It's important to note that there is a very big difference between developing or implementing own cryptographic building blocks and just hosting your own authentication service. The first is a big No-No (unless you are a group of renowned and proven security experts) while the latter can be doable (although you have to be careful).
As an identity management expert I can’t agree more. Use whatever library you want and customize it within spec but never ever try to implement your own cryptography.
assume then that Passportjs or Lucia (well Oslo helper methods) = good, trying to write Passportjs/Oslo = bad. always thought that 'roll your own' was kept intentionally vague.
This video mixes up Authentication, Authorization, Auditing and many other security processes, then recommends using a single point of failure as a solution.
MFA through SMS or email is on the $35 plan. I've been using it for years. Authenticators like Google Authenticator require the Professional plan, which is actually fairly priced if you're big enough to need it.
"please let this not be a prelude to some auth sponsor... please... he wouldn't do that right... please no..." TODAY"S VIDEO IS SPONSORED BY.... 😞 Like I get it you have chickens to feed and bills to pay, but I do think its a bit dirty to primarily focus on the downsides and barely touch on the pros of rolling your own auth solution. Instead the video is filled with a lot of scary stories, how million user platforms got sued 😱 and all of this can be avoided if you used XYZ solution. And how DARE you remind me I have to log back into my netflix on my TV whenever I travel good sir! At least they haven't added ads yet.... oh wait. Anyway Forrest I will still watch your content cause I still enjoy it. I just had to cry out my heart here in this comment section. I don't wish you to pull this video, stop taking sponsors, or change in anyway for any viewer here. I just ask you remain fair and honest to your audience many of them new to this industry and look to you for ideas. You had one very valid point... you should roll your own if at the very least to learn something. But I think there is many other reasons too but due to conflict of interests I understand why you didn't.
Місяць тому+3
I implemented oauth2.1 and oidc protocols from scratch last month, and switched to a oidc library later(for better edge case handling, nothing else). I have gotta say, if i didn't implemeted the protocols beforehand, i wouldn't have any idea on the internal state of the program, and it would just be a blackbox.
Those protocols are pretty damn complex due to the amount of options you have available - that's what I recall from a year ago anyway. Maybe my memory is crap though.
Місяць тому
@@NostraDavid2 nope, you are correct. These protocols have tons of options, cause they cover a wide range of scenarios
isn't auth service provider become a single point of failure for all their customers if they ever got hacked? If big companies like facebook got hacked what's the guarantee that your auth provider won't fail at somepoint. Honestly, all auth fails mentioned here seems like stupid mistakes that could've avoided if they had better process to enforce good standards.
yea. it is. the video is basically ad. never trust tech tubers. no diss here. i appreciate all working people getting the bag and would've done the same thing. smartest people in tech aren't making videos. they are making products or enjoying life or being tiny little fascists. Auth0/Okta also has had its own fair share of security incidents.
My only recommendation for this vid is to target FE devs with this advice. For the “things you need to consider…” section, this is all standard stuff for an experienced backend engineer. Auth (incl. rate limiting, gateways etc) for a Java/Spring Framework engineer is like forms mgmt for a JS/Angular dev. The mental overhead to sufficiently implement both sides of the stack is heavy, as both have great complexities.
I think this is an "it depends" scenario. Most of the time, it's better not to build your own authentication system because companies typically prioritize creating features that deliver business value. Developing your own auth system can be a bad move since you'd then need to integrate and maintain it to meet all the necessary authentication requirements. This effort can consume a significant portion of your time, leaving less room for delivering value-adding features. On paper, it ends up looking inefficient and negatively impacting your KPIs.
Back when the internet was new we quickly learned that you can have a near perfect implementation of the current specification and if the server had shitty security say a windows server your wasting your time. None of these pieces are hard to code if you spent the first 10 years of your professional career reinventing this wheel. The reality nothing is truly secure... it just takes one new hire to bring it all down.
The mindmap? I just made it in Mermaid Chart. The MMD code will render in any platform that supports Markdown: mindmap root((Auth SystemDecisions)) Session Management Password Changes ::icon(fa fa-key) Invalidate all sessions? Keep some sessions active? Session Duration ::icon(fa fa-clock) Remember me functionality Re-authentication intervals Token rotation frequency Concurrent Sessions ::icon(fa fa-users) Number allowed Device limits Household restrictions Session Control ::icon(fa fa-cogs) View active sessions Revoke specific sessions Force logout all devices Route Protection Rate Limiting ::icon(fa fa-shield) Per IP limits Per user limits Per action limits Security Checks ::icon(fa fa-lock) Token validation CSRF protection Session fingerprinting Monitoring ::icon(fa fa-eye) Suspicious activity detection Security logging GDPR/SOC2 compliance Implementation Choice ::icon(fa fa-code) Custom Implementation Research security best practices Handle salt/pepper generation Manage token creation/validation Auth Library Configure security settings Use proven implementations Regular security updates
@fknight Sweet, thanks! We're currently struggling with, ehm.. rolling our own auth after failing miserably with Ory and Zitadel. There's always something missing or one thing nobody thinks about until we need it pops up from nowhere. Your mind map seems pretty comprehensive, thanks a bunch
It's important to note that there is a very big difference between developing or implementing own cryptographic building blocks and just hosting your own authentication service. The first is a big No-No (unless you are a group of renowned and proven security experts) while the latter can be doable (although you have to be careful).
As an identity management expert I can’t agree more. Use whatever library you want and customize it within spec but never ever try to implement your own cryptography.
assume then that Passportjs or Lucia (well Oslo helper methods) = good, trying to write Passportjs/Oslo = bad.
always thought that 'roll your own' was kept intentionally vague.
This video mixes up Authentication, Authorization, Auditing and many other security processes, then recommends using a single point of failure as a solution.
Yeah like rate limiting has nothing to do with auth you would do that with a gateway
Welcome to youtube tech influencing. Those who can can, those who can't teach.
big talk, show us what u got
No MFA under $240 / month kills Auth0 for me.
MFA through SMS or email is on the $35 plan. I've been using it for years. Authenticators like Google Authenticator require the Professional plan, which is actually fairly priced if you're big enough to need it.
Could be wrong on this one, but it always looks like a large amount of the complexity comes from shoe-horning JWTs into Auth?
Exactly, makes everything 30x harder
"please let this not be a prelude to some auth sponsor... please... he wouldn't do that right... please no..." TODAY"S VIDEO IS SPONSORED BY.... 😞
Like I get it you have chickens to feed and bills to pay, but I do think its a bit dirty to primarily focus on the downsides and barely touch on the pros of rolling your own auth solution. Instead the video is filled with a lot of scary stories, how million user platforms got sued 😱 and all of this can be avoided if you used XYZ solution.
And how DARE you remind me I have to log back into my netflix on my TV whenever I travel good sir! At least they haven't added ads yet.... oh wait.
Anyway Forrest I will still watch your content cause I still enjoy it. I just had to cry out my heart here in this comment section. I don't wish you to pull this video, stop taking sponsors, or change in anyway for any viewer here. I just ask you remain fair and honest to your audience many of them new to this industry and look to you for ideas. You had one very valid point... you should roll your own if at the very least to learn something. But I think there is many other reasons too but due to conflict of interests I understand why you didn't.
I implemented oauth2.1 and oidc protocols from scratch last month, and switched to a oidc library later(for better edge case handling, nothing else). I have gotta say, if i didn't implemeted the protocols beforehand, i wouldn't have any idea on the internal state of the program, and it would just be a blackbox.
Those protocols are pretty damn complex due to the amount of options you have available - that's what I recall from a year ago anyway. Maybe my memory is crap though.
@@NostraDavid2 nope, you are correct. These protocols have tons of options, cause they cover a wide range of scenarios
Are you trying to tell: Roll your own Auth for yourself only.
isn't auth service provider become a single point of failure for all their customers if they ever got hacked? If big companies like facebook got hacked what's the guarantee that your auth provider won't fail at somepoint. Honestly, all auth fails mentioned here seems like stupid mistakes that could've avoided if they had better process to enforce good standards.
yea. it is. the video is basically ad. never trust tech tubers. no diss here. i appreciate all working people getting the bag and would've done the same thing. smartest people in tech aren't making videos. they are making products or enjoying life or being tiny little fascists. Auth0/Okta also has had its own fair share of security incidents.
It's a bad take. Don't roll your own auth. Use established libraries.
Auth0 recently had an issue IIRC
What's the alternative to using an auth service provider though, if you're not qualified to be doing auth yourself?
@@dan110024 self host casdoor. its very easy. if that's too hard, you can use auth0 or vercels auth.
My only recommendation for this vid is to target FE devs with this advice.
For the “things you need to consider…” section, this is all standard stuff for an experienced backend engineer. Auth (incl. rate limiting, gateways etc) for a Java/Spring Framework engineer is like forms mgmt for a JS/Angular dev.
The mental overhead to sufficiently implement both sides of the stack is heavy, as both have great complexities.
I think this is an "it depends" scenario. Most of the time, it's better not to build your own authentication system because companies typically prioritize creating features that deliver business value. Developing your own auth system can be a bad move since you'd then need to integrate and maintain it to meet all the necessary authentication requirements. This effort can consume a significant portion of your time, leaving less room for delivering value-adding features. On paper, it ends up looking inefficient and negatively impacting your KPIs.
Back when the internet was new we quickly learned that you can have a near perfect implementation of the current specification and if the server had shitty security say a windows server your wasting your time. None of these pieces are hard to code if you spent the first 10 years of your professional career reinventing this wheel. The reality nothing is truly secure... it just takes one new hire to bring it all down.
Where I can find that Auth System Decisions diagram? It looks really comprehensive!
The mindmap? I just made it in Mermaid Chart. The MMD code will render in any platform that supports Markdown:
mindmap
root((Auth SystemDecisions))
Session Management
Password Changes
::icon(fa fa-key)
Invalidate all sessions?
Keep some sessions active?
Session Duration
::icon(fa fa-clock)
Remember me functionality
Re-authentication intervals
Token rotation frequency
Concurrent Sessions
::icon(fa fa-users)
Number allowed
Device limits
Household restrictions
Session Control
::icon(fa fa-cogs)
View active sessions
Revoke specific sessions
Force logout all devices
Route Protection
Rate Limiting
::icon(fa fa-shield)
Per IP limits
Per user limits
Per action limits
Security Checks
::icon(fa fa-lock)
Token validation
CSRF protection
Session fingerprinting
Monitoring
::icon(fa fa-eye)
Suspicious activity detection
Security logging
GDPR/SOC2 compliance
Implementation Choice
::icon(fa fa-code)
Custom Implementation
Research security best practices
Handle salt/pepper generation
Manage token creation/validation
Auth Library
Configure security settings
Use proven implementations
Regular security updates
@fknight Sweet, thanks! We're currently struggling with, ehm.. rolling our own auth after failing miserably with Ory and Zitadel. There's always something missing or one thing nobody thinks about until we need it pops up from nowhere. Your mind map seems pretty comprehensive, thanks a bunch
Auth0 sounds awesome. As a beginner trying to build an app with users i got way in over my head coding it myself.
Auth0 is horribly priced, there are a million other comparable services out there that actually scale and are affordable
@Refresh5406 Okay but for my purposes free sounds good.
@@craigreustle2192 No MFA sounds terrible
2:51 what's the name of this type of diagram?
Sequence Diagram
@@piotr_sss awesome, thanks! 😁
The maintainence burden of own auth increases for permission management and scaling the app
Where do I find that graph for auth decisions?
What keyboard is that? Looks sick
Looks like an apology video
i'm sorry. i'll never roll my own auth again.
edit: can't spell, had to fix
Don't roll your own auth....
Can you please tell me where that shirt is from, PLEASSEEEE!
Hmm
Just don’t deploy it 😂
Nice