[aleyan]

Is it worthwhile to do authentication via SaaS instead of a local library?

For password use case, it seems nice that you don't have to store client secrets (eg encrypted salted passwords) on your own infra. However now instead of authentication happening between your own servers and the users browser, there is an additional hop to the SaaS and now you need to learn about JWT etc. At my previous company, moving a Django monolith to do authentication via auth0 was a multi month project and a multi thousand line increase in code/complexity. And we weren't storing passwords to begin with because we were using onetime login emails links.

Maybe SaaS platforms are worth it for social login? I haven't tried that, but I am not convinced that auth0 or some one else can help me connect with facebook/twitter/google better than a library can.

[TameAntelope]

It's terrifying to store credentials. I'll take 4 hours of downtime once in a blue moon over lost nights of sleep over potential security breaches.

I just can't even imagine why you would these days, there are even "local" options that act as "local 3rd party auth providers".

[steve_taylor]

It’s only terrifying if you believe Auth0’s FUD.

[rozenmd]

100% - for OnlineOrNot (https://onlineornot.com) I only use passwordless auth (enter your email, get a magic link emailed) and Google via OAuth for this reason.

Screw losing sleep over whether you're storing credentials correctly.

[1cvmask]

What happens when the emails fail (like spam folder)? I remeber a thread here on HN on a number of projects where they dumped email link sending as a login method for various reasons and complications. Have you face any challenges as well? If not what's your secret sauce? A better email provider? Would love to know.

[rozenmd]

Email Provider is a big one - particularly following best practices like DKIM.

Use a large managed service like Postmark or Mailgun. Use AWS SES/roll your own at your own peril.

Worst case, the user doesn't get the email, and uses OAuth (majority of my target audience - agencies - use GSuite).

[jjeaff]

Use a properly maintained library to salt and hash your passwords and the credentials will be the absolute least of your worries if your database is breached.

[temikus]

Generally it’s not the auth itself that is the problem but RBAC, multi-factor auth, integrations, etc.

We’ve looked at Auth0 and Okta because we wanted to see if we can save some dev time devising RBAC and supporting a lot of different auth integrations. Ended up doing it in house since the quote was unacceptable (essentially a mid-level dev salary per year)