I have just implemented this after we moved away from SuperTokens. My takeaway is that it's easier than you'd think (there are libraries that do the interaction with the SSO provider for you) and you can fine-tune it to your liking (for example, more involved account linking).
If you're starting out though, probably go for a SaaS in the beginning. But be sure to have monitoring for pricing and an option to close account creation, these things can become expensive fast.
Many. We used the NodeJS version of it, which has pretty poor error handling. When it breaks, it breaks hard (runtime errors with no message or stack trace).
Security. You cannot deactivate certain unsafe mechanisms. For example, if you send it an ID token, it will not verify the aud claim, allowing any valid token from the same SSO provider.
API stability. We're consuming their API from a mobile app. But every major version (about five a year) changed the REST API without backward compatibility or versioning. It's fine if you use their lib and keep parity, but that's really only possible on the web.
All of this was with their self hosted offering, I haven't tried their hosted one.
My opinion, as someone who works for a company with both a free and paid auth software option: it depends.
If you only need minimal auth functionality and you have one app, go with a built-in library (devise for rails, etc etc).
If you need other features:
- MFA
- other OAuth grants for API authentication
- SSO like SAML and OIDC
or you have more than one application, then the effort you put into using a SaaS service or standing up an independent identity server (depending on your needs and budget) is a better solution.
Worth acknowledging that auth is pretty sticky, so whatever solution you pick is one that you'll be using for a while (assuming the SaaS is successful).
Auth0 as a choice is good for some scenarios (their free plan covers 7k MAUs which is a lot for a hobby project), but understand the limits and consider alternatives. Here is a page from my employer with alternatives to consider: https://fusionauth.io/guides/auth0-alternatives
Stack Auth is trying to solve exactly this — open-source, developer-friendly, and reasonably priced managed auth. That way, you don't have to worry about OAuth but still aren't locked into a specific vendor.
The downside is that we only support Next.js for now (unless you're fine with using the REST API), but we're gonna change that soon.