Us vs Auth0 #25

Open
37 of 44 tasks
rishabhpoddar opened this issue Jun 10, 2021 · 2 comments
rishabhpoddar commented Jun 10, 2021

Questions

  • Can you easily add a custom social provider?
  • How well do they support various platforms and SDKs?
  • How can we go about customising the UI? From colours to full customisation
  • How do we do things like handle sign up success?
  • Social account consolidation?
  • Can sessions be used with httpOnly cookies?
  • Setting up for the two use cases of multi tenancy?
  • If one needs to do something like paginating across all users in the app in their API, how can they do that?
  • If someone wants to tweak the sign up / sign in APIs, how can they do that?
  • How would adding custom sign up fields work?
  • How would adding custom sign up validators work?
  • Describe the dev setup experience (how many steps and what are they + time overall)
  • How do you go about sending emails yourself if you want to?
  • How to go about customising the email design and or the sender's domain?
  • How to implement sign out functionality?
  • How to implement revoking a user's session functionality?
  • What if you want to embed the sign up / in page into your website UI (As opposed to opening a new tab..). Is that possible?
  • What are features that they provide that we don't?
  • Will their solution work with serverless env like in nextjs or netlify?
  • Email verification with Social providers, how does it work
  • Changing Email for social provider, how it works
  • if you want to add a password strength meter to registration, how does it work
  • For social account consolidation, how does changing the email work.
  • Multi tenancy, properly how it works, redirection works with the frontend
  • RBAC, check properly, how to get the role of the user within the API for custom logic for both frontend and backend.
  • Documentation review
  • Changing password validation (or some similar feature) for sign up: does this get propagated to other places (sign in, password reset)?
  • what are the supported databases
  • Is there a mechanism for protecting routes (similar to the supertokens auth wrapper). How easy is it to protect multiple pages and what does the code look like?
  • If a session expires is there a pop-up? does the user have to handle it?
  • mobile implementation, iOS and Android
  • Email is not verified but password reset is done, does that verify email?
  • implementation with ssr
  • Migration to and away
  • API customisability
  • sharing session across sub domains
  • Can you make the provider's frontend talk to your API instead of theirs? And then your APIs talk to their API.
  • How to disallow sign up and only have sign in?
  • Is it dev friendly?
  • Anything about monetization and model?
  • Would it be used by startups / developers or by mid stage companies / upmarket customers
  • How does their session management work?
  • Does it provide Email OTP as a feature?
  • Can a user be re-authenticated when visiting a protected route?
rishabhpoddar commented Jun 10, 2021

See the answers for SuperTokens here

Describe the dev setup experience (how many steps and what are they + time overall)

Basic setup for Frontend

  • After signing up, the getting started page lists how you can configure Auth0 and set it up in your app
  • These steps are
    • Previewing and Customizing the Auth screen
    • Integrating auth0 into your app
    • Adding social providers
    • Adding additional security features
  • The integrating auth0 with your app guide is as follows
    • Create an app from their dashboard, it can be of the following types
      • Native apps
      • SPA
      • Regular web apps
      • CLI apps
  • For the React app setup was fast and straightforward
  • When creating my application on the dashboard it asks you to choose the type of app. For SPA the options were
    • Angular
    • React
    • Javascript
    • Vue
  • The react guide gives you a sample demo and a step by step process of integrating auth0 with your frontend
  • I was able to set up Auth0 and add login, logout, and profile functionality to my frontend within 15-20 mins
  • The process requires you to add an auth0 provided wrapper around your root in your react app
  • You can then use the auth0 useAuth0 hook in your components to get functions to check if the user is authenticated, login, logout, get user information etc...

Basic Setup for backend

  • Auth0 provides a guide for setting up your backend
  • Installing the express-jwt and jwks-rsa dependencies
  • After configuration, the above-mentioned libraries will be used as middleware for express and will check if the jwt exists in the incoming request and it has the correct params.
  • The routes you choose to protect can be customized by adding the unprotected routes to a list.

Documentation review

Auth0's documentation is really good. Whenever you start an app and choose your tech stack, you get a curated quick setup guide taking you through the setup process.
Each section in the dashboard gives information on how that section works
One place that can be hard to navigate is the management API docs.

Can you easily add a custom social provider?

Auth0 allows you to easily add custom OAuth service providers through their dashboard. The setup form asks you to enter the authorization URL, token URL, scope, client id, client secret and a fetch user profile script (queries the OAuth2 API with the accessToken).

Auth0 allows users to use their databases populated with pre-existing users (usernames, password hashes etc). How does this work? (callbacks used, how are transactions implemented)

Auth0

  • Allows you to use your own custom database with users on the enterprise plan

  • When using a custom database you have to configure action scripts that will define how the authentication works with your database.

  • The scripts can be written or you can use the templates provided by auth0 and modify them

  • By default the only required script to be written is the login script

  • The actions scripts are

    • Login
      • Executes each time a user attempts to log in
      • Params: email, password
    • Create
      • Executes when a user signs up.
      • Params: user.email, user.password
    • Verify
      • Executes after a user follows the verification link.
      • Params: email
    • Change password
      • Executes when a user clicks on the confirmation link after a reset password request.
      • Params: email, newPassword
    • Get User
      • Retrieves a user profile from your database without authenticating the user.
      • Params: email
    • Delete
      • Executes when a user is deleted using the API or Auth0 Dashboard.
      • Params: id
    • Change email
      • Executes when a change in the email address, or the email address status, for a user occurs.
      • Params: email, newEmail, verified, callback
  • Steps taken for custom database setup(MongoDB)

    • Enable custom database
    • Setup database with MongoDB Atlas
    • Add mongodb template for Create action script in auth0 dashboard
    • Add the connection string
    • Can test out the functionality in ui

How can we go about customising the UI? From colours to full customisation

Auth0's dashboard allows you to customize certain aspects of the login screen:

  • Basic customization
    • Change logo with a URL
    • Change button colors
    • Change background colours

Social account consolidation?

  • Tested out the default behavior
    • Signing up with social login google
    • signing up with gmail id
    • Two separate users are created
  • Auth0's default behavior results in new users being created even if the same email is used.(login via gmail, login via google)
  • Auth0 supports account linking but it is a paid feature that has to be implemented by the user. This includes building your own UI, flow and calling the API for account linking.
    • The suggested flow is:
    • User logs into his primary account
    • provide UI to link secondary account
    • on clicking the button user is directed to the universal login screen and logs in with his secondary account
    • user gets a token on successful authentication which can be used to call an API to link the account

How do we do things like handle sign up success?

  • Auth0 has a number of Extensibility Points, these are places in Auth0's flow where users can define nodejs based scripts that will run. These are called auth0 hooks. The available extensibility points are:
    • Client Credentials Exchange
      • You can modify the scopes and add custom claims to the tokens issued by the Auth0 API
    • Post change password
      • Executed after a successful user password change
    • Post User Registration (Action)
      • Executed after a new user is created
    • Pre User Registration (action)
      • Executed before user registration, can prevent user creation or add custom metadata.
    • Send Phone Message
      • Allows you to customize your SMS provider for multifactor authentication.

The Auth0 actions can involve calling your API endpoint if you want to add user details to your db as well. However, during dev, if your endpoints are on localhost that causes an issue since auth0 cannot call localhost. So you might have to do some tricky tunneling.

If one needs to do something like paginating across all users in the app in their API, how can they do that?

  • Auth0 provides an API for querying user information. It provides a number of options to filter data. The API takes attributes like page (index of the results to return), per page(the number of results per page)...
  • Sample response

    ```json
    [
      {
        "user_id": "auth0|507f1f77bcf86cd799439020",
        "email": "[email protected]",
        "email_verified": false,
        "username": "johndoe",
        "phone_number": "+199999999999999",
        "phone_verified": false,
        "created_at": "",
        "updated_at": "",
        "identities": [
          {
            "connection": "Initial-Connection",
            "user_id": "507f1f77bcf86cd799439020",
            "provider": "auth0",
            "isSocial": false
          }
        ],
        "app_metadata": {},
        "user_metadata": {},
        "picture": "",
        "name": "",
        "nickname": "",
        "multifactor": [""],
        "last_ip": "",
        "last_login": "",
        "logins_count": 0,
        "blocked": false,
        "given_name": "",
        "family_name": ""
      }
    ]
    ```

How would adding custom sign up fields work?

How would adding custom sign up validators work?

Auth0 allows you to add custom sign up fields,

  • In the dashboard navigate to the branding/Universal Login section
  • The dashboard allows you to customize the HTML of the login
  • In the script section the config's additionalSignUpFields attribute is used to add additional fields.
    • The additionalSignUpFields attribute takes the following params
      • name: string
      • placeholder: string
      • validator: function
        There are also a number of additional params that can be set like a logo can be set using the icon param, also the type of input can be modified.
        ex.
  • The custom field type can be modified using the type param
  • When the type param is set to select, you can provide users with a number of options
    ex.

    ```js
    additionalSignUpFields: [{
      type: "select",
      name: "location",
      placeholder: "choose your location",
      options: [
        { value: "us", label: "United States" },
        { value: "fr", label: "France" },
        { value: "ar", label: "Argentina" }
      ],
      // The following properties are optional
      icon: "https://example.com/assests/location_icon.png",
      prefill: "us"
    }]
    ```

    an icon and prefill param can also be set
    other type options include a checkbox field and a hidden field

How to go about customising the email design and or the sender's domain?

Auth0 allows for complete customization of all emails(Welcome, password reset, email verification, change password etc...)
The sender's domain, Subject and message contents can be completely changed from the dashboard.
The message HTML can be completely changed

How to implement sign out functionality?

  • The useAuth0 hook provides a logout function. The function redirects the user to auth0's logout endpoint before redirecting back to the app. This will clear the auth0 SSO cookies. It can be configured to even log the user out from the identity provider they logged in from (ex. if the user used Google to log into auth0, the logout will log them out from both the app and Google)

if you want to add a password strength meter to registration, how does it work

In Auth0's dashboard you can choose to customize the HTML code of the login widget. This allows you to change the config of the lock widget to add additional fields, change styling etc. Adding custom elements in their editor does not seem to be something they encourage though.

Auth0 has a password strength meter built into its lock UI. The password policy has a set of rules with a slider to customize how many rules to enforce
This can be modified from the database password policy tab
The rules are :

  • No more than 2 identical characters in a row
  • Special characters (!@#$%^&*)
  • Lower case (a-z), upper case (A-Z) and numbers (0-9)
  • Must have '' characters in length
  • Non-empty password required

Email verification with Social providers, how does it work

  • Email verification is turned on by default.
  • Email verification is not enforced by default, user gets access to app immediately on signup.
  • To enforce email verification a custom rule has to be created.

Changing Email for social provider, how it works

  • According to the forums changing the password for social providers is not supported.

For social account consolidation, how does changing the email work.

  • account created by social providers cannot have their emails changed. Also for regular accounts changing the email doesn't seem to be a built in feature in auth0, they have a management API which can be used to change emails.

Email is not verified but password reset is done, does that verify email?

  • Email does get verified.
    • Tested:
    • Signup
    • Check that user is unverified
    • reset password
    • Email associated with the user is now verified.

If a session expires is there a pop-up? does the user have to handle it?

  • Tested setting the id token and refresh token expiration to be very low.
  • On expiry there is no pop-up.
  • Currently using the isAuthenticated function from the useAuth0 hook to display information. On session expiry this is false.

RBAC, check properly, how to get the role of the user within the API for custom logic for both frontend and backend.

Roles in auth0 are just a method to group together permissions.

  • In Auth0 a permission, is the ability to perform an action on a resource. ex. read:data can be defined as a permission.

  • After creating a permission, it can then be assigned to a role.

  • Roles can then be assigned to a user.

  • The role assigned to a user can be found in the access token JWT after authentication under the permissions attribute

  • On the backend the 'express-jwt-authz' can be used to create a middleware to check if the user has the required permission

  • Roles can be created from the dashboard.

  • Roles have a name, description, permissions and users associated with them

  • Roles can be created using the Auth0 management API and can be assigned to a user.

  • Multiple roles can be assigned to a single user

what are the supported databases

  • Using a custom database with auth0 is only available for the enterprise tier
  • They allow you to connect to any database with custom scripts and provide templates for most popular databases.

Is there a mechanism for protecting routes (similar to the supertokens auth wrapper). How easy is it to protect multiple pages and what does the code look like?

Auth0 provides a HOC withAuthenticationRequired which can be used for protecting routes.
ex.
Create a component that uses withAuthenticationRequired

```jsx
import { Route } from "react-router-dom";
import { withAuthenticationRequired } from "@auth0/auth0-react";

const ProtectedRoute = ({ component, ...args }) => (
  <Route component={withAuthenticationRequired(component)} {...args} />
);
```

in your router set the path and the component to be protected using the new component

```jsx
<ProtectedRoute path="/profile" component={Profile} />
```

Auth0 mobile implementation, iOS and Android

Auth0 provides SDKs for both Android and iOS and has good quick start guides for setup

What are features that they provide that we don't?

  • SSO
  • Greater custom DB support through custom scripts (only for enterprise)
  • MFA
  • User management through the dashboard
  • RBAC
  • Passwordless/Magic links

If someone wants to tweak the sign up / sign in APIs, how can they do that?

Auth0 provides some extensibility points for customizing the APIs but they do not cover every scenario (they don't have pre and post customization for every API). The user can call the APIs from the backend to allow for complete customization pre and post API calls, but they would have to build the frontend themselves as the lock widget does not allow you to change the endpoints for its actions.

Changing password validation(or some similar feature) for sign up does this get propagated to other places(Signin, password reset)

  • Auth0 has 3 methods of customizing auth flows: Rules, Auth0 hooks and Auth0 actions

    • Rules

      • Rules are js functions that are executed during user authentication.
      • They run after the main authentication flow is completed, i.e. just before the response is submitted to the user.
      • The ID Token and/or Access Token are passed to the Rules pipeline and then sent to the app.
      • Rules can be created from the dashboard, or they can be added through the management api.
      • Uses
        • They can be used for adding more data to the user object
        • Normalizing data
        • Sending notifications that authentication just occurred
        • Creating a whitelist
        • modifying the access token scopes
    • Auth0 hooks

      • Info can be found in question about post sign up callback
    • Actions

  • In case of password validation, auth0 has a special place in the dashboard for setting up password strength. This change is propagated through any flow that requires the user to enter the password

How does revoking a session between your frontend and backend work

How to implement revoking a user's session functionality?

User has multiple sessions, only want to revoke a couple of them, how does that work

  • Auth0 does not seem to supply methods in their SDK for revoking sessions. From what I have seen the only way to invalidate the session is to clear the cookies on the frontend and then revoke the refresh token from the server using Auth0's management API.

What if you want to embed the sign up / in page into your website UI (As opposed to opening a new tab..). Is that possible?

Auth0 allows you to embed login into your website. They allow to use their login widget sdk in your app or just use the auth0 sdk to query the auth endpoints.

Will their solution work with serverless env like in nextjs or netlify?

Auth0 provides a Next.js SDK.
Setup:

  • Create a auth0 app from the dashboard
  • add the configuration keys to your next app, in .env.local
  • Add an api route handler to your next app with handleAuth from the auth0 next package
  • this will add the routes for login, logout and callback URLs.
  • wrap pages/_app.js with the UserProvider component to get the user details on the frontend

implementation with ssr

Pre and Post Action scripts?

  • Limited extensibility points. no extensibility point for pre and post login

Execute Auth0's default functionality inside action script?

  • As soon as you enable custom databases auth0's default store is disabled, default functionality cannot be used. All action scripts(login, verify, change password etc..) have to be defined

If a session expires is there a pop-up? does the user have to handle it?

  • When a user session expires there is no popup, user is redirected to login screen

sharing session across sub domains

  • Test:
    • using ngrok to have two domains, localhost:3000 and the ngrok domain
    • logged in on localhost
    • switched URL to the ngrok URL
    • I was redirected to the login page
    • on clicking login I was signed in without having to enter details

How do go about sending emails yourself if you want to?

Auth0's inbuilt test smtp mail server cannot be used in production and requires the user to setup smtp.

  • In the dashboard users can select from a list of supported smtp providers.
  • These are
    • Amazon SES
    • Mandrill
    • SendGrid
    • SparkPost
    • Mailgun
  • Auth0 allows you to set a custom email provider and set the required SMTP provider settings

How well do they support various platforms and SDKs?

  • Auth0 supports the following SDKs with good documentation, quickstarts and sample apps:
    • Frontend
      • Angular
      • JavaScript
      • React
      • Vue
    • Backend
      • Laravel API
      • Node (Express) API
      • PHP API
      • Python API
      • Ruby On Rails API
    • Native and Mobile
      • Android
      • Cordova
      • iOS Swift
      • React Native
      • Windows Universal App C# / WPF / WinForms
      • Xamarin

Can sessions be used with httpOnly cookies?

  • According to this discussion it is possible

API customizability

Auth0 allows you to query its API's from the backend and also perform management tasks(user management and tenant configuration) through its management API.

How to disallow sign up and only have sign in?

In Auth0's dashboard under the database option, you can choose to disable signups.

Can you make the provider's frontend talk to your API instead of theirs? And then your APIs talk to their API.

Going through auth0's lock(their frontend widget) configuration there are no options to set endpoints for actions like signup/signin.

Setting up for the two use cases of multi tenancy?

Auth0's multi tenancy page in their docs mentions a couple of ways to handle multi-tenant apps

  • Multiple connections:
    • If you have multiple database connections enabled you can choose which user pool to access by configuring the connection on the frontend. For enterprise customers, auth0 provides the ability to use email domains as a way of routing authentication requests
  • Identify tenants by application
    • You can specify which auth0 app to use. More control over connections and configurations.
  • Store tenant details in app_metadata
    • Store tenant details in the user metadata, an identifier can be stored which will be used to redirect users
  • Separate Auth0 tenants for each customer
    • create a new Auth0 tenant for each of your application's tenants
    • Should only be done when you want to share the auth0 dashboard with the customer
    • Lots of configuration and setup (setup apps and db connections for each auth0 tenant)

Does it provide Email OTP as a feature?

  • Auth0 allows for passwordless login with an OTP sent by email

Can a user be re-authenticated when visiting a protected route?

This can be done as seen in this discussion by setting the max_age param and checking the auth_time

Auth0 Marketplace

  • The marketplace is a hub in auth0's dashboard which allows users to find and integrate third-party solutions. The idea behind the marketplace is that say you want to add github as a login provider, instead of googling the steps and trying to find out what the steps are, you have an official integration guide endorsed by auth0 with clear setup steps and troubleshooting guides

rishabhpoddar commented Jun 26, 2023

About account linking:

Auth0 has proper automatic account linking. There are a few UX / security issues (but they are nothing major):

  • UX issue 1: If the user does email password sign up first, and then does Gmail login the second time, they are redirected back to the login UI with no message. This can be confusing. In the background though, auth0 sends an email verification email, and once the user sees that and clicks on it, then when they relogin with Gmail, the accounts are linked.

  • UX issue 2: If the user signed up with gmail, and then next time signs up with email password (because they forgot that they have an account), then they are redirected to the gmail UI after email password account creation. After clicking on the right gmail user, their accounts are linked. This can be confusing for certain users.

  • UX issue 3: If the user signed up with gmail, and then next time tries to login with email password, they see a wrong credentials error (as expected). But then if they go through the password reset route (because they thought they had previously signed up with email password), then there is no password reset email sent. They have to click on sign up with email password, or then login with gmail. There is no indication in the UI for this.

  • Security issue: If an attacker previously created an email password user with the victim’s email (and not verified it), then when the victim signs up with google, Auth0 sends an email verification email. The victim might think to click it (because they just signed up), but this causes linking of the email password account as well - giving the attacker access to the account via email password login. That being said, during Gmail sign up, Auth0 does prompt the user that they are about to link accounts, but certain users might just click on continue without understanding what’s about to happen.

  • No account linking for passwordless or SAML login users.
