
Ask HN: Which Authentication provider to use?

6 points| nik2303 | 1 year ago

So I am building an application that I would sell as SaaS in future. A web app for one set of users. A mobile app for another set of users. For the web app I would like to have email/password and phone (TOTP based) login. For the mobile app, just phone (TOTP based) login.

I've been looking at several authentication providers:

- Supabase Auth
- Zitadel
- Supertokens
- Ory

Self-hosted vs Cloud based: I would like to select something that I can self-host (or run locally on docker for development). However, some years ahead, I might move to the cloud (depends on the revenue).

Does anyone have experience with the above mentioned services? If yes, could you please provide your experiences with it.

Or if there's any better service that I missed looking into?

3 comments


PaulHoule|1 year ago

I would reject anything that isn't self-hosted out of hand because: (a) you never know if that kind of company is going to go out of business or get bought and get shut down or change for the worse and (b) your relationship with your customer is the most important thing.

There is no problem moving a self-hosted auth system into the cloud as you can move it there the same way you move the rest of your application.

Circa 2001 I built a "user management" library in PHP which was inspired by this

https://philip.greenspun.com/doc/index

that depended on an "auth module" that was maybe 50-100 lines of code in most programming languages, so there were some screens for logging in, email verification, changing your passwords, etc., and also an administrative interface and system for sending both transactional emails and marketing blasts. It all worked pretty well for 350,000+ users. The rest of the application could be written in Perl, Java, ColdFusion, ASP, WiTango or any other system that supports cookies and MySQL database access. The vision was that one could build a "portal" by modifying best-of-breed blog, forum, and other software to use my auth module.

I used it for quite a few sites but never got any uptake on the open source project, I think people just didn't agree with the vision.

I didn't see anything similar come along until 2013, when a bunch of "me too" companies came out with user management systems that worked as a SaaS, which struck me as absolutely insane because of what I said in the first paragraph, but these had a huge amount of uptake for reasons that baffle me completely. I guess some people don't find business interesting enough unless it has an element of Russian Roulette.

mffap|1 year ago

ZITADEL would be a good choice if you have multiple tenants and want to delegate things like access management and configuring auth per tenant in self-service; that part comes out of the box with ZITADEL and could save you quite some development. I wanted to throw that in, because for the authentication part most solutions would match your requirements, but keep authorization and auditability in mind as well.

That being said with ZITADEL you can also move between self-hosted and cloud: https://zitadel.com/docs/guides/migrate/sources/zitadel

ps: I'm biased (see bio).

nik2303|1 year ago

I played around with Zitadel. It looked a bit too confusing with too many UI options in it. My tech stack is this: React on frontend, NestJs on backend, React Native for mobile app (this is currently not in scope, so my playground at the moment is web app and backend).

Then I went to structure Zitadel like this: 1 Organization has -> 1 Project has -> 2 Applications.

Applications:

- 1 User Agent (this I use on the React side, I guess?)
- 1 Web app (this I use in NestJs, I guess?)

And both applications have PKCE flow as the Authentication Method. Then I checked the API application type and it has only the Private JWT authentication method.

Can I then have 1 Web App/User Agent and 1 API application? Or 1 Web App and 1 User Agent?

And if I use API application with private key JWT, what should be the auth method for other application?
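The comment above contrasts the PKCE authentication method (offered for the User Agent and Web app types) with private key JWT (the API type). Added example, not code from this thread or from ZITADEL: both ends of the RFC 7636 PKCE exchange, so it is clear why PKCE suits a public client such as a React app that cannot keep a secret, and what the authorization server must check at the token endpoint. The `PkceAuthServer` class is a constructed model of a provider, not ZITADEL's implementation.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding RFC 7636 mandates."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# ---- public client (the browser / "User Agent" app): no client secret to keep ----
def make_code_verifier() -> str:
    """32 random bytes -> 43 unpadded base64url chars, RFC 7636's minimum length.
    The verifier stays in the client's memory; only its hash goes in the redirect."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge sent with the authorization request (front channel)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# ---- authorization server side (constructed model of a provider, hypothetical) ----
class PkceAuthServer:
    """Issue an authorization code bound to a challenge, then redeem it only if
    the presented verifier hashes back to that stored challenge."""

    def __init__(self) -> None:
        self._codes = {}  # authorization code -> stored code_challenge

    def authorize(self, code_challenge: str, method: str) -> Optional[str]:
        # Accept S256 only: 'plain' would expose the verifier in the front channel.
        if method != "S256" or not (43 <= len(code_challenge) <= 128):
            return None
        code = secrets.token_urlsafe(24)
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """Back-channel token request. The code is consumed on first use whether
        or not the verifier matches, so a leaked code cannot be retried."""
        stored = self._codes.pop(code, None)
        if stored is None or not (43 <= len(code_verifier) <= 128):
            return False
        expected = make_code_challenge(code_verifier)
        return hmac.compare_digest(expected.encode("ascii"), stored.encode("ascii"))
```

A confidential backend (the API type) proves its identity with a signed JWT assertion instead, which is why the two application types expose different methods.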