It’s just a few fields until it’s not.
SSO, SAML, SCIM, OIDC, OAuth, 2FA, passwordless auth, verification tokens, etc etc, And, variations of each for wildly popular systems you’ll be expected to integrate with but don’t support the exact spec.
For a while at my company, half our support engineers time went to handling random SSO issues that came up in our home built auth system.
I don’t know when we became this lazy. Auth is hard, sure, but putting your users table and sessions behind a vendor API is not something cool. Tell me one feature that is not supported by libraries like OpenIddict (You can build around) or Keycloak?
If you're a SaaS vendor, you want to make onboarding and logging in as easy as possible and being able to do things like add a "login with google/apple" button or other third party SAML/SSO tooling is one way to do that. Supporting that workflow sucks as it can involve very finicky integrations involving certificate trusts, etc.
I think the main argument usually is time savings. Personally I just always do E-Mail and password auth, yea its old and not the shiny new thing, but it doesn't require me to integrate 200 different ways of doing auth.
We should be able to demand users remembering their passwords, I dont like to cater towards users who simply dont want to put in the work to use my product.
Will I lose potential users over this? Yes. Does it feel bad knowing I am in control and wont have to offload to 3rd party vendors? Hell no.
Same here, Just email + password, no google dependency initially. If more users ask we will think of it. but again you don't need a cloud vendor for all this.
That's great for B2C, but B2B demands SSO.
Not really, we do B2B. E-mail & password is good enough for our customers. They really really dont care about what kinda auth we use.
Great for you but that's not the case for a lot of B2B contracts we have. A lot of them require integrating with their SSO, not just for login but for permissions too
Well the disadvantage is that you're responsible for your companies keycloak.
Exactly. Do you want to become ops? Because that's how you become an ops team.
"home built auth system" is bound to have "random SSO issues". You fix them, that's how things mature.
Supabase's auth is MIT licensed and OSS, is it not?
https://github.com/supabase/auth/blob/master/LICENSE
Supabase is OSS but it's a real pain to actually self host it
Couldn’t you get Claude to go into Supabase’s auth code and make your custom like their’s but adapted to your stack?
"Claude, make my custom like their's but adapted to my stack. Make no mistakes"
You’ll have to drive the agent to do it, not a one-shot task. It’ll also require you to understand your codebase.
This is not funny because people are doing that for real.
Exhibit A, mi.
And don’t hallucinate.
Yep, it’s just a drag. It’s not our core product value so any effort we put into it is a drag.
Rather than just use an email solution Google built GMail into a massive email solution despite it not being a core product
Sometimes that's just an opportunity
> ... not being a core product
Technically true, because Google's core product is ads. Also fundamentally wrong, because Gmail serves as a massive source of ad targeting information, in addition to being a high-engagement canvas to display those ads.
Google has not been scanning gmail mails for ad targeting since 2017. I think after 9 years we can finally let that one go.
Ad display I'll still grant you of course.
I don't think we can let that one go so easily, since they might not be scanning for ad targeting (pinky promise?) - but they most certainly will slurp everything up for their AI stuff: https://blog.google/products-and-platforms/products/gmail/gm...
I'm guessing they simply didnt want to spend the time and money doing that
Possibly didn’t want to accept the additional risk that comes with rolling your own auth as well.
> For a while at my company, half our support engineers time went to handling random SSO issues that came up in our home built auth system.
fwiw, we also have entire staff dealing with SSO issues among our employees and users, despite relying on external services to handle auth.
A problem domain as complex as authentication is bound to habe issues of some sort. But I am not sure if I would be so fond of „outsourcing“ something as integral to my services as the access to these services
There is a trust component for sure, but a business requires assessing the value of time against revenue. I can say for our org that using an off the shelf solution like Clerk saves us time and money and we believe the risk is very small relative to the savings. Maybe the cost for you is not large right now, but when you've got 20 enterprise customers all asking for specific OIDC integrations configured with Private Link, custom domains, and private clusters, an auth solution starts looking mighty fine.
Is this perhaps a reason to have a Users table that is separate from the table of data on how you authenticate that user?
Just use Ory Kratos and self host it.
That’s when you install Keycloak.
is it just me? who just uses magic links delivered via email or telegram as backup?
Personally I hate magic links via email with a passion and will actively avoid products that have this as the only authentication method
Majority of apps are B2C apps, they don't need any of this.
All you need is Apple and Google Oauth.
If you are just starting out its probably a good idea. Think about the use case when google bans either your app or bans your app user?
Then your business is entirely screwed anyway because you've just lost half the market
At least to me it sounded very much like they were talking about mobile.
It depends on your use case.
If you are a B2C app, you are probably more concerned about:
- social providers (Apple and Google being the big ones, but others could play a role--FB or Tiktok for example)
- easy registration (but not too easy, you want to avoid bot spam)
- self-service account management (updating profile fields, consents [CCPA, GDPR, others], resetting passwords
- single sign-on between your apps (if you have multiple)
- language support (for your backend, and mobile/web front end)
- cost
- possibly MFA, possibly passkeys