| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by mooreds 1093 days ago

Disclosure: I work at FusionAuth.

Heya, it depends!

I think if you have one app and don't plan to have any others, it can make sense to use an open source library like Devise/Omniauth (Rails) or Spring Security (Spring/Java). Passport.js is pretty good for javascript. You can also use some of the simpler SaaS options like Supertokens or Clerk.

If you plan to have more than one app, especially if you want commercial off the shelf software to hang off it, then you should start looking at auth servers (Keycloak and FusionAuth are both such servers, as are others mentioned in sibling threads).

Then the choice becomes SaaS or self hosted. If you are looking for ease of use, SaaS is where it's at. Most every auth server has a hosted version; Auth0 is the most popular one but I believe the free tier is 7k users and MFA options are limited. FusionAuth doesn't have a free SaaS option, but if you stand it up in EC2 or some other provider, we offer TOTP MFA, unlimited SAML, OIDC and social connections, and unlimited users and clients (we call them Applications). But of course you run it yourself, which is not free.

Anyway, lots of options out there. Based on the little I've seen here, I'd probably recommend an auth server (because you have many apps). Self-hosted or SaaS probably depends on your appetite for running an auth server; I don't have context to recommend one way or another.

1 comments

joshgermon 1093 days ago

Hey really appreciate this advice! It's quite refreshing to here someone who works at an Auth provider not understating the usability of some of these libraries and frameworks.

FusionAuth seems really great too, in my journey down this path I've come across quite a few people using your hosted service on very large apps who have nothing but praise, so kudos!

One question I have is, when you say multiple apps, are you speaking in a sense of they are at all related? Or every small app/project you have related or not?

mooreds 1093 days ago

> One question I have is, when you say multiple apps, are you speaking in a sense of they are at all related? Or every small app/project you have related or not?

If you think that people will want to subscribe to more than one app, or if you think you'll want to be able to have a single view of customers/users across multiple apps, that's when I'd extract auth to an auth server. You can use a dedicated auth server or have other apps rely on one app which uses a library/framework.

Think of it as normalizing user profile info. Just like when you normalize data, you get wins (one place to change things, consistent data structure) and you lose things (more complex, have to do joins across tables [or in the auth case, use tokens]).

If you don't ever forsee the need to look across all your users, or for users to log into multiple apps, and you don't need some of the isolation and features an auth server can offer, then it makes sense to continue to silo each set of user data in each app.

You can always make the investment to migrate to an auth server later. Of course, the longer you wait, the more hairy it will be.

Hope that helps, and thanks for the shout out to FusionAuth. If you want to download the free Community version to kick the tires for your own needs, here's the link: https://fusionauth.io/download