Is it worthwhile to do authentication via SaaS instead of a local library?
For the password use case, it seems nice that you don't have to store client secrets (e.g. encrypted salted passwords) on your own infra. However, now instead of authentication happening between your own servers and the user's browser, there is an additional hop to the SaaS and now you need to learn about JWT etc. At my previous company, moving a Django monolith to do authentication via auth0 was a multi-month project and a multi-thousand-line increase in code/complexity. And we weren't storing passwords to begin with because we were using one-time login email links.
Maybe SaaS platforms are worth it for social login? I haven't tried that, but I am not convinced that auth0 or someone else can help me connect with facebook/twitter/google better than a library can.
100% - for OnlineOrNot (https://onlineornot.com) I only use passwordless auth (enter your email, get a magic link emailed) and Google via OAuth for this reason.
Screw losing sleep over whether you're storing credentials correctly.
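The passwordless flow mentioned above (enter your email, get a magic link), as an added example that is not code from the original post or from OnlineOrNot: the server stores only a hash of a high-entropy single-use token with an expiry, so a leaked database yields no usable login links. The `MagicLinkStore` class, the `example.invalid` URL and the 15-minute TTL are assumptions for illustration; the email sending and rate limiting are left out.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a magic link


class MagicLinkStore:
    """In-memory stand-in for the table that holds pending login links.

    Only the SHA-256 of each token is stored, so an attacker who reads the
    table cannot reconstruct a link; the token itself is 256 bits of
    CSPRNG output, so the hash is not guessable either.
    """

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock for testing expiry
        self._pending = {}              # token_hash -> (email, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a fresh token for `email` and return it (to put in the link)."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email, self._now() + TOKEN_TTL_SECONDS)
        return token

    def link_for(self, token: str) -> str:
        # Hypothetical login URL; the real one depends on your routing.
        return f"https://example.invalid/login?token={token}"

    def redeem(self, token: str):
        """Return the email the token was issued for, or None if invalid.

        pop() makes the token single-use even on a valid-but-expired hit,
        so a late click cannot be replayed after the expiry is relaxed.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        return email


if __name__ == "__main__":
    store = MagicLinkStore()
    token = store.issue("alice@example.com")  # constructed sample user
    print("send this by email:", store.link_for(token))
    print("first click  ->", store.redeem(token))
    print("second click ->", store.redeem(token))
```

The lookup is by hash, so even an attacker who can observe timing of the database query learns nothing about a token they have not seen; what the flow does not protect against is the failure mode raised in the replies (the email never arriving), which has to be handled at the delivery layer.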
What happens when the emails fail (like spam folder)?
I remember a thread here on HN on a number of projects where they dumped email link sending as a login method for various reasons and complications. Have you faced any challenges as well? If not, what's your secret sauce? A better email provider? Would love to know.
Use a properly maintained library to salt and hash your passwords and the credentials will be the absolute least of your worries if your database is breached.
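The salt-and-hash advice above, as an added example that is not code from the original comment: it uses the standard library's `hashlib.scrypt` (a memory-hard KDF) with a per-user random salt, stores the parameters alongside the hash so they can be raised later, and compares in constant time. The `scrypt$n$r$p$salt$key` record format, the parameter values and the function names are assumptions for illustration; in a real Django app you would use the framework's own hasher rather than roll this yourself.

```python
import hashlib
import hmac
import secrets

# Assumed work factors: 16 MiB of memory per hash (128 * r * n bytes).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32


def hash_password(password: str, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt_hex$key_hex."""
    salt = secrets.token_bytes(SALT_BYTES)          # fresh random salt per user
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=n, r=r, p=p, dklen=KEY_BYTES)
    return f"scrypt${n}${r}${p}${salt.hex()}${key.hex()}"


def _parse(stored: str):
    algo, n, r, p, salt_hex, key_hex = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unknown algorithm")
    return int(n), int(r), int(p), bytes.fromhex(salt_hex), bytes.fromhex(key_hex)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; constant-time compare."""
    try:
        n, r, p, salt, expected = _parse(stored)
    except ValueError:
        return False                                 # malformed record, never a match
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True if the record was made with weaker parameters than we now require.

    Call this after a successful login and re-hash with the plaintext you
    just verified, so old records migrate without a forced reset.
    """
    try:
        n, r, p, salt, expected = _parse(stored)
    except ValueError:
        return True
    return (n, r, p) < (SCRYPT_N, SCRYPT_R, SCRYPT_P) or len(expected) < KEY_BYTES


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
```

Because the salt is random, two users with the same password get different records, and an attacker with the table has to run the full scrypt cost per guess per user rather than once against a precomputed table.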
Generally it’s not the auth itself that is the problem but RBAC, multi-factor auth, integrations, etc.
We’ve looked at Auth0 and Okta because we wanted to see if we could save some dev time devising RBAC and supporting a lot of different auth integrations. Ended up doing it in house since the quote was unacceptable (essentially a mid-level dev salary per year).