supertokens / docs

SuperTokens documentation

Us vs Auth0 #25

Open rishabhpoddar opened 3 years ago

rishabhpoddar commented 3 years ago

Questions

rishabhpoddar commented 3 years ago

See the answers for SuperTokens here

Describe the dev setup experience (how many steps and what are they + time overall)

Basic setup for Frontend

Basic Setup for backend

Documentation review

Auth0's documentation is really good. Whenever you start an app and choose your tech stack, you get a curated quick setup guide taking you through the setup process. Each section in the dashboard gives information on how that section works. One place that can be hard to navigate is the Management API docs.

Can you easily add a custom social provider?

Auth0 allows you to easily add custom OAuth service providers through their dashboard. The setup form asks you to enter the authorization URL, token URL, scope, client ID, client secret and a fetch user profile script (queries the OAuth2 API with the access token).

Auth0 allows users to use their databases populated with pre-existing users (usernames, password hashes etc). How does this work? (callbacks used, how are transactions implemented)

Auth0

How can we go about customising the UI? From colours to full customisation

Auth0's dashboard allows you to customize certain aspects of the login screen:

Social account consolidation?

How do we do things like handle sign up success?

The Auth0 actions can involve calling your API endpoint if you want to add user details to your DB as well. However, during dev, if your endpoints are on localhost that causes an issue since Auth0 cannot call localhost. So you might have to do some tricky tunneling.

If one needs to do something like paginating across all users in the app in their API, how can they do that?

How would adding custom sign up fields work?

How would adding custom sign up validators work?

Auth0 allows you to add custom sign up fields,

How to go about customising the email design and or the sender's domain?

Auth0 allows for complete customization of all emails (welcome, password reset, email verification, change password etc.). The sender's domain, subject and message contents can be completely changed from the dashboard. The message HTML can be completely changed.

How to implement sign out functionality?

if you want to add a password strength meter to registration, how does it work

In Auth0's dashboard you can choose to customize the HTML code of the login widget. This allows you to change the config of the Lock widget to add additional fields, change styling etc. Adding custom elements in their editor does not seem to be something they encourage though.

Auth0 has a password strength meter built into its Lock UI. The password policy has a set of rules with a slider to customize how many rules to enforce. This can be modified from the database password policy tab. The rules are:

Email verification with Social providers, how does it work

Changing Email for social provider, how it works

For social account consolidation, how does changing the email work.

Email is not verified but password reset is done, does that verify email?

If a session expires is there a pop-up? does the user have to handle it.

RBAC, check properly, how to get the role of the user within the API for custom logic for both frontend and backend.

Roles in Auth0 are just a method to group together permissions.

what are the supported databases

Is there a mechanism for protecting routes (similar to the supertokens auth wrapper). How easy is it to protect multiple pages and what does the code look like?

Auth0 provides a HOC `withAuthenticationRequired` which can be used for protecting routes. E.g. create a component that uses `withAuthenticationRequired`:

```jsx
import React from "react";
import { Route } from "react-router-dom";
import { withAuthenticationRequired } from "@auth0/auth0-react";

// Wraps any route component so that unauthenticated users are redirected
// to the Auth0 login page before the component renders.
const ProtectedRoute = ({ component, ...args }) => (
  <Route component={withAuthenticationRequired(component)} {...args} />
);
```

In your router set the path and the component to be protected using the new component:

```jsx
// Profile is a placeholder for the page component you want to protect.
<ProtectedRoute path="/profile" component={Profile} />
```

Auth0 mobile implementation, IOS and Android

Auth0 provides SDKs for both Android and iOS and has good quick start guides for setup.

What are features that they provide that we don't?

  • SSO
  • Greater custom DB support through custom scripts (only for enterprise)
  • MFA
  • User management through the dashboard
  • RBAC
  • Passwordless/Magic links

If someone wants to tweak the sign up / sign in APIs, how can they do that?

Auth0 provides some extensibility points for customizing the APIs but they do not cover every scenario (they don't have pre and post customization for every API). The user can call the APIs from the backend to allow for complete customization pre and post API calls, but they would have to implement the frontend themselves as the Lock widget does not allow you to change the endpoints for its actions.

Changing password validation(or some similar feature) for sign up does this get propagated to other places(Signin, password reset)

  • Auth0 has three methods of customizing auth flows:
    • Rules
      • Rules are JS functions that are executed during user authentication.
      • They run after the main authentication flow is completed, i.e. just before the response is submitted to the user.
      • The ID Token and/or Access Token is passed to the Rules pipeline and then sent to the app.
      • Rules can be created from the dashboard, or they can be added through the Management API.
      • Uses
        • They can be used for adding more data to the user object
        • Normalizing data
        • Sending notifications that authentication just occurred
        • Creating a whitelist
        • Modifying the access token scopes
    • Auth0 hooks
      • Info can be found in the question about the post sign up callback
    • Actions
  • In the case of password validation, Auth0 has a special place in the dashboard for setting up password strength. This change is propagated through any flow that requires the user to enter the password.

How does revoking a session between your frontend and backend work

How to implement revoking a user's session functionality?

User has multiple sessions, only want to revoke a couple of them, how does that work

  • Auth0 does not seem to supply methods in their SDK for revoking sessions. From what I have seen the only way to invalidate the session is to clear the cookies on the frontend and then revoke the refresh token from the server using Auth0's Management API.

What if you want to embed the sign up / in page into your website UI (As opposed to opening a new tab..). Is that possible?

Auth0 allows you to embed login into your website. They allow you to use their login widget SDK in your app or just use the Auth0 SDK to query the auth endpoints.

Will their solution work with serverless env like in nextjs or netlify?

Auth0 provides a Next.js SDK. Setup:

  • Create an Auth0 app from the dashboard
  • Add the configuration keys to your Next app, in .env.local
  • Add an API route handler to your Next app with handleAuth from the Auth0 Next package
  • This will add the routes for login, logout and callback URLs
  • Wrap pages/_app.js with the UserProvider component to get the user details on the frontend

implementation with ssr

Pre and Post Action scripts?

  • Limited extensibility points. no extensibility point for pre and post login

Execute Auth0's default functionality inside action script?

  • As soon as you enable custom databases, Auth0's default store is disabled and the default functionality cannot be used. All action scripts (login, verify, change password etc.) have to be defined.

If a session expires is there a pop-up? does the user have to handle it?

  • When a user session expires there is no popup, user is redirected to login screen

sharing session across sub domains

  • Test:
    • Using ngrok to have two domains: localhost:3000 and the ngrok domain
    • Logged in on localhost
    • Switched URL to the ngrok URL
    • I was redirected to the login page
    • On clicking login I was signed in without having to enter details

How do go about sending emails yourself if you want to?

Auth0's inbuilt test SMTP mail server cannot be used in production and requires the user to set up SMTP.

  • In the dashboard users can select from a list of supported SMTP providers.
  • These are:
    • Amazon SES
    • Mandrill
    • SendGrid
    • SparkPost
    • Mailgun
  • Auth0 allows you to set a custom email provider and set the required SMTP provider settings

How well do they support various platforms and SDKs?

  • Auth0 supports the following SDKs with good documentation, quickstarts and sample apps:
    • Frontend
      • Angular
      • JavaScript
      • React
      • Vue
    • Backend
      • Laravel API
      • Node (Express) API
      • PHP API
      • Python API
      • Ruby On Rails API
    • Native and Mobile
      • Android
      • Cordova
      • iOS Swift
      • React Native
      • Windows Universal App C#
      • WPF / WinForms
      • Xamarin

Can sessions be used with httpOnly cookies?

  • According to this discussion it is possible

API customizability

Auth0 allows you to query its APIs from the backend and also perform management tasks (user management and tenant configuration) through its Management API.

How to disallow sign up and only have sign in?

In Auth0's dashboard under the database option, you can choose to disable signups.

Can you make the provider's frontend talk to your API instead of theirs? And then your APIs talk to their API.

Going through Auth0's Lock (their frontend widget) configuration, there are no options to set endpoints for actions like signup/signin.

Setting up for the two use cases of multi tenancy?

Auth0's multi-tenancy page in their docs mentions a couple of ways to handle multi-tenant apps:

  • Multiple connections:
    • If you have multiple database connections enabled you can choose which user pool to access by configuring the connection on the frontend. For enterprise customers, Auth0 provides the ability to use email domains as a way of routing authentication requests
  • Identify tenants by application
    • You can specify which Auth0 app to use. More control over connections and configurations.
  • Store tenant details in app_metadata
    • Store tenant details in the user metadata; an identifier can be stored which will be used to redirect users
  • Separate Auth0 tenants for each customer
    • Create a new Auth0 tenant for each of your application's tenants
    • Should only be done when you want to share the Auth0 dashboard with the customer
    • Lots of configuration and setup (set up apps and DB connections for each Auth0 tenant)

Does it provide Email OTP as a feature?

  • Auth0 allows for passwordless login with an OTP sent by email

Can a user be re-authenticated when visiting a protected route?

This can be done as seen in this discussion by setting the max_age param and checking the auth_time

Auth0 Marketplace

  • The marketplace is a hub in Auth0's dashboard which allows users to find and integrate third-party solutions. The idea behind the marketplace is that, say you want to add GitHub as a login provider, instead of googling the steps and trying to find out what they are, you have an official integration guide endorsed by Auth0 with clear setup steps and troubleshooting guides.
rishabhpoddar commented 1 year ago

About account linking:

Auth0 has proper automatic account linking. There are a few UX / security issues (but they are nothing major):