Identity Management, Authentication & Authorization for Lead Engineers
What's the difference anyway? Do companies actually pay for it?
“Nobody cares about authentication, but everybody needs it” - Auth0 CEO Eugenio Pace
In this issue of Lead Engineer we are going to discuss authentication and authorization. We will cover the following topics:
Topic Primer. What is authentication/authorization? What do I need to know about it?
Build vs Buy. It can be very tempting to build your own auth system and in some situations that makes sense. In this section we will discuss this.
What other companies do in this space. An overview of some companies and how they approach what is a very common problem.
Product Recommendations. Whether you want to build or buy, we have curated some technologies and companies for you to explore. NOTE: We do not get paid for recommending any of these products, and we simply are sharing our experience, good and bad.
Further Reading. We have curated the best posts on this topic to allow you to dive deeper in the most efficient manner.
1. Topic Primer
Authentication
Authentication, sometimes shortened to AuthN, is the process of proving who you are. A popular way to implement it is the OpenID Connect protocol (OIDC), an identity layer built on top of OAuth 2.0.
If you are a Twitter user and you signed up using either of the "Sign up with Google" or "Sign up with Apple" buttons:
You have used OpenID Connect. Google and Apple are what we refer to as identity providers (shortened to IDP). Delegating authentication to an IDP is advantageous both for users of your system and for you as a Lead Engineer because:
You don't store passwords in your system. There have been plenty of data breaches where passwords were leaked because they were stored incorrectly, in plaintext or with a fast unsalted hash (see haveibeenpwned).
You get to lean on the security controls of the IDP.
Your users do not need to remember a specific password for your system.
Users trust these big companies and recognise the pattern of signing up or signing in with them.
The signup process is more seamless.
The OpenID Connect protocol is well defined and client libraries exist for most languages, so it is quite easy to implement. The one part you must not skip: a relying party has to validate every ID token it receives (signature against the IDP's published keys, issuer, audience, expiry and the nonce it sent) before trusting the identity inside it. You can read more about it here.
Authorization
Authorization, sometimes shortened to AuthZ, aims to answer the question: given who you are, what can you do?
Given you identified yourself as John who is the CEO, you can view all employee information.
Given you identified yourself as Pam who is in the finance team, you can run payroll.
Given you identified yourself as Michael, you do not have permission to view that specific page.
// Lead Engineer pro tip: You can get really into the weeds
// with authN & authZ, but we recommend not delving much deeper
// until after the build vs buy conversation. If you take your
// company's needs to one of the buy options, they will provide
// you a wealth of information to help you learn more about it
// for your specific use case.
Authorization is often built on the OAuth 2.0 framework. Strictly speaking, OAuth 2.0 is a protocol for delegated authorization: it issues an Access Token that says what a client may do on a user's behalf (expressed as scopes), and the API that receives the token (the resource server) is what actually enforces it. Access Tokens have no mandated format in the core spec, so they can be opaque strings the API looks up, but JSON Web Tokens (JWT) are one of the most popular formats because the API can verify them locally. A JWT is only a container, though: the security comes from verifying its signature and checking the issuer, audience and expiry claims before acting on anything inside it.
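To make the two halves of the primer concrete, here is an added example (not code from the original article) of the checks a relying party and a resource server perform on the tokens described above: the OpenID Connect ID token checks (signature, issuer, audience, expiry, nonce) and the OAuth 2.0 access-token scope check. It uses only the Python standard library, so it signs with HS256 and a shared secret that stands in for the IDP's signing key; real identity providers sign with RS256 and publish their public keys at a JWKS endpoint. The issuer, client id, API audience and secret are hypothetical values constructed for the example.

```python
"""JWT (HS256) verification plus OIDC ID-token and OAuth 2.0 scope checks.
Added example using only the standard library. Assumption: a shared HMAC
secret stands in for the IdP's RS256 signing key and JWKS endpoint."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example"        # hypothetical identity provider
CLIENT_ID = "my-app"                  # hypothetical client id (ID token audience)
API_AUDIENCE = "https://api.example"  # hypothetical resource server identifier
SECRET = b"demo-shared-secret"        # constructed for this example only


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT. Plays the role of the IdP / authorization server."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes = SECRET) -> dict:
    """Return the claims if the signature is valid, else raise ValueError.
    The algorithm is pinned: 'none' or any other alg is rejected before the
    signature is even looked at, so the header cannot downgrade the check."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    # constant-time comparison so a forged signature leaks no timing information
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def validate_id_token(token: str, expected_nonce: str, now: float = None) -> dict:
    """Relying-party (OIDC) checks: signature, iss, aud, exp and nonce."""
    now = time.time() if now is None else now
    claims = verify_jwt(token)
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def authorize_request(access_token: str, required_scope: str, now: float = None) -> bool:
    """Resource-server (OAuth 2.0) check: valid, unexpired token for this API
    that carries the required scope. Returns a plain allow/deny decision."""
    now = time.time() if now is None else now
    try:
        claims = verify_jwt(access_token)
    except ValueError:
        return False
    if claims.get("iss") != ISSUER or claims.get("aud") != API_AUDIENCE:
        return False
    if claims.get("exp", 0) <= now:
        return False
    # OAuth scopes are a space-separated string, e.g. "payroll:run employees:read"
    return required_scope in claims.get("scope", "").split()
```

`validate_id_token` answers "who is this?" (authentication) and `authorize_request` answers "may this caller do X?" (authorization); note that the second never looks at who the user is, only at what the token was scoped to. In production, swap the HS256 verification for RS256 against the IDP's JWKS and keep the alg pinned exactly as here.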
At some point in your company's lifespan you are going to need more fine-grained access control, and users will be looking for flexibility in how they access your application. Your job is to make sure they stay secure. It's time to start looking at auth solutions.
2. Build vs Buy
Instinctively, you may straight away start reading the OpenID Connect and OAuth 2.0 specifications and begin planning how you might build your system. However, it is worth taking a pause and doing a build vs buy comparison. It is ALWAYS worth doing this before you set out to build a complex system that is not a core competency of your business.
// Lead Engineer Pro Tip: This is a good opportunity to have a
// discussion with your team and other Lead Engineers in the
// company. It's a cross-cutting concern and getting a variety
// of views is going to be invaluable to winning support for
// your decision from stakeholders.
Questions to ask:
What is the opportunity cost of building and maintaining our own system vs paying for a SaaS subscription?
If there was a security defect in the system, do we have the expertise in house to fix it?
What would be the impact of a data breach?
Do we intend to go for any industry certifications? How do we build a compliant system?
For different stakeholders, you are going to need to sell your proposal in different ways. For example, the CTO might be interested in the technical benefit of building, whereas the CEO/CPO might be more interested in what engineers could spend their time building instead.
3. What other companies do in this space
Big Tech & FAANG
It probably will not surprise you that big technology companies have pretty much universally decided that building their own system makes sense. They have the people-power and the expertise to run these complex systems and, perhaps more importantly than any cost saving, it means that an outage at a third party does not disrupt their users. The larger your company becomes, the more this matters relative to cost. Some of the companies that run their own systems even act as identity providers that the tools mentioned below integrate with. These include:
Apple
Google
Twitter
Meta
Reddit
Amazon
to name a few.
Startups
Startups are a bit more tricky to put into a box. Startups on the smaller side may roll their own login system with username and password. This will get you incredibly far, but we certainly do not recommend it unless you know what you're doing: at a minimum that means storing passwords only as salted hashes from a purpose-built password hashing function (bcrypt, scrypt or Argon2, never a plain SHA-256), rate-limiting login attempts, and having a plan for adding MFA later.
Others will opt to buy immediately. They might be cash rich but time poor as they look to grow quickly to reach the next valuation. Identity management is a distraction; it just has to work. It's not a sexy feature and customers just expect it to be secure.
If you are at a startup and having these conversations now, based on our experience we recommend buy every time. Nearly all of the buy options below offer quite a generous free tier, and it means you can spend your time building out features to increase your valuation.
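For the startups that do roll their own username-and-password login, here is an added example (not code from the original article) of the one thing that must be right: password storage. It shows the unsalted fast hash that has caused so many of the haveibeenpwned breaches beside a hardened version using scrypt from the Python standard library, with a per-user random salt, the cost parameters stored alongside the hash so they can be raised later, and a constant-time comparison. The scrypt cost parameters are an assumption chosen to keep the example fast; production deployments should use the current OWASP recommendation for their hardware.

```python
"""Password storage: the wrong way beside a hardened way.
Added example using only the standard library (hashlib.scrypt, Python 3.6+).
Assumption: N=2**14, r=8, p=1 are demo-sized cost parameters (16 MiB);
raise N for production and pass maxmem= to hashlib.scrypt accordingly."""
import base64
import hashlib
import hmac
import os

# Demo cost parameters (assumption, see above). Stored with each hash so that
# old records can be verified and upgraded when these are raised.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
KEY_BYTES = 32


def unsalted_sha256(password: str) -> str:
    """WRONG: no salt and a fast hash. Two users with the same password get
    the same digest, and a leaked table can be cracked with rainbow tables or
    billions of guesses per second on a GPU. Shown only as the anti-pattern."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_b64$key_b64."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return "scrypt${}${}${}${}${}".format(
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode(), base64.b64encode(key).decode())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record and compare in
    constant time. Any malformed record is simply a failed login."""
    try:
        scheme, n, r, p, salt_b64, key_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        n, r, p = int(n), int(r), int(p)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
    except (ValueError, TypeError):
        return False
    key = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(key, expected)


def needs_rehash(stored: str) -> bool:
    """True if the record was made with weaker parameters than the current
    ones, so the application can transparently re-hash on next successful login."""
    try:
        scheme, n, r, p, _, _ = stored.split("$")
    except ValueError:
        return True
    return scheme != "scrypt" or (int(n), int(r), int(p)) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)
```

Call `hash_password` at signup and `verify_password` at login; when `verify_password` succeeds and `needs_rehash` is true, store `hash_password(password)` in place of the old record. This is the minimum bar the "unless you know what you're doing" caveat above refers to, and it is still only password storage: lockout, rate limiting, reset flows and MFA are on top of it, which is a large part of why buying is usually the better answer.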
4. Product Recommendations
Note: There are hundreds of options here, so we have just highlighted what we believe to be the best, based on the experience we have had. We have of course not used every solution out there and so there might be something better than all the below (but we doubt it ;))
Build
If, after discussing it with your team and various stakeholders, you conclude that you want to build, we recommend looking at the following projects to help you on your way. It is of course going to depend hugely on your technical expertise and your goal, but hopefully one of the below is a match!
Ory/Hydra
From the README:
Ory Hydra is a hardened, OpenID Certified OAuth 2.0 Server and OpenID Connect Provider optimized for low-latency, high throughput, and low resource consumption. Ory Hydra is not an identity provider (user sign up, user login, password reset flow), but connects to your existing identity provider through a login and consent app. Implementing the login and consent app in a different language is easy, and exemplary consent apps (Node) and SDKs for common languages are provided.
Our experience with running Hydra has been positive and makes it easy to recommend. The documentation is excellent: it not only tells you how to run Hydra, it teaches you about OpenID Connect and OAuth 2.0 too. For the Kubernetes users amongst you, they provide a Helm chart here.
As a company, Ory has invested heavily in this space and whilst writing this article we discovered that they offer a Cloud solution now too. You can find that here but we have not used it.
Keycloak
Before Hydra entered the scene, Keycloak was the de facto standard in this space. Keycloak is incredibly powerful and has pretty much the entire feature set of the tools you can buy (user management, login and password-reset flows, SAML and OIDC, admin UI), whereas Hydra is only the OAuth 2.0/OIDC server and leaves the login flow to you.
We have several years of experience with Keycloak and can't recall any major issues with it. Our SRE team said it takes some Java experience to run well, and Hydra seems more popular amongst the Ops folks we asked because it is written in Go and is therefore very easy to run.
Buy
If you landed on buy, there are unsurprisingly a lot of options available to you (including the Cloud offering from Ory already mentioned). Whichever you decide, here are our tips to get the most bang for your buck.
Unless you are a company without any customers yet, don't ever just accept the "default" pricing. Always reach out to the enterprise team.
Never accept the first price. Ever. Negotiate hard and don’t be afraid to speak to multiple vendors and play them off against each other.
If you are a resource-strapped startup, ask if the vendor can throw in implementation support. In our experience you can get some of the vendors below to write quite a lot of code or do a lot of configuration to get you running.
Sometimes the best discounts come with multi-year agreements. Your auth solution should be a long-term investment, so this is an option worth exploring.
Auth0
Auth0 have done a great job of content marketing. It's near enough impossible to do a search for authentication or authorization without coming across a blog post from Auth0. This really helps sell them as an authority in the space.
In our experience, Auth0 was usually cheaper than Okta for smaller companies. They also were much slicker in the sales and implementation process. This is reasonable as Auth0 position themselves as “the Stripe of auth”; focusing on the developer experience and allowing you to get started fast.
It has all the features you'd expect, plus it is easy to configure extras such as two-factor authentication and anomalous login detection. You can also write plugins in JavaScript (Auth0 calls them Rules, and more recently Actions) that run custom logic when a user authenticates, which made configuring it for our specific needs easy.
We did have some issues using Auth0 for our mobile application. At the time we implemented it, there was no native SDK and login had to happen inside a web view. This is not the experience we wanted for our users, but we had no choice. It felt a bit like the tail wagging the dog, with technical limitations overriding product requirements. However, the web views were fully customisable so we made it work.
Note: Auth0 was bought by Okta in May 2021. You can read more about that here. This was quite surprising as they were competitors. They promise to continue to operate independently so it is still worth talking to both. However, it makes negotiations a little harder as these were the classic two to play off against each other.
Okta
Okta positions itself as "Enterprise". For this reason it is usually more expensive than Auth0. In our experience, Okta is a much better choice for internal IAM, i.e. for building out single sign-on for employees, because it comes with a bunch of pre-built integrations for things like G Suite, Zendesk and various HR systems. We wouldn't recommend it for customer-facing applications (mostly due to cost).
Amazon Cognito
Cognito is included here because if you are running most of your stack in AWS, Cognito can be an effective option from a pricing perspective. In our experience, though, its documentation is thin and there are some oddities in implementation. If you have an AWS account manager (which most companies of a certain size will have), this is kind of a moot point, and it could be worth considering.
Cognito allows you 50k monthly active users for free. This is an incredible offering considering Auth0 treats >10k users as enterprise and you have to get in touch with them.
The one thing we really want to highlight is that Cognito does feel like a bit of an afterthought from AWS and doesn't get a lot of love. If you don't run in AWS and have picked it to keep costs down, OR you do run in AWS but don't have an account manager, you might just shift the monthly cost to your engineering team, who will take longer to implement it as they battle the bad documentation.
5. Further Reading
If you want to dive deeper into learning about some of the topics discussed here, then we recommend the following articles and blogs.
Auth
Build vs Buy
Windward Studios - Build vs. Buy - A Decision-Making Framework for Software Development
Stream Director of Product, Ben Golden - Webinar: Build vs Buy? Why It's Usually "Buy"
Opportunity Cost
I hope you enjoyed this article by Lead Engineer. If you want to support in-depth write-ups on topics like this going forward, please consider subscribing to the newsletter. 👇