to be very careful because it's basically a marriage. Marry the wrong cloud service and you could lose millions and need one hell of a divorce team
That is exactly what AOL did with email contacts. I made a lot of money doing manual contact transfers for my customers, but felt dirty doing it.
Any open source IAM that is certified by OpenId Connect is good alternative. You don't need to pay for auth0
you should probably make videos on authentication and authorization so we can learn from you.
Auth0 sucks, Costs a lot! Huge target for hackers and storing user data you know they sell
What do you think about Netlify Identity, is it more expencive than auth0 or is better?
Take the time to roll your own. It's worth the control and easy to do using frameworks / open source. I'm a MSFT .NET guy, and even Microsoft does a great job with identity service boilerplates. Auth0 is for the wannabe CTO who wants to brag about security riding their coattails. Services like this are too expensive when you actually have traction. What's the point of building a profitable app, just to give away a share of revenue?
The only way I would use Auth0 or any other identity service is if forced into it by management.
Not to be that guy but do you have _any_ proof they sell userdata?
I work at Auth0. I was a developer for 5 years before going the sales route. We absolutely do not sell user data. We’re not cheap but with the SLA and features we provide we’re absolutely worth the money. As for hackers we’ve never been hacked and are fully compliant with every certification on the market with the exception of FEDRAMP which we’re in the process of getting.
I’m more than happy to chat developer to developer sometime about how we could improve. Please let me know!
@@connorbrereton9016 I hate your documentation so fucking much.
What about Clerkdev? Do you support that?
Right on ! Easy to do yourself.
I use django-registration/django allauth with DRF. Authentication is just one import away for me. All my auth needs are fulfilled by this library
Yeah, I do the same, but it also depends on the context, like he said. If you are targeting mainly enterprise clients, for example, they might ask you for something like LDAP, OAuth or SSO auth with their existing identity management solution, and there you have the choice to either build an engine for that from django-registration (by extending it), or use some existing package (maintained by other folks), or use something like Cognito or Firebase or any other stuff (self-hosted or not).
Those tools sometimes have so many different features, like passwordless auth by default, SAML support, brute-force monitoring, etc. I am currently checking fusionauth.io
IAM still going to write my own auth stuff I'm into Enterprise stuff like building my own Enterprise so details id like to control them...still great video as always brother
Haha he said IAM
Nice video bro, can you suggest any sources to set up our own OAuth2 server?
Do you recommend using passport with JWT?
sure
Hi. I'm a beginner in web development. Can you kindly explain to me what Authentication in react is?
do you still need an answer?
@@longisland1131 Thanks, but I don't code anymore.
@@gouldbenney2943 I'm curious to know why you don't code anymore
What do you think about Apple ID? They hide the user's e-mail. From the end user's point of view, it is more convenient to use just one Apple password instead of remembering/storing 100 passwords for all websites implementing auth on their own.
What about 2FA (without SMS/voice call) and WebAuthn?
Shooting outside for the light?
Hey ben, those were some precious points.
Btw, from where do i learn a solid authentication in node?
ua-cam.com/video/25GS0MLT8JU/v-deo.html
I use Ory Kratos which is open source.
2:29 an*
incentive starts with a vowel
I think using a third-party open source library is the answer if we need to build for millions of users, or Amazon Cognito if hundreds of thousands of users is considered big. Auth0 seems too pricey.
Or a self hosted service like Identity Server?
If you are an aspiring backend developer or a fullstack developer, the answer is no, it's not worth going with Auth0.
The saying is "Don't roll your own crypto!" It's about not trying to create your own custom cryptography.
Authentication should be done by the service creator, not by a third party, unless security is not really a concern, e.g. no personal details are stored and it's just supplying public information that is not legally binding material.
Isn't Firebase Google auth just free?
Great overview, thanks
0:49 yup..... -.-
I'm front end and I don't need a backend for a database or even auth for my web app!!
Oops, I was wrong. What a noob I was🤣
I hate it when people recommend Auth0 without realising how expensive it is if you have a large user base.. You could probably build your own for less..
You cannot unsee the 3 mosquitoes on his neck.... Poor man 👨
I can't unfeel them :(
So any of you here that can tell me HOW to build your own secure authentication?
Everyone here is a security expert now, including Ben hahaha
What do you suggest for Enterprise solutions? Should someone do it by himself? Would be nice to hear your opinion on this one also.
idk I guess it depends on the requirements
red hat's ... aw man what is it called again... FreeIPA is a lot more than just oidc but is also using oidc.
@@DarkoLuketic Wow that just got more complicated than I thought it was.
FreeIPA upstream for Red Hat Identity Management
Keycloak upstream for Red Hat Single Sign-On
So ... FreeIPA is like Kerberos implementation?
Yeah, Ory is awesme.
Do you have still the same opinion about it?
He just uploaded a video 2 days ago regarding the same.
What happened to php auth?
OAuth is an authorization method
There are mosquitos on your face!?! I can't hear what you're saying while watching bugs landing on your head (eg 1:43), how does it not drive you crazy?
Great video, but, I can't help but notice the mosquito that is draining your life force from 1:57 to 3:04...
But what about netlify i think its good
is there any one out there that could guide me on how to implement my own authentication flow from scratch ?😃
How are you just sitting there getting completely devoured?
Why is it complicated lmao. I hate those companies. Like literally it's hash password, compare password, send JWT or session in cookie. Done... it's an easy concept, nothing complicated. Yes, there's more to it in some cases if you want to do something fancy like 2FA and such, but for most SMEs that's all it needs to be.
Also, just IMO, you can't call yourself a back-end developer if you can't write a simple login system. This is kind of why I'm not big on frameworks and things that do a lot of magic for me (Spring Boot).
"Done"... until you need to implement more auth flows and greater security, and there are tons of auth flows and security requirements that can come into play and should be applied. Even not supporting 2FA because the system was self-rolled and you don't have the resources to support an MFA integration in a home solution can be seen as a big security issue: users are left less secure because of the limitations of the approach originally taken and the limited resources you might have. Then you have account takeover/login attack prevention, CAPTCHA/throttling/account lockout, compromised-user-password detection, etc. etc.... the list goes on, and the more "home baked" you are, the more resources you need to expend to build the BE, UX, and FE for those features. It's a balance: customizing those same flows as they are supported by a 3p or open-source framework to fit your own app might require a lot of resources itself, but it behooves everyone to consider the features they give up (without extensive resources to support) when choosing to roll their own auth.
Auth0 for the win. The name is definitely confused with OAuth though!! haha
OAuth vs. Auth0, what's what.
Just implement an open source authentication? Like OAuth2, it's so easy, why wouldn't you?
Would rather pay a freelance backend developer to implement this than pay Auth0 or AWS lol
I-I'm not insecure right now, you are.
who hires a developer just only for handling authentication?
You wouldn’t believe how many companies spend millions each year on hiring developers for maintaining identification systems. It’s crazy. I’d love to share some data with you. Btw I work at Auth0
@@connorbrereton9016 that would be really great, I have used passport to implement authentication before and it didn't seem that difficult, hence the comment
@@jemail8746 What's the best email to reach you on?
@@connorbrereton9016 jemailesmail@gmail.com
If you make your own api you can do almost everything no problem.
A mosquito is biting you on your neck... take care bro. Good information.
7:00 Wait for it