Why Use a Third-Party Auth Provider?
Ryan Chenkie: [0:00] It turns out that building the features for user authentication and authorization gets to be pretty tedious because it's required in pretty much every application we build. At least four applications that aren't just public and accessible to everyone that might come to it, we really need to have some user authentication and authorization in place.
[0:19] If we have to build those same features from one product to the next, that gets to be a big drain on time. Especially because it's largely the same from one product to the next. Really, it's just small changes that need to be put in place.
[0:32] Now, the need for user authentication is definitely not new. What's fairly new, at least in the last 10 years, is this slew of companies that now exist, which help to make that process easier.
[0:43] Companies like we see here, Auth0, Okta, and another one called Ping Identity, these companies all offer products which help to smooth over the process of building authentication for our apps. The bet that these companies have made is that authentication and authorization are going to be needed in most nontrivial applications.
[1:03] The code that goes into making those features happen can largely be generalized. A company like Auth0 can build a platform that gives us user authentication through usernames and passwords or gives us access to third-party authentication providers like Facebook, Google, Twitter, etc.
[1:20] They can wrap all of that up into a nice product that gives us things like a login box that just comes out of the box with Auth0. We can take that and drop it into our application.
[1:31] This is quite nice. It means that we don't have to spend time doing all of this ourselves. Whereas it used to take days or weeks to build all of the different pieces for authentication, it's now simple.
[1:43] We can just sign up for an account with Auth0, download some code, drop it into our application, and we're pretty much good to go. Now to get everything fully working in the application there is a bit of work. There's a bit of complexity that we've got to deal with. We're going to see how to do all of that in this module.
[1:58] Now, the top players in this space being Auth0 and Okta, and then other companies like Ping Identity, they all offer a similar product in some ways. There's a bunch of differences between them, but they all pretty much give us a way to build authentication and authorization in our apps.
[2:14] Okta is seen as an enterprise-focused company. They deal a lot with identity for large enterprises. Auth0 is considered an enterprise platform as well. Most of their business is with large companies, large enterprise companies.
[2:29] However, Auth0 is also known as being friendly to developers. They give a great developer platform. It's easy as a solo developer to use their self-service option. Overall, they provide a good product for developers.
[2:42] I actually used to work at Auth0 from 2015 until late 2017. For just over two and a half years, I worked at Auth0. That's actually where I learned most of the security stuff that I know, which I'm now teaching to you. When I was working at Auth0, I got to see what it was about the product that various companies liked, and what the reasons were that they wanted to use Auth0.
[3:04] For a lot of organizations, especially a lot of larger ones, they really liked the single sign-on features that Auth0 provides. If you work at a large company and you have many different internal applications, for example, you don't want to have separate user bases and separate login flows for each of those applications.
[3:22] Instead, you want a way to have one centralized login. Then, every internal application in the company can just be easily accessed by an employee without the need to login to each one.
[3:33] Single sign-on was popular amongst customers. This is something that can take a long time to develop in-house. There's definitely a lot of time savings if you use something like Auth0. Some other features that a lot of developers and a lot of companies like include things like multi-factor authentication.
[3:50] Whereas you might have to build your own MFA solution all by yourself, if you're using Auth0 you can literally just flip a switch and it will be turned on. Beyond that, if you use something like Auth0, you've now got a company that specializes in security, taking care of all of the security details that go into authentication.
[4:08] Instead of you needing to worry about whether or not your implementation is secure, whether or not you are correctly storing passwords, whether you're verifying users correctly, instead of you having to do any of that, Auth0 takes care of it. There's definitely a lot to be liked about companies such as Auth0, and Okta, and others like Ping Identity as well.
[4:28] In this module, we're going to take a look at Auth0. We'll see how to implement in the Orbit application that we've got. We'll effectively shift the burden of authentication from ourselves onto a third-party.
[4:39] This is something that I generally recommend to people who need to include authentication and authorization in their applications. My recommendation is to use a third-party. The reasons for that stem from the things that we've talked about.
[4:51] Building out our own authentication takes time, takes effort. That effort would probably be better served building out features of our application. Also, it's nice to not need to worry about all of the complexities and vulnerabilities that might be present if we were to build our own solution.
[5:07] To sum it up, one of the tag lines that Auth0 has used before is, "You wouldn't build your own database engine, so why would you build your own authentication." I think there's a lot of merit to that.
[5:17] Let's get started on Auth0 now. We'll see how to sign up for an Auth0 account and then get it working in our application.