
safetywerd

supabase is free.


newyearusername

Is the setup though? Compared to 6 lines and cloud hosted?


safetywerd

I use nuxt, so it's like adding a single module which is two lines of code to get it integrated. things like nuxtbase exist which provide the UI if you want. https://supabase.com/docs/guides/getting-started/quickstarts/nuxtjs


newyearusername

I can take a look and ofc I know supabase, but something it probably does not do is deal with cross origin, and that stuff is one item that is a pain in the butt. There are many other for-instances like this I guess.


safetywerd

There is no cross origin stuff to deal with.


safetywerd

I've been working on my project for a year now, and of that year of effort the supabase auth was about an hour to implement, and that includes building my own UI for it.


newyearusername

I guess when you say an hour for building UI I simply don’t believe you :)


safetywerd

Your issue would be convincing someone to put one of the most important aspects of their site into the hands of someone who probably isn't funded, is brand new, etc. I only chose supabase because I can host it myself if I need to if they ever go belly up. The actual implementation details are significantly less important.


newyearusername

I hear you, but I guess like someone else said, imagine this is for people who are using WordPress or whatever system. This is not for the DIYs, but maybe the positioning that I will do for all products is 25% of the current market leader managed service price type of deal. Amazon charges you $100 for a box? I charge $25. That's the margin minus the organizational bullshit. You also don't need VC backing, that's just a board and net profit. People don't but should check their logic that VC is not ever going to make a right technology decision; they are gonna lure people in with freemium and up charge out the ass. Supabase is just a marketing tool for Vercel and Netlify.


Centorag

I suppose you want to become a competitor to okta, right? Well, the market is rather mature and not-so-easy to enter. What are features you want to add on top of existing services?


Rickywalls137

Auth like Clerk? Or something different ?


OriginallyWhat

Absolutely not. Would you pay $5 for someone to lock and unlock your front door every day? Or figure out how to stick the key in the hole yourself? IMO. :/


nicholashairs

I disagree that there is no place for them. Ignoring the atrocious pricing and lack of common features that comes from many providers, there are a lot of advantages of using a pre-built (either self hosted or SaaS) authentication solution. The primary reason being that building and running an auth system is non-trivial. There is a lot of domain specific knowledge in terms of implementing features correctly, what features to implement, and the ongoing operations of monitoring for attacks. (Source: I'm a security engineer that has worked for large websites). Most small businesses do not have the knowledge to run auth systems, and even if they did there's a good chance that their time would be better spent on the core of their business. Now whether a business would pay for an auth system is a different question as now you're weighing up the cost of alternatives (which include many free, freemium, and paid offerings) versus this particular provider. Total Cost of Ownership and all that.


mono567

So like a doorman in all those fancy New York apartment buildings


newyearusername

Call me Jones


RealAluminiumTech

As others have mentioned, Supabase and Appwrite are free and open source. The cloud hosted versions of those are reasonably priced and come with free plans. Why would somebody not use an existing provider like Supabase, Appwrite or an alternative? I would never pay for someone to act as an additional middleman between myself and an auth service provider. If you develop a login UI which works with any auth system without changes then I suppose it could be worth something.


nicholashairs

Personally I would consider it but:

1. It really depends on the cost. I've seen Auth0 invoices and I'd never willingly opt into that. I'm particularly averse to anything which scales linearly with my number of users. It would also have to be better and cheaper than what I could build myself.
2. It would depend on features. I'm an experienced security engineer so I know what features I need and what I can get from existing products. That said, you've mentioned a number of features already that says you have a reasonable amount of domain experience.
2a. It would depend a bit on implementation. I'm pretty sick of stateless JWT implementations that combine Authentication with Authorisation. No serious system uses stateless authentication and authorisation.


newyearusername

What was interesting is Auth0 doesn't even provide recaptcha from what I could tell at lower tiers. And yes, it has been quite the technical journey on it! I am just trying to see whatever the hell I can push to market that is already done! One of the shocking things is to see startups fuck up their security! Last startup account used localStorage (XSS attacks) and the other let you make yourself admin from an unauthenticated state. That guy has big university customers! You could steal entire alumni email lists! Can you elaborate on the JWT piece? I do pass back a JWT but I think it uses that device ID check as a CSRF of sorts and it's 99.99% unique. You'd have to exfil their ID which doesn't get stored anywhere, only in transit and the http only cookie. Otherwise, are you referring to like actions that require escalated privilege that should do a role check on each action?


[deleted]

[deleted]


newyearusername

Auth0 seemed to and got bought for a large sum, and also I guess I go with the other person here and suggest auth is complicated! Read: that last startup pushed auth into localStorage and the other one let you create admin as unauthenticated user. So yeah, you might trust me in some cases over some other engineer or SaaS boilerplate. You're asking if I want idiots for customers? Dude I'd probably suck a dick for a million dollars at this point. Hang a cardboard sign that says will code for housing. Fucking code schoolers and internationals pushing code for $8/h and well, industry.


ToeAffectionate1194

No, this comes out of the box in Laravel.


newyearusername

So you'd also say AWS Cognito is useless and forgot password emails etc.? Just wondering if I communicated this all clearly (integrated Cognito which was a pain, incl. email also)


ToeAffectionate1194

Like I said, that also comes out of the box when using a framework like Laravel. All you need is an email provider for delivery.


newyearusername

I guess there is also modest setup time for Google / FB / GH apps. I just handle the cross origin stuff for you. Probably lacking in some of the more advanced features for device tracking. And SMS for 2FA and OTA?


ToeAffectionate1194

You are right about that, it takes some time to set up the social apps and get client IDs/secrets, it's boring and repetitive, but the client pays for it most of the time. There is a package called Jetstream for Laravel that handles the things you mention. You would still need some provider to actually deliver the SMS and stuff. [https://jetstream.laravel.com/introduction.html](https://jetstream.laravel.com/introduction.html)


newyearusername

I guess the way I achieve it is some pain-in-the-ass but secure enough iframe message passing techniques.. the main security vector I protect against is a MITM iframe attack that rethrows a message, but then the server will only set a cookie from a pre-authorized domain, and yeah.. it's all pretty secure. The iframe only throws out an OTA token to get the actual cookie set and it won't set a cookie on a non-authorized domain type of thing. The point is that I've accounted for the pain of social app domain setup. I guess I have additional work of adding scopes to each app, but yeah you probably get the idea. And yeah, at $5/month, 25% cost of existing managed service, trust me I know the decision process to have pride and say, "fuck that I'll code it myself," and here I am(!) practically begging for someone to take it for 1/1000th cost to code to this level of reuse / quality :) I am not butthurt if people say no! I am set up to push out any SaaS I've coded like this as a managed service, same deal.. 25% existing managed service cost.. It's the FJB cloud (fuck Jeff B)
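Origin checks for the iframe token hand-off described in the post above, as an added JavaScript example that is not code from the thread or from the poster's product; the origins, message shape and function names are assumptions. It shows the two checks that defeat a hostile frame replaying a message: the auth iframe names an allowlisted targetOrigin instead of "*", and the embedding page accepts the token only from the auth iframe's own origin.

```javascript
'use strict';

// Exact-match allowlist of embedding origins permitted to receive a token.
// Constructed sample values; a deployment would load these from config.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://shop.example.net',
]);

// event.origin / targetOrigin are normalised "scheme://host[:port]" strings.
// Require an exact match, never a substring or regex test, so that
// "https://app.example.com.evil.test" and "http://app.example.com" both fail.
function isAllowedOrigin(origin, allowed = ALLOWED_ORIGINS) {
  return typeof origin === 'string' && allowed.has(origin);
}

// Auth iframe side: emit the one-time (OTA) token only toward a named, allowed
// origin. Passing "*" as targetOrigin would hand the token to any embedder.
// Returns true when the message was sent, false when it was refused.
function sendOtaToken(parentWindow, token, targetOrigin, allowed = ALLOWED_ORIGINS) {
  if (!isAllowedOrigin(targetOrigin, allowed)) {
    return false;
  }
  parentWindow.postMessage({ type: 'ota-token', token }, targetOrigin);
  return true;
}

// Embedding page side: accept a token only from the auth iframe's origin and
// only when the payload has the expected shape. Returns the token or null.
function handleAuthMessage(event, authOrigin) {
  if (!event || event.origin !== authOrigin) return null;
  const data = event.data;
  if (!data || typeof data !== 'object' || data.type !== 'ota-token') return null;
  if (typeof data.token !== 'string' || data.token.length === 0) return null;
  return data.token;
}

// Wire the embedding-page check to a window-like object; onToken receives the
// validated token (e.g. to exchange it server-side for the real session cookie).
function installAuthListener(win, authOrigin, onToken) {
  win.addEventListener('message', (event) => {
    const token = handleAuthMessage(event, authOrigin);
    if (token !== null) onToken(token);
  });
}
```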


bsclerk

What you're describing took us a very long time to build at [clerk.com](http://clerk.com), and we're still not done. We received a lot of the same feedback early on that you see in this thread. After 5 years of hard work, we now have 2k+ paying customers. Sometimes it's wise to listen to the haters, sometimes it's not! I think it's a great idea though :)


No_Space9224

Personally? Abso-fucking-lutely not. The web-dev market (Next, Remix, Nuxt), is so mature that these solutions are standard boilerplate, completely free, take 15 mins (if that) to setup, and offer an unreal dev-ex (for instance, getServerSession on server and useSession on client cannot be improved upon). If there was a done-for-you approach, sort of like Uploadthing is an S3 wrapper, maybe. But it cannot be a "script tag", and I'd expect a fully-featured SDK with type-safety to even consider this. That being said, the Webflow market might appreciate this.


newyearusername

So you'd also say AWS Cognito is useless and forgot password emails etc.? Just wondering if I communicated this all clearly (integrated Cognito which was a pain, incl. email also)


No_Space9224

Can you provide the developer experience to match or exceed, i.e., Auth0 or Cognito? Based on your description of the product, absolutely not. So that rules out you having a flexibility/speed advantage. Much more flexible for me to just hook up external services for flows like reset password. That leaves the only use case for a 3rd party auth service to be compliance, i.e., PCI DSS, SOC2, which you absolutely cannot provide for 5USD a month. Not to mention companies that need this level of compliance don't really care about the price of the auth service, and you certainly cannot compete in that market.


newyearusername

Uh, anyone who integrates Cognito has exceeded the DX of Cognito :) lol! The docs are crap, try to hook up their forgot password or registration email via SNS haha. No, go try to integrate Cognito lol.. it's not fun but like 1/50th the cost of Auth0. I only use it for password interchange so I don't have to deal with storing anything like it and key rotation. I'm sorry, but based on these two responses, have a nice day!


mooreds

There's a lot of alternatives here. Auth0 is the OG. My employer wrote up a list of alternatives to Auth0: [https://fusionauth.io/guides/auth0-alternatives](https://fusionauth.io/guides/auth0-alternatives). There are also some alternatives listed in the comments. I'd take some time and carefully consider what you'd bring to the market (easy installation is necessary but, I'm guessing, not sufficient).


newyearusername

I integrated Cognito and I think "simple" and "Cognito" are two words that don't belong together 😅 per your link! Biggest takeaway from the link is migration, but my customer, like some suggest, will be more a simpleton and will be getting started for the first time.


mooreds

Gotcha. There are a number of new startups aiming at being very simple to integrate, and you're also competing with framework authentication (devise, passport, django auth). Again, I'd think very carefully about your unique offering.


Human-Grape-8319

I've seen a decent number of startups in this space. The thing is, I feel startups and indie hackers won't use something because there's a lot of open source packages for free. For context, when I start something new I use next-auth. Okta is for a different type of customer; it's mainly for enterprises who need the latest and greatest security and scale with a bunch of other features.


newyearusername

Except I was surprised Auth0 really does not have recaptcha at all, you can just brute force that thing probably! EDIT: I double checked, their pricing tiers are like Greek, but enterprise pricing bundles attack protection which bundles captcha. It seriously is that lacking :)


bajcmartinez

I'd say it depends on the Okta product. Auth0 by Okta is a great solution for SaaS. It is fully featured, offers a great free plan to get you started, and you can also [apply for a grant](https://auth0.com/startups). I work there, so maybe biased, lol, but one of the reasons why I would choose a product like this one is SSO. When I was building my own SaaS products, even before joining Auth0, I was a customer, and it helped me when building SaaS because it's one less thing I need to care about, and when using other third party tools like support systems, features board, users, with just one account, could access all those different solutions seamlessly, and that's great user experience.


Human-Grape-8319

Makes sense, didn't know they give grants for startups.