Should you Implement Authentication Yourself?

  • Published 24 Dec 2024

COMMENTS • 225

  • @stankokostic725
    @stankokostic725 3 years ago +112

    Finally someone calling out Auth0 being confusing due to OAuth. Thank you!

  • @philipptanlak
    @philipptanlak 4 years ago +90

    Auth0 is the most expensive thing I've ever seen. Just yesterday I had a call with our CFO and 2 sales people from Auth0.
    They wanted to charge us $500,000 per year. Essentially $1 per monthly active user per year.
    And this price tag was already on a 66% discount. Usually they cost $3 per MAU per year (on the enterprise plan).

    • @EZboyrocks
      @EZboyrocks 3 years ago +27

      that’s actually ridiculous

    • @bartinos3929
      @bartinos3929 1 year ago +13

      At that point I'd rather risk a lawsuit by storing my users in an unencrypted text file :p

    • @bartas139
      @bartas139 1 year ago +3

      So that means you have over 40k MAU, so over 40k unique active users a month. It's like, yeah, $500k sounds like a lot of money, but hey, for any app, service, system or whatever you call it with 40k MAU this should be a ridiculous amount of money. It should produce enough revenue to pay a single dollar per user a month (this should not necessarily be money revenue, but any other revenue the company defines). For sure you can develop your own auth system definitely cheaper than $500k, but there is more, like future support, runtime support etc. and even a future-proof legal reason to use 3rd party software like this: you can transfer responsibility for a potential data leak to the 3rd party in terms of a possible cash fine etc. SaaS is a good thing, don't be scared (and yes I know it's a 2-year-old comment, it just popped up in my feed and I needed to say that :D)

    • @philipptanlak
      @philipptanlak 1 year ago +7

      @@bartas139 Your assumption would be reasonable if all 40k MAU were paying customers. However the reality is/was different. Only a small fraction (single digit percentage) of them paid, the rest were happy with the free tier.
      In contrast the offerings of AWS Cognito (which we went with (and totally regretted)) or GCP Firebase Auth are pennies per MAU.

    • @meekdenzo7649
      @meekdenzo7649 1 year ago +5

      @@philipptanlak what was your experience like with aws?

  • @paulschneider7611
    @paulschneider7611 4 years ago +69

    This was a good summary for the topic. You should do a video on some of the high-high-level of what it takes to setup a complete "secure" website/server. Lots of unknown unknowns that make me worried about trying to get a project going that has any kind of sensitive data.

  • @ORYAcademy
    @ORYAcademy 3 years ago +57

    Thanks for the shoutout Ben!
    We are launching a cloud service for the whole Ory stack soon.
    If you or anybody in the comments would like to test drive that, feel free to hit us up!

    • @staplepin8099
      @staplepin8099 3 years ago +2

      I’m really looking forward thanks

    • @lvidalio
      @lvidalio 3 years ago

      So do I, thanks!

  • @seidenada526
    @seidenada526 4 years ago +16

    I think we should be aware of things becoming commodities in the software industry. Then you can balance when to do it in-house, or when to buy it ready. For instance, you need to have MFA in your product. Buying an off-the-shelf solution will let the team focus on real customer value much quicker.

  • @Web3_Club
    @Web3_Club 4 years ago +63

    Auth0 and other managed services really shine where maintenance is involved in a project. They take care of trivial things at a fraction of your hourly rate so you can focus on features which actually matter.

  • @guiquintelas
    @guiquintelas 5 years ago +66

    4:00 fuck, that mosquito was hard to watch

  • @nickwoodward819
    @nickwoodward819 5 years ago +76

    put tiger balm on mosquito bites if they're itchy, works like a charm!

    • @nclt1978
      @nclt1978 3 years ago +2

      I was really doubting myself - is that a floating mole? hahahaha

  • @ProgrammingwithPeter
    @ProgrammingwithPeter 5 years ago +10

    I totally agree with you, we don't even know if they have their own implementation. Smaller ones maybe just use the same thing you would, but we must say that the ease of use is better.

    • @Reichstaubenminister
      @Reichstaubenminister 3 years ago

      If you pick the technology you use as a DEVELOPER by ease of use, you shouldn't be one.

  • @SERV007
    @SERV007 5 years ago +6

    Implementing the constantly evolving auth protocols requires a lot of time making sure you are keeping up with the latest security best practices. I also found auth0's definition of "active users" not too transparent and was especially fearful of setting up a website that allowed public registration for that matter. Personally I find that having an IAM like Keycloak available as a microservice is the best option in terms of cost/benefit and you are always free to choose between implementing custom auth on your projects or adding another realm to the IAM service.

    • @bawad
      @bawad 5 years ago

      was Keycloak pretty easy to setup?

    • @SERV007
      @SERV007 5 years ago +1

      @@bawad Surprisingly easy I would say. Especially given how much you get “out of the box”. SSO, notification system, two factor auth, OTP, all the flow regarding registration, resetting, revoking, RBAC, connecting 3rd party providers, changing jwt algorithm on the fly, key rotation and the list goes on… You can customize the form templates to fit each application design. And most of the configurations are just a matter of filling a few form controls and activating switches on the dashboard. Oh and you already have an API implemented (at least for nodejs) to manage most things programmatically. The only downside on the free version is that you won’t get updates & patches, meaning you have to “manually” keep up with the releases, which IMO in production you should already be doing by pinning down everything and carefully planning updates. If you haven't I would suggest giving it a spin. Hell, that would even make good video material for your channel :)

    • @bawad
      @bawad 5 years ago

      cool, glad to hear that!

  • @dandogamer
    @dandogamer 3 years ago +9

    The risk of breaking GDPR or screwing up the authentication and getting hacked is just way too high for many businesses. Failing to meet GDPR is a maximum fine of £17.5million or 4% annual turnover whichever is highest. This is a pretty big fine and I would not risk it just for a couple $$$ a month. Also it takes ages to code it yourself and then maintain that code. Why re-invent the wheel when these solutions exist and their sole focus is in protecting their customers, imo the costs and features of these managed services outweigh the cons and we should leave it to the experts and instead use our time more effectively.

  • @ozdagap1809
    @ozdagap1809 3 years ago +7

    can we just take a moment to appreciate Ben's camera quality? I could see the blood moving through the mosquito's straw

  • @causecaos
    @causecaos 5 years ago +5

    Great video on this, I have felt the same about most of the things you've said and like you try not to re-invent the wheel and just use what is out there. They spend a lot of money and time on these things so you would hope these are way better and more secure than what we could roll on our own. Thanks

  • @Tiddle_s
    @Tiddle_s 3 years ago +6

    I wouldn't say cost doesn't matter, some of these services can cost ~$20,000 a year as soon as you leave the (only really good for dev) free tier
    Edit: didn't wait 15 seconds for the next bit :P

  • @aprilmintacpineda2713
    @aprilmintacpineda2713 3 years ago +3

    Pay 100s of dollars per month using auth services, or implement it yourself in less than 2 days (forms, functionality, login using JWT, register, forgot password using email as the OTP medium, logout). Auth services are literally a waste of money for us because we are highly technical people; I think they are primarily for non-technical people, but auth services are not no-code things, you still have to code to some extent. We've used auth0 and if you want to customize your pages you still need to code, and of course you have to keep track of the user login state so you have to decide whether to show the login page or allow the user to proceed. To me, it's not worth paying so much.

    • @ngocoder
      @ngocoder 1 year ago +1

      I think those auth services are built to save resources for business.
      With simple use cases, building your own auth system is easy.
      However, there are a lot of auth methods like SSO, Oauth, 2FA, etc, which are much more complex than `username` and `password`. Without having experience, implementing those features will take developers a lot of time.
      Developers are expensive. Using the auth services like Auth0 will save businesses tons of money and go to the market fast.

    • @aprilmintacpineda2713
      @aprilmintacpineda2713 1 year ago

      @@ngocoder senior devs will be able to implement 2FA relatively easily as well, it's quite literally the same concept as forgot password where you have to input the right code for you to be able to proceed, if you implement these yourself you would not need to pay 100s of dollars, not to mention that their implementation is not without flaw, as mentioned we've used auth0, and we encountered some problems while using it as well.
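Both comments above treat the e-mailed forgot-password code and the second-factor code as the same mechanism: generate a code, deliver it out of band, accept the right one once. The block below is an added example (mine, not either commenter's code) of that mechanism for the forgot-password case, written so the usual mistakes are visible by their absence: only a keyed hash of the code is stored, the code expires, it is single-use, wrong guesses are capped because a 6-digit space is small, and the comparison is constant-time. The in-memory store, the code length, the 10-minute lifetime, the 5-attempt cap and the pepper value are assumptions made for this example, not anyone's product defaults.

```python
"""Added example: e-mailed one-time reset code, stored hashed, expiring, single-use.
Not from the video or any commenter; store, lengths and limits are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_DIGITS = 6            # assumed
CODE_TTL_SECONDS = 600     # assumed: 10 minutes
MAX_ATTEMPTS = 5           # assumed: 5 wrong guesses out of a 1,000,000-code space
SERVER_PEPPER = b"example-only-pepper"  # assumed; in practice kept outside the database


@dataclass
class PendingReset:
    code_hash: bytes     # only the keyed hash is stored, never the code itself
    expires_at: float
    attempts: int = 0


class ResetCodes:
    """In-memory stand-in for the table a real app would keep these rows in."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._pending: Dict[str, PendingReset] = {}

    @staticmethod
    def _hash(user_id: str, code: str) -> bytes:
        # Keyed and bound to the user: a leaked table can't be replayed across accounts.
        msg = f"{user_id}:{code}".encode("utf-8")
        return hmac.new(SERVER_PEPPER, msg, hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh code for user_id and return it for delivery by e-mail.
        Re-issuing replaces any earlier code, so older e-mails stop working."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[user_id] = PendingReset(
            code_hash=self._hash(user_id, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code

    def redeem(self, user_id: str, code: str) -> bool:
        """True exactly once: right code, before expiry, within the attempt cap."""
        entry = self._pending.get(user_id)
        if entry is None or self._clock() > entry.expires_at:
            self._pending.pop(user_id, None)
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            self._pending.pop(user_id, None)   # brute force on a 6-digit space: invalidate
            return False
        if not hmac.compare_digest(self._hash(user_id, code), entry.code_hash):
            return False
        self._pending.pop(user_id)             # consumed: the same code never works twice
        return True


if __name__ == "__main__":
    store = ResetCodes()
    sent = store.issue("alice")               # this is what the e-mail would carry
    print(store.redeem("alice", sent))        # True
    print(store.redeem("alice", sent))        # False: already used
```

The endpoint that calls issue() should respond identically whether or not the address exists, otherwise it becomes a user-enumeration oracle, and the code must go only to the address already on file, never to one supplied in the same request.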

    • @Vicsory
      @Vicsory 3 days ago

      @@ngocoder exactly

  • @caLLLendar
    @caLLLendar 4 years ago +4

    I agree with him in regards to using open source software . . . and hosting it on your own server. Another thing he didn't cover is 2-factor authentication. I want to control how that 2-factor auth works. I'm strongly considering QR codes (with alternative text input).

  • @xinpingzhang4506
    @xinpingzhang4506 4 years ago +8

    Definitely agree with your point on user data. I do believe that using a battle-tested open-source library or managed service is more secure. For example, firebase uses memory-hard functions and salts to make hashed passwords hard to break. But most people hand-coding their own authentication system probably don't know about these things. It does take some effort/knowledge to harden an authentication system.

  • @AnsgarHugo
    @AnsgarHugo 3 years ago +1

    It is most likely always "... stored on someone else's server" (6:13), except if you operate your own server @home or in your own data center.

  • @z-aru
    @z-aru 5 years ago +14

    Kudos to the three mosquiteers

  • @amareshsat
    @amareshsat 3 years ago +1

    I like your thought process and that is what most big companies do.. they induce fear to do business. Like AWS sells AWS certificates to make you think that you lose if you don't have one, or Auth0 sells security threats to make you sign up for them. I think they should give a fair picture rather than a biased one for people to choose.

  • @boot-strapper
    @boot-strapper 4 years ago +13

    you can roll jwt auth in like an afternoon
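An afternoon is about right for the happy path; most of the real work is in what the verifier refuses. The block below is an added example, not the commenter's code and not any library's: HS256 JWT minting and verification built from the primitives so that the refusals are explicit. The algorithm is pinned in the verifier rather than read from the token header (so alg=none and key-confusion tokens are rejected), the signature is checked in constant time before the claims are even parsed, and exp, nbf and iss are enforced with a small leeway. SECRET, ISSUER and the claim set are assumptions made for this example; forge_alg_none builds the token an attacker would send to a verifier that trusts the header.

```python
"""Added example: HS256 JWT mint/verify from scratch, with the refusals spelled out.
Not from the video or any commenter; SECRET, ISSUER and claims are assumptions."""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

SECRET = b"example-only-secret: use 32+ random bytes from os.urandom in production"  # assumed
ISSUER = "https://auth.example.test"   # assumed issuer, not a real service
ALG = "HS256"                          # pinned: the verifier never lets the token choose


class TokenError(Exception):
    """Raised for any reason a token must be rejected."""


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(obj: Dict[str, Any]) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def _sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def mint_token(sub: str, secret: bytes = SECRET, ttl: int = 900,
               now: Optional[int] = None) -> str:
    """Issue a short-lived access token for subject `sub`."""
    now = int(time.time()) if now is None else now
    header = {"alg": ALG, "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "iat": now, "exp": now + ttl}
    signing_input = f"{_encode(header)}.{_encode(claims)}"
    return f"{signing_input}.{_b64url(_sign(signing_input, secret))}"


def verify_token(token: str, secret: bytes = SECRET, now: Optional[int] = None,
                 leeway: int = 30) -> Dict[str, Any]:
    """Signature first, claims second. Raises TokenError with the reason."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        sig = _unb64url(sig_b64)
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed token")
    # Refuse anything but the pinned algorithm: covers alg=none and RS256->HS256 confusion.
    if not isinstance(header, dict) or header.get("alg") != ALG:
        raise TokenError("unexpected alg")
    if not hmac.compare_digest(sig, _sign(f"{header_b64}.{claims_b64}", secret)):
        raise TokenError("bad signature")
    try:
        claims = json.loads(_unb64url(claims_b64))   # only parsed once authenticated
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed claims")
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER or "sub" not in claims:
        raise TokenError("wrong issuer or missing subject")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + leeway:
        raise TokenError("expired")
    if "nbf" in claims and now + leeway < claims["nbf"]:
        raise TokenError("not yet valid")
    return claims


def token_status(token: str, secret: bytes = SECRET, now: Optional[int] = None) -> str:
    """'ok' or the rejection reason, for callers that prefer a value to an exception."""
    try:
        verify_token(token, secret, now)
        return "ok"
    except TokenError as err:
        return str(err)


def forge_alg_none(token: str, **overrides: Any) -> str:
    """The classic attack on a verifier that trusts header['alg']: rewrite the
    claims, declare alg=none and send an empty signature."""
    _, claims_b64, _ = token.split(".")
    claims = json.loads(_unb64url(claims_b64))
    claims.update(overrides)
    return f"{_encode({'alg': 'none', 'typ': 'JWT'})}.{_encode(claims)}."


if __name__ == "__main__":
    tok = mint_token("user-42")
    print(token_status(tok))                                   # ok
    print(token_status(forge_alg_none(tok, sub="admin")))      # unexpected alg
```

What this deliberately leaves out is also part of the afternoon: a kid header and key table for rotation, revocation (or lifetimes short enough that refresh tokens carry the revocable state), and keeping the signing secret out of the repository.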

  • @Techonsapevole
    @Techonsapevole 5 years ago +10

    Self host auth is OK to not have lockin

  • @habibmkhan
    @habibmkhan 4 years ago +9

    Thanks! I scoured the internet, and I could not find content on this topic. DIY vs off the shelf authentication. Planning on doing the diy route, but seems a lot of companies are invested in getting developers to hand off this responsibility.

    • @abeplus7352
      @abeplus7352 4 years ago +3

      meh some are, you can convince a lot of them for good reason. I convinced my boss to drop auth0 after he found out that issuing JWTs would cost us about 1k a month given our client base. I ended up writing the jwt auth system that hooks onto the legacy system and basically allows us to write micro-services now agnostic of our monolith code-base.

    • @Reichstaubenminister
      @Reichstaubenminister 3 years ago

      Yes, they want you to hand them everything and go from being a developer and knowing your stuff to becoming a consumer-plus.
      Don't code, just buy product.

  • @SteelVoltagerpg
    @SteelVoltagerpg 5 years ago +8

    I am working on an app and faced this crossroads. I have setup my own Auth stuff on Node, but decided for my project to use Auth0 in the end. But, I can see where it's kinda hard to decide. I had a lot of people tell me not to roll my own.

    • @andresmontoya7852
      @andresmontoya7852 5 years ago

      Why not try Netlify Identity? Also, you can use their serverless service to make your api

    • @SteelVoltagerpg
      @SteelVoltagerpg 5 years ago

      @@andresmontoya7852 Because I need node server for a few things, like running websockets and stuff

    • @andresmontoya7852
      @andresmontoya7852 5 years ago

      @@SteelVoltagerpg oh, in that case you can use pusher, but anyway, have you tried third party services like auth0 or netlify identity? Might you tell me what you think about them?

    • @Reichstaubenminister
      @Reichstaubenminister 3 years ago

      @@andresmontoya7852 Have you tried actually learning your craft instead of having other people do the work for you? It's not hard to implement basic authentication.

  • @sky_kryst
    @sky_kryst 3 years ago

    This is the best documentary I've seen

  • @jkim17080
    @jkim17080 4 years ago +4

    Maybe a hybrid solution would be a finished docker container with the logic and database for identity and access with all the options you need, wouldn't it be great? You'd have it installed and except for the initial configurations everything comes finished and ready to go

    • @RaymondPeckIII
      @RaymondPeckIII 1 year ago

      A battle-hardened preconfigured Docker image with an Auth0-like service would be really winning.
      I'm building out an enterprise SaaS app, and want to make sure that I'll be able to handle things like self-service account creation, corporate SSO, Google/Microsoft OAuth for the companies that use those, etc. Auth0 seems like the way to go. But I agree with the person who commented that Auth0's examples don't align with my needs. E.g., how can I set up my FastAPI back end to interact with an internal Postgres database, via SQLAlchemy, so that I can keep proprietary user data in sync with the users in Auth0? Where's the API I can use to provide administrative accounts for our customers to maintain their own users? How do I combine the authorization info in our back end and the users/roles info that is in Auth0 to generate JWT tokens that I can use to protect our FastAPI REST API, using `Depends` declarative security predicates in FastAPI? And how does that work with refresh tokens?
      Toy Node.js examples are insufficient for real users of their service.
      :-)

  • @a1-x-yt
    @a1-x-yt 2 years ago +1

    Watching in 2022, just delving into auth. Would be interested in a how to set up your own auth video/series.

  • @naehalmulazim
    @naehalmulazim 10 months ago

    Our use case is using people's social calendar to provide a unified dashboard for their events. Not sure if we should use a third party service.

  • @maxkosh4839
    @maxkosh4839 1 year ago

    Exactly, also those ready-to-go solutions don't teach how authentication actually works. Seems like knowing one solution makes you stuck, and it's hard to implement it in a different environment. Now I want to know where I can learn how authentication actually works..

  • @eleah2665
    @eleah2665 5 years ago +5

    Glad you hung in there!
    Does it not give anyone pause that passport is now listed as version 0.4.0? So if I use it and something goes wrong someone can come after me saying I'm not even using version 1.0.0 software. I suppose it does not matter since I use it at my risk anyway. But still I'm putting a LOT of trust in something that is not even version 1 yet.

    • @bawad
      @bawad 5 years ago +4

      tbh I've never looked at the version, just at the popularity

  • @chrisvouga8832
    @chrisvouga8832 4 years ago +8

    What do you guys think about firebase auth?

    • @beginadobe
      @beginadobe 3 years ago

      it's amazing and completely free

  • @isurumaldeniya9536
    @isurumaldeniya9536 4 years ago +22

    Well, thank you. I am currently building an authentication system xd

    • @v01d_r34l1ty
      @v01d_r34l1ty 3 years ago +2

      it's been 10 months have you finished your authentication system yet?

    • @isurumaldeniya9536
      @isurumaldeniya9536 3 years ago +4

      @@v01d_r34l1ty ya finished it a long time ago. Almost 10 months :D

    • @v01d_r34l1ty
      @v01d_r34l1ty 3 years ago +3

      @@isurumaldeniya9536 Lol nice, more productive than me!

  • @yomaru_1999
    @yomaru_1999 4 years ago +1

    I really like your videos because you always help me clarify some concepts.

  • @road2nohand
    @road2nohand 3 years ago

    Just heard a presentation at university and this simple video is like 10x better hahahaha
    Help studying computer science is just not gripping

  • @NicholasGriffintn
    @NicholasGriffintn 3 years ago +1

    cognito is a bit different, its secondary use case is authentication directly to aws for your users.

  • @theonewhowil
    @theonewhowil 3 years ago +5

    This video popped up the moment I was complementing how to use auth.

    • @praveen25
      @praveen25 3 years ago +4

      I suppose this video will really contemplate your knowledge of auth

  • @rotselserv
    @rotselserv 4 years ago +15

    All this "if you're a front end dev" or a "backend dev" but in the end we forget it's far more convenient for the user to have all accounts linked in one place.

  • @Cenot4ph
    @Cenot4ph 5 years ago +4

    Cognito makes a lot of sense when you're in the AWS ecosystem. The IAM role integration alone is very useful in combination with API gateway. In those cases I wouldn't bother with your own authentication solution, it's too much work and you won't do a better job than Amazon.

    • @iandaley2295
      @iandaley2295 5 years ago

      totally agree with this take. It was a bit annoying to figure out, but I actually have been able to use Cognito/ID pools pretty much a la carte even when the project is otherwise outside the AWS ecosystem.

    • @vinzer72frie
      @vinzer72frie 4 years ago

      It's not that hard to make your own auth, and cognito has a lot of flaws, it's still kinda new

    • @vinzer72frie
      @vinzer72frie 4 years ago

      "You won't do a better job than amazon" this is actually wrong lol, one time we were testing cognito and it turns out you can't do a certain amount of tokens per second and it blocks your account lmao, we had to call amazon by phone, it was a really annoying experience

    • @phamtuan1840
      @phamtuan1840 2 years ago

      @@vinzer72frie it's not hard to implement our own auth, the hard part is maintenance.

  • @ayeshaiftikhar338
    @ayeshaiftikhar338 3 years ago +2

    Hey Ben! Can you also talk about how to share the authentication between different web applications

  • @carlosjosejimenezbermudez9255
    @carlosjosejimenezbermudez9255 3 years ago +1

    You missed Azure Active Directory. Okta is very good and not as well known as it should be as well. OpenID Connect is hard, using a service that implements proper security is definitely worth the time and money (unless it's Auth0, that thing is too expensive).

  • @DanteS7
    @DanteS7 5 years ago +8

    what's your take on Passport.js?

    • @bawad
      @bawad 5 years ago +9

      I like it, especially for social logins

    • @juancamiloq1
      @juancamiloq1 5 years ago +2

      Came through this blog after watching this video. Please take a look at how to implement passport with your current stack. jkettmann.com/authentication-and-authorization-with-graphql-and-passport/

    • @ThatGuyAnonymous
      @ThatGuyAnonymous 4 years ago

      @@juancamiloq1 Hey thanks for the link, it was very helpful.

  • @willcalltickets
    @willcalltickets 5 years ago +1

    I haven't fooled around with it in a few years now, but Auth0 was a complete PITA. Api changes, scattered, incomplete (or very hard to navigate) documentation, etc, were some of the difficulties I encountered. Then they raised their pricing and it looks like they have continued to do so. Also, they had several examples, but my use cases never seemed to parallel what they offered and all of the implementations had to cover too many edge cases that required re-writing their wheel.
    I would be very interested in a revisit to this video after you have tried some implementations :)
    Also - have you tried dryer sheets for the mosquitos?

  • @elie2222
    @elie2222 4 years ago +1

    Client wants to use Cognito on an upcoming project. I’m not against it. Will be used with a GraphQL api but I don’t want to use amplify or appsync. Every mention I see of cognito graphql refers to those two. Do you think there’ll be any issues integrating into Apollo server backed by mongo?

    • @bawad
      @bawad 4 years ago +1

      I think it should be doable but you might have to use examples in REST and apply them to GraphQL

    • @cyrilgeorge7818
      @cyrilgeorge7818 4 years ago

      Currently working in a similar architecture. If you can, share your experience on how the appsync was set up. For me the logic of some resolvers was a bit complicated and I ended up using lambda functions. Now thinking if it could have been better with a normal nodejs apollo server in fargate. Love to know your thoughts on the same.

    • @elie2222
      @elie2222 4 years ago +2

      @@cyrilgeorge7818 i ended up going with auth0 instead of cognito for that project. Was a headache to get working. If you use Amplify it works out the box though

  • @sineadward5225
    @sineadward5225 4 years ago +2

    Why are Keycloak and Ory Hydra more private for developers?

    • @dejfcold
      @dejfcold 4 years ago

      Not sure about Ory, but with keycloak, you have to deploy it on your server and it uses your DB for storage.

  • @SamarthCat
    @SamarthCat 3 years ago +1

    I'm more of a front end developer, but setting up an api in PHP for a mysql database is easier and cheaper

  • @cunningham.s_law
    @cunningham.s_law 5 years ago +2

    can you make a video on setting up a hydra container and connecting it to a regular crud app without auth

    • @bawad
      @bawad 5 years ago +1

      when I try hydra, sure

    • @DarkoLuketic
      @DarkoLuketic 4 years ago +2

      Can't recommend Hydra. It's not very well documented and the maintainer is getting ahead of himself in asking for money in a way that if you ask him a question and don't understand what he wrote and ask a followup question he responds with something like "pay me". So keycloak it was. And you can see that the people who wrote and are writing keycloak know what is needed and what's good. It's written by people in the thick of the business and you can see that. Multiple realms, roles, role by client, groups, custom login flows. Good stuff. But Hydra is a bait and switch offer.

    • @pilathraj5714
      @pilathraj5714 3 years ago

      Did you find the hydra container and connecting it to a regular crud app without auth?

  • @edwardhoffenheim3249
    @edwardhoffenheim3249 2 years ago

    So after working with cognito and hearing about Auth0's prices I'd just rather do it myself. I don't have much experience as a dev in that regard but the impression they've left with me is they're not worth the effort. Cognito is very inflexible, poorly documented and kinda hard to use. Basic auth is fine. But the difficulty disproportionately grows faster than the complexity of what you wanna do. Worst part is what you're trying to do may genuinely be impossible.
    With your own auth you can put pieces together as you need

  • @webgooniedotcom
    @webgooniedotcom 1 year ago

    Amen! My Brother.

  • @grechuli
    @grechuli 3 years ago +1

    How about FusionAuth, on your own server?

  • @JFKTLA
    @JFKTLA 1 year ago

    this was a great straight forward video

  • @edwardgyampo
    @edwardgyampo 3 years ago

    Thank you! That smile though😁.

  • @PriyankBolia
    @PriyankBolia 4 years ago

    I agree with own authentication and again Auth0 is way too pricey, at least for me, also never used it. But you are missing the most important thing about Cognito and its like, that is not just managing user email and password or just security. But they provide a fully customizable workflow for sign up, login, password reset, with their trusted email networks, spam and fraud filters. So yes it's worth considering them, instead of writing from scratch. However if you have enough experience with writing your own solution, that is a different thing. I won't use some node package to do such things, either I write my own or use Cognito.

  • @Smurfis
    @Smurfis 1 year ago

    Could you show a tutorial on making authentication?

  • @mac10046
    @mac10046 4 years ago +6

    AWS cognito, you can't export or backup your system users data ... : Yuck

    • @locksmith6096
      @locksmith6096 4 years ago

      Really? that is fucked up

    • @mg-by7uu
      @mg-by7uu 4 years ago +3

      Yeah so in their pricing model it should say: "THIS IS A LIFETIME CONTRACT"

    • @CanosieLabs
      @CanosieLabs 4 years ago

      That's the problem with these systems. You get vendor locked once you integrate with them!

    • @mg-by7uu
      @mg-by7uu 4 years ago +1

      @@CanosieLabs Exactly. When choosing any framework or library you have to be very careful because it's basically a marriage. Marry the wrong cloud service and you could lose millions and need one hell of a divorce team

    • @Darklor_WCF
      @Darklor_WCF 4 years ago

      That is exactly what AOL did with email contacts. I made a lot of money doing manual contact transfers for my customers, but felt dirty doing it.

  • @IvanRandomDude
    @IvanRandomDude 3 years ago

    Any open source IAM that is certified by OpenId Connect is a good alternative. You don't need to pay for auth0

  • @isaacimaobongsamuel8839
    @isaacimaobongsamuel8839 3 months ago

    you should probably make videos on authentication and authorization so we can learn from you.

  • @frankyb702
    @frankyb702 5 years ago +106

    Auth0 sucks, Costs a lot! Huge target for hackers and storing user data you know they sell

    • @andresmontoya7852
      @andresmontoya7852 5 years ago

      What do you think about Netlify Identity, is it more expensive than auth0 or is it better?

    • @frankyb702
      @frankyb702 5 years ago +11

      Take the time to roll your own. It's worth the control and easy to do using frameworks / open source. I'm a msft .net guy and even Microsoft does a great job with identity services boilerplates. Auth0 is for the wannabe CTO who wants to brag about security riding their coattails. Services like this are too expensive when you actually have traction. What's the point of building a profitable app, just to give away a share of revenue?
      Only way i would use Auth0 or any other identity service is if forced into it by management.

    • @fronix5060
      @fronix5060 4 years ago +5

      Not to be that guy but do you have _any_ proof they sell userdata?

    • @connorbrereton9016
      @connorbrereton9016 4 years ago +14

      I work at Auth0. I was a developer for 5 years before going the sales route. We absolutely do not sell user data. We’re not cheap but with the SLA and features we provide we’re absolutely worth the money. As for hackers we’ve never been hacked and are fully compliant with every certification on the market with the exception of FEDRAMP which we’re in the process of getting.
      I’m more than happy to chat developer to developer sometime about how we could improve. Please let me know!

    • @jemma2607
      @jemma2607 4 years ago +4

      @@connorbrereton9016 I hate your documentation so fucking much.

  • @codelucky
    @codelucky 1 year ago

    What about Clerkdev? Do you support that?

  • @rickharold7884
    @rickharold7884 2 years ago

    Right on ! Easy to do yourself.

  • @piby1802
    @piby1802 4 years ago +1

    I use django-registration/django allauth with DRF. Authentication is just one import away for me. All my auth needs are fulfilled by this library

    • @adonis__simo
      @adonis__simo 3 years ago

      yeah I do the same, but it also depends on the context like he said, if you are targeting mainly enterprise clients for example they might ask you for something like LDAP, OAuth, SSO auth with their existing identity management solution, and there you have the choice either to build an engine for that from django-registration (by extending it) or to use some existing package (maintained by other folks) or use something like Cognito or Firebase or any other stuff (self hosted or not).
      Those tools sometimes have so many different features like passwordless auth by default, SAML support, brute force monitoring etc... I am currently checking fusionauth.io

  • @zehijean8817
    @zehijean8817 5 years ago +5

    IAM still going to write my own auth stuff I'm into Enterprise stuff like building my own Enterprise so details id like to control them...still great video as always brother

    • @MrSilvo34
      @MrSilvo34 3 years ago +4

      Haha he said IAM

  • @SanjayChakrapani
    @SanjayChakrapani 3 years ago

    Nice video bro, can you suggest any sources to set up our own auth2 server

  • @tehscanny
    @tehscanny 5 years ago +3

    Do you recommend using passport with JWT?

    • @bawad
      @bawad 5 years ago +5

      sure

  • @gouldbenney2943
    @gouldbenney2943 4 years ago +1

    Hi. I'm a beginner in web development. Can you kindly explain to me what Authentication in react is?

    • @longisland1131
      @longisland1131 2 years ago

      do you still need an answer?

    • @gouldbenney2943
      @gouldbenney2943 2 years ago

      @@longisland1131 Thanks but I don't code anymore.

    • @ahurein1641
      @ahurein1641 2 years ago

      @@gouldbenney2943 I'm curious to know why you don't code anymore

  • @sergejskozlovics9667
    @sergejskozlovics9667 4 years ago

    What do you think about Apple ID? They hide the user's e-mail. From the end user's point of view, it is more convenient to use just one Apple password instead of remembering/storing 100 passwords for all websites implementing auth on their own.

  • @ajhalili2006
    @ajhalili2006 3 years ago

    What about 2FA (without SMS/voice call) and WebAuthn?
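To make the 2FA half of that question concrete, the block below is the authenticator-app form (RFC 6238 TOTP on top of RFC 4226 HOTP), written with only the standard library as an added example; it is not code from the video or from the commenter. The verifier accepts one 30-second step of clock drift either way, does the same amount of work whichever step matches, rejects anything that is not six ASCII digits before comparing, and refuses a counter at or below the last one already redeemed, which is what makes a code single-use inside its lifetime. The one-step window is an assumption for the example; the secret in the usage is the RFC's published test secret, not a real user's.

```python
"""Added example: RFC 6238 TOTP / RFC 4226 HOTP with the standard library only.
Not from the video or the commenter; the one-step drift window is an assumption."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6
WINDOW = 1  # assumed: accept one step of clock drift either way


def new_secret(nbytes: int = 20) -> str:
    """Base32 secret to enrol in the user's authenticator app (20 bytes for HMAC-SHA1)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / 30)."""
    at = int(time.time()) if at is None else at
    return hotp(secret_b32, at // STEP_SECONDS, digits)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                last_used_counter: Optional[int] = None) -> Optional[int]:
    """Return the matched counter, or None if the code is rejected.
    The caller stores the returned counter per user and passes it back next time,
    so the same code cannot be replayed inside its 30-second lifetime."""
    if not (isinstance(code, str) and code.isascii() and code.isdigit() and len(code) == DIGITS):
        return None   # never hand non-ASCII or odd-length input to compare_digest
    at = int(time.time()) if at is None else at
    centre = at // STEP_SECONDS
    matched = None
    for c in range(centre - WINDOW, centre + WINDOW + 1):
        if c < 0:
            continue
        # Keep checking every step even after a hit: uniform work per attempt.
        if hmac.compare_digest(hotp(secret_b32, c), code):
            matched = c
    if matched is None:
        return None
    if last_used_counter is not None and matched <= last_used_counter:
        return None   # replay of a counter already redeemed
    return matched


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret ("12345678901234567890" in base32), not a real user's.
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(rfc_secret, at=59))                    # 287082
    print(verify_totp(rfc_secret, "287082", at=59))   # 1
```

WebAuthn, the other half of the question, is a different mechanism (a public-key challenge/response between the site, the browser and an authenticator) and is not shown here; unlike TOTP it is phishing-resistant because the signed challenge is bound to the origin.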

  • @willd4686
    @willd4686 3 years ago

    Shooting outside for the light?

  • @prerakhere
    @prerakhere 5 years ago +2

    Hey ben, those were some precious points.
    Btw, from where do i learn a solid authentication in node?

    • @bawad
      @bawad 5 years ago +1

      ua-cam.com/video/25GS0MLT8JU/v-deo.html

  • @jasontruter4981
    @jasontruter4981 3 years ago

    I use Ory Kratos which is open source.

  • @thecashewtrader3328
    @thecashewtrader3328 3 years ago

    2:29 an*
    incentive starts with a vowel

  • @ultiumlabs4899
    @ultiumlabs4899 3 years ago

    I think using a third party open source library is the answer if we need to build for millions of users, or amazon cognito if hundreds of thousands of users is considered big. auth0 seems too pricey

  • @markpolak9175
    @markpolak9175 4 years ago

    Or a self hosted service like Identity Server?

  • @arturfil
    @arturfil 4 years ago +1

    If you are an aspiring backend developer or a fullstack developer the answer is no, not worth going with auth0

  • @fredbluntstoned
    @fredbluntstoned 5 years ago +2

    The saying is "Don't roll your own crypto!" It's about not trying to create your own custom cryptography.
    Authentication should be done by the service creator, not by a third party, unless security is not really a concern, E.G. No personal details are stored and it's just supplying public information that are non legally binding materials.

  • @staplepin8099
    @staplepin8099 3 years ago

    Isn’t firebase google auth just free ?

  • @duechilidance5388
    @duechilidance5388 4 years ago

    Great overview, thanks

  • @igordumencic1427
    @igordumencic1427 4 years ago +1

    0:49 yup..... -.-

  • @blazi_0
    @blazi_0 3 years ago

    I'm front end and I don't need a backend for database and even auth for my web app!!

    • @blazi_0
      @blazi_0 2 years ago +1

      Oops, I was wrong. What a noob I was🤣

  • @HiImKyle
    @HiImKyle 2 years ago

    I hate it when people recommend Auth0 without realising how expensive it is if you have a large user base. You could probably build your own for less.

  • @thedeveloper4207
    @thedeveloper4207 5 years ago +4

    You cannot unsee the 3 mosquitoes on his neck.... Poor man 👨

    • @bawad
      @bawad  5 years ago +3

      I can't unfeel them :(

  • @Scott-zi7xv
    @Scott-zi7xv 3 years ago +2

    So any of you here that can tell me HOW to build your own secure authentication?

    • @msolano00
      @msolano00 3 years ago +1

      Everyone here is a security expert now, including Ben hahaha

  • @markodivji
    @markodivji 5 years ago

    What do you suggest for Enterprise solutions? Should someone do it by himself? Would be nice to hear your opinion on this one also.

    • @bawad
      @bawad  5 years ago

      idk I guess it depends on the requirements

    • @DarkoLuketic
      @DarkoLuketic 4 years ago

      red hat's ... aw man what is it called again... FreeIPA is a lot more than just oidc but is also using oidc.

    • @dejfcold
      @dejfcold 4 years ago

      @@DarkoLuketic Wow that just got more complicated than I thought it was.
      FreeIPA upstream for Red Hat Identity Management
      Keycloak upstream for Red Hat Single Sign-On
      So ... FreeIPA is like Kerberos implementation?

  • @Huholoman
    @Huholoman 2 years ago

    Yeah, Ory is awesome.

  • @st_bakerino
    @st_bakerino 8 months ago

    Do you have still the same opinion about it?

    • @alimahdi1012
      @alimahdi1012 5 months ago +1

      He just uploaded a video 2 days ago regarding the same.

  • @Kenbomp
    @Kenbomp 2 years ago

    What happened to php auth?

  • @codercod4679
    @codercod4679 4 years ago

    OAuth is an authorization method

  • @forresthopkinsa
    @forresthopkinsa 2 years ago

    There are mosquitoes on your face!?! I can't hear what you're saying while watching bugs landing on your head (e.g. 1:43), how does it not drive you crazy?

  • @Zetrick
    @Zetrick 1 year ago

    Great video, but, I can't help but notice the mosquito that is draining your life force from 1:57 to 3:04...

  • @krim2829
    @krim2829 4 years ago

    But what about Netlify? I think it's good.

  • @delarammajestic2502
    @delarammajestic2502 3 years ago

    is there any one out there that could guide me on how to implement my own authentication flow from scratch ?😃

  • @dane2565
    @dane2565 2 years ago

    How are you just sitting there getting completely devoured?

  • @abeplus7352
    @abeplus7352 4 years ago +2

    Why is it complicated lmao. I hate those companies. Like literally it's hash password, compare password, send JWT or session in cookie. Done... it's an easy concept, nothing complicated. Yes there's more to it in some cases if you want to do something fancy like 2FA and such, but for most SMEs that's all it needs to be.
    Also just IMO, you can't call yourself a back-end developer if you can't write a simple login system. This is kind of why I'm not a big person on frameworks and things that do a lot of magic for me (Spring Boot).

    • @davidlebrun6123
      @davidlebrun6123 3 years ago

      "Done"... until you need to implement more auth flows and greater security-and there are tons of auth flows and security requirements that can come into play and should be applied. Even not supporting 2FA because the system was self-rolled and you don't have the resources to support an MFA integration to a home solution can be seen as a big security issue-users are left less secure because of the limitations of the approach originally taken and the limited resources you might have. Then you have Account Takeover/login attack prevention, CAPTCHA/Throttling/Account lockout, compromised-user-password detection, etc. etc.... the list goes on, and the more "home baked" you are, the more resources you need to expend to build the BE, UX, and FE for those features. It's a balance-customizing those same flows as they are supported by a 3p or open-source framework to fit your own app might require a lot of resources itself-but it behooves everyone to consider the features they give up (without extensive resources to support) when choosing to roll their own auth.

  • @JamesQQuick
    @JamesQQuick 4 years ago +2

    Auth0 for the win. The name is definitely confused with OAuth though!! haha

  • @makhosi6
    @makhosi6 4 years ago

    OAuth vs Auth0, what's what.

  • @zayn2476
    @zayn2476 3 years ago

    Just implement an open source authentication?? Like OAuth2, it's so easy, why wouldn't you?

    • @zayn2476
      @zayn2476 3 years ago

      Would rather pay a freelance backend developer to implement this than pay Auth0 or AWS lol

  • @j.a.1776
    @j.a.1776 3 years ago

    I-I'm not insecure right now, you are.

  • @jemail8746
    @jemail8746 5 years ago +7

    who hires a developer just only for handling authentication?

    • @connorbrereton9016
      @connorbrereton9016 4 years ago

      You wouldn’t believe how many companies spend millions each year on hiring developers for maintaining identification systems. It’s crazy. I’d love to share some data with you. Btw I work at Auth0

    • @jemail8746
      @jemail8746 4 years ago

      @@connorbrereton9016 that would be really great, I have used passport to implement authentication before and it didn't seem that difficult, hence the comment

    • @connorbrereton9016
      @connorbrereton9016 4 years ago

      @@jemail8746 What's the best email to reach you on?

    • @jemail8746
      @jemail8746 4 years ago

      @@connorbrereton9016 jemailesmail@gmail.com

  • @programmerrdai
    @programmerrdai 4 years ago +1

    If you make your own api you can do almost everything no problem.

  • @PratikMota
    @PratikMota 2 years ago

    A mosquito is biting you on your neck.. take care bro. Good information.

  • @chris.w391
    @chris.w391 4 years ago

    7:00 Wait for it