Slide 1

Almost Ideal Authentication in your JavaScript Application
Meme-driven knowledge sharing.
Volodymyr Rudyi

Slide 2

ABOUT ME
CEO of AgileVision.io and CTO of Agile Cashflow. Professionally developing software for the last 7 years. Designing architectures for SaaS solutions. AWS-Certified Solutions Architect.
Creates SaaS Products / Is a SaaS Product

Slide 3

Authentication — a process of verifying the identity.
(Air Force Photo/Paul Zadach)

Slide 4

Authorization — a process of defining access policy for some resource.

Slide 5

Authentication: most likely you are doing it wrong.

Slide 6

Even if not... you may be in danger anyway.

Slide 7

Before you can authenticate, you need to implement:
1. Registration flow
2. Password reset flow
3. Credentials validation
4. Error handling
5. Error messages
6. Localization
7. Brute-force attack protection
8. Email templates

Slide 8

After the user authenticates, you need to think about:
1. "Remember me" feature
2. Deleting or blocking/suspending users
3. Event log
4. Anomaly detection
5. MFA
6. Global logout
7. Scaling

Slide 9

Implementation Approaches. Let's see...
I will write it myself

Slide 10

DIY Approach: Closer Look
Pros
● Flexible
Cons
● Huge effort
● Difficult to maintain
● Requires "low-level" testing
● Insecure in many cases
● Not reusable
(Public domain image from Wikimedia.org)

Slide 11

Popular Tools to Create Custom Authentication
● Passport.js

Slide 12

Implementation Approaches. Let's see...
Pre-Packaged Platform

Slide 13

Third-party, self-hosted: Pros
● Flexible, especially if open-source
● Moderate implementation effort
● Many bugs have already made other users suffer (maybe those have been fixed)

Slide 14

Third-party, self-hosted: Cons
● Learning curve may be steep
● Proprietary self-hosted solutions can be expensive
● Maintenance required
● Vendor lock-in

Slide 15

Popular self-hosted authentication providers
Open-source / Proprietary

Slide 16

Implementation Approaches. Let's see...
AaaS Solution*

Slide 17

Authentication as a Service: Pros
● Almost zero time-to-market
● Per-user pricing
● Low implementation costs
● Low maintenance
● Tight integration with PaaS where applicable
● Often compliant with many regulations, even local ones

Slide 18

Authentication as a Service: Cons
● Vendor lock-in
● Per-user pricing
● Availability is not under your control
● A gap in support between you and your users: anything that happens on the AaaS side can't be resolved by anyone but the provider
● Limited customization

Slide 19

Popular Authentication Services

Slide 20

What should you take into account?
● Platform support
● Migration path
● Backup options
● Compliance
● Implementation cost
● License/subscription cost
● Implementation timeline, including security audits (Hello, Google!)
● Availability, especially past incidents
● Support

Slide 21

How to think?
1. Prefer Authentication as a Service over anything else.
2. Prefer open-source over proprietary self-hosted.
3. Do a custom implementation only if there is no other choice or it's for testing/PoC.

Slide 22

Authentication Service Market Overview

Slide 23

Auth0 Overview
● Provided by a company focused on authentication and authorization services
● Integrates well with different platforms and languages
● Provides a Hosted UI
● Client-side and server-side SDKs
● MFA support
● Passwordless/OTP sign-in
● Self-hosted enterprise version for setups with such requirements

Slide 24

Auth0 Weaknesses
● Standalone product, thus requires additional integration into your infrastructure
● Slower support for lower-tier subscriptions
● Powerful, but somewhat complicated
● HIPAA and other compliance is available only for the enterprise license tier

Slide 25

AWS Cognito Overview
● Provided as a part of the Amazon Web Services (AWS) platform
● Supports OIDC and SAML federation
● Supports web, iOS and Android clients
● Provides client-side and server-side SDKs
● Deeply integrated with AWS services and can issue tokens to access them
● Supports Hosted UI
● Supports MFA
● HIPAA and PCI DSS compliant out of the box

Slide 26

AWS Cognito Weaknesses
● Hosted UI is not very customizable: only the logo and a few colors can be changed
● There is no such thing as an action email/action link besides the standard registration/reset flow; invitation emails are not first-class citizens
● API is very slow
● Default API rate limits are low
● Search API is not usable unless you are happy with basic search by name and email
● Too few "ready-to-use" integrations for external systems

Slide 27

Firebase Overview
● Integrates well with Firebase (obviously)
● Provides SDKs for many platforms, including C++ and Unity
● Flexible email configuration and email actions

Slide 28

Firebase Weaknesses
● HIPAA compliance (there are workaro
● No SAML support out of the box

Slide 29

Almost live coding session

Slide 30

Flutter and Svelte Auth0 Example

Slide 31

Flutter example from https://github.com/devdennysegura/flutter-auth0

Slide 32

Vue App

Slide 33

Bonus Slide: Pricing Comparison (Rough Estimates)

Users   Auth0      AWS Cognito   Okta       Firebase
1K      $23/mo     $0/mo         $0/mo      Free*
10K     $228/mo    $0/mo         $200/mo    Free*
50K     $1140/mo   $0/mo         $1000/mo   Free*

(Public domain image from Wikimedia.org)

Slide 34

Questions?

Slide 35

Thanks!
[email protected]
https://agilevision.io