by westoque 1561 days ago
I am mostly a one man shop myself but I would encourage everybody to self host their authentication. With so many open source libraries, there’s no good reason why you should use an external provider. In most cases, if the app is relatively successful you will very likely add functionality to your app, and this means you need control of your data and everything else that comes with it.

In the bigger scheme of things, I envision a world where adding auth to your app (or any functionality) is as simple as adding a docker service.


Thanks for bringing up this point! I think there are definitely times where self-hosting authentication might make sense, but I'll respectfully disagree that most people should do this.

Every component that gets added to your infrastructure is just "another thing" that you have to worry about in terms of uptime, monitoring, security, staying current, and so on. Personally, I'd rather not worry about any of that for something that isn't part of my core competency. Certainly there is a cost/benefit analysis to be made, mostly for larger companies.

I know we won't likely agree on this point, and that's ok! I just wanted to share an alternative perspective. :-)

That's exactly what I don't want. I don't trust the security of my app to store user credentials.

Another reason: my app has no reason to send emails except for one thing: password resets. I don't want to set up a whole email flow just for that. By using a provider I can offload that at the same time.

Firebase, Cognito, Azure B2C?

Yeah, for the same reason I don't want to store credit card details, I don't want to store user credentials.

+1 on those services. I went with AWS Cognito, which gives you permanently 50.000 MAU for free. A big issue with self-hosting is also email delivery; you'd have to go to some provider to send verification emails to have a decent inboxing rate.

Only downside is the pretty ugly default login UI of Cognito, but you can style it to some extent by adding a logo and custom CSS.

Outsourcing credentials is critical. I'd go a step further: most apps/websites should outsource all of their personal data. Liability around personal data breaches is only increasing.

This is a great point.

We (at Rownd) are looking into self-hosted, open-source options as well. What are a few features that are MUST haves?

There are some that are more complex (like SMS auth, email auth, etc). We want to 100% get away from passwords, so passwordless is critical since most passwords are security issues.