
> People keep telling me that writing auth myself is a bad idea, and creating truly secure auth is really hard.

Yes, the problem these days is a lot of commercial providers want this to become "common knowledge" and for it to be "best practice" to use their systems. But what happens if Okta has a data breach and you don't even know if your users were affected? (This happened)

I strongly believe in rolling your own auth:

1. It keeps it simple

2. You control the data that's a critical part of your system

3. Okta and Auth0 are giant targets because they have so many people's creds - you aren't

4. Even if you do use something like Auth0, you still need to implement authorization somehow. Of course, there are people who want to sell you solutions for that too...

Use libraries for the underlying primitives like bcrypt and JWTs. Do the rest yourself. Keep it simple.

Oh, and keep it simple.

The one good reason I've seen recently to use third-party auth services is because they often support MFA. But how many companies actually need that? I've worked for a bunch of companies over my career and the number of times I've had to implement/add MFA is 0.
I'd also argue that adding MFA with TOTP really isn't _that_ hard either. There's a bit of setup work to be sure, but it's a feature just like any other that has a pretty easy-to-grasp flow once you do a bit of reading.

Don't do your own cryptography (just use bcrypt or if you're confident you won't mess it up, libsodium), but authN/Z is entirely within the realm of "roll-your-own" and should be table stakes for most businesses these days.

Even adding SAML or OIDC support really isn't that hard.
