I’m working at an early pre-seed startup and building out the product. Every time I revisit implementing identity, I struggle to find a good solution. Building it in house is costly and fraught with potential errors, but platforms like Auth0 charge an exorbitant amount per user that’s difficult to justify at an early stage of a company. I’m curious what other people are using in their products.
Currently using Firebase Auth, which was fairly easy to implement and is free/cheap at high user counts, so it is an option for a B2C application, unlike most commercial solutions I ran across.

Cons: difficult (sometimes impossible) to customize, password complexity can't be set (6-letter passwords allowed, wtf), and worst of all - it's Google, so expect the appropriate level of care from the company (read: none). Definitely planning to switch out when/if there is traction, but for an early MVP I found it to be quite decent.
Is it a B2B or B2C product that you're building? What are the authentication methods you want to support? Do you only require authentication, or also authorization or session management?

I think answering these questions first will help you find a suitable solution in this space, as each provider has different strengths and weaknesses depending on your use case.
I would suggest setting up your own hosted auth provider (via e.g. IdentityServer 4) to retain ownership of identity secrets, then use SAML, OIDC, etc. to perform federated authentication with third-party authentication and identity providers (e.g. Google login, Apple login, etc.).

This is more complicated, yes, however you are less likely to end up in a situation where a core identity provider unreasonably raising their rates results in either a significantly higher cost per user or significant user attrition during provider account migration.

Or if you’re less risk averse, just pick a major identity provider such as Auth0 and use their free plan for getting started easily. Many major providers offer “easy” migration away from their competitors and provide extensive documentation for how to integrate with their platform.
For a B2B service, I use Auth0. It does cost $20 or so per month for the lowest tier, but when I need to enable enterprise login mechanisms for a single customer, it will be worth every penny to have that be a simple thing to enable versus a whole engineering project.
Keycloak is top notch in this sense. Really the best you can get. Oh, and it’s open source, so you can self-host it. We used to support ~2k daily users with an HA Keycloak (running as three pods on Kubernetes, with 2GB RAM per pod).
There are solutions out there like Auth0, Okta, SuperTokens, Keycloak and OpenPolicyAgent, but they all have their own learning curves.

Personally I would revisit the problem first: does my current market really need a full-blown solution, or can I get away with a simple Postgres backend with a simple users table and an RBAC implementation (sometimes it's even just a roles array on the server side)?

Much of it, though, is addressable once there's a real business need for it. Hiring a dev that really knows how to roll it out is worth the money, or even a consultant that can guide you through it.
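The "simple users table plus RBAC" option from the comment above, as an added example that is not any poster's code: SQLite stands in for Postgres, and the minimum password length and PBKDF2 iteration count are assumed policy values. It shows the minimum a hand-rolled version needs to get right (per-user salt, slow hash, constant-time compare, no user-enumeration shortcut).

```python
"""Minimal users table + role check, constructed for this thread (not any poster's code)."""
import hashlib
import hmac
import os
import sqlite3

MIN_PASSWORD_LEN = 12         # assumed policy; stricter than the 6 chars noted above
PBKDF2_ITERATIONS = 600_000   # assumed; OWASP's current guidance for PBKDF2-HMAC-SHA256


def open_db():
    """In-memory SQLite standing in for the Postgres users table."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE users (
        id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL,
        salt BLOB NOT NULL, pw_hash BLOB NOT NULL)""")
    db.execute("CREATE TABLE user_roles (user_id INTEGER, role TEXT, "
               "PRIMARY KEY (user_id, role))")
    return db


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def create_user(db, email, password, roles=()):
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError("password too short")
    salt = os.urandom(16)  # per-user random salt, stored beside the hash
    cur = db.execute("INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
                     (email, salt, _hash(password, salt)))
    db.executemany("INSERT INTO user_roles VALUES (?, ?)",
                   [(cur.lastrowid, r) for r in roles])
    return cur.lastrowid


def authenticate(db, email, password):
    """Return the user id on success, None otherwise."""
    row = db.execute("SELECT id, salt, pw_hash FROM users WHERE email = ?",
                     (email,)).fetchone()
    # Hash even for an unknown email so response time does not reveal which emails exist.
    salt, stored = (row[1], row[2]) if row else (b"\0" * 16, b"\0" * 32)
    ok = hmac.compare_digest(_hash(password, salt), stored)  # constant-time compare
    return row[0] if (row and ok) else None


def has_role(db, user_id, role):
    """RBAC check: does this user hold the given role?"""
    return db.execute("SELECT 1 FROM user_roles WHERE user_id = ? AND role = ?",
                      (user_id, role)).fetchone() is not None
```

The dummy salt/hash path in `authenticate` costs one extra PBKDF2 run per failed lookup; that is deliberate.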