Ask HN: What are problems with implementing authentication and authorization?
5 comments
Auth0 solves pretty much every problem I've encountered. Which is admittedly, not a whole lot. It's not that these are super hard problems, it's just that it often seems like a waste of time. Instead of working on authentication and authorization, I'd much rather focus on the actual functionality.
Problems I encountered:
* Normalized user profile using data from various identity providers [1].
* Passwordless login [2].
* Using custom SMS gateway for passwordless login or 2FA [3]
There are not a stable, polished, feature rich alternatives to Auth0 that are affordable. I know that's a lot to ask for, but since you're asking. Auth0 is very nice, but prohibitively expensive. There are also not a lot of maintained and stable alternatives. Pretty much the only one I am aware of is Keycloak.
[1] https://auth0.com/docs/users/normalized/auth0
[2] https://auth0.com/passwordless
[3] https://auth0.com/docs/connections/passwordless/guides/use-s...
Problems I encountered:
* Normalized user profile using data from various identity providers [1].
* Passwordless login [2].
* Using custom SMS gateway for passwordless login or 2FA [3]
There are not a stable, polished, feature rich alternatives to Auth0 that are affordable. I know that's a lot to ask for, but since you're asking. Auth0 is very nice, but prohibitively expensive. There are also not a lot of maintained and stable alternatives. Pretty much the only one I am aware of is Keycloak.
[1] https://auth0.com/docs/users/normalized/auth0
[2] https://auth0.com/passwordless
[3] https://auth0.com/docs/connections/passwordless/guides/use-s...
Thank you for your answer. Yeah, I encountered the same problem. When you want to start to work on a new project you do not want to waste time on authentication and authorization. Thanks for the links, you provided. I will take a look at closer look at Keycloak.
Yeah, the problem with having 100 different user information and not one standardized way, is a big problem, do you think Auth0 and Keycloak(if they normalize) solve this problem in the best possible way?
Passwordless logins and 2FA are a good thing to point out. I will take a closer look at these "problems"/"solutions".
Yeah, the problem with having 100 different user information and not one standardized way, is a big problem, do you think Auth0 and Keycloak(if they normalize) solve this problem in the best possible way?
Passwordless logins and 2FA are a good thing to point out. I will take a closer look at these "problems"/"solutions".
The browser can have to cookies with the same name, and variations in path or domain, but still transmit both in a http request.
This causes most cookie parsers to make mistakes since they expect only one.
Also on the note of cookies, modern browser do not delete session or stale cookies if the browser was not closed properly, eg. the user just shutdown the system without closing the browser.
Also on the note of cookies, modern browser do not delete session or stale cookies if the browser was not closed properly, eg. the user just shutdown the system without closing the browser.
I did not know that before. I mean of course you can differentiate between them because of the path and domain, but still this can cause problems. Do you have an example of when you would like to have the same cookie for different domains or paths? Is it most likely a problem that occurs when programmers create cookies for the wrong path or domain. Or would you say there is a use case for that?
The server does not receive the path and domain infos so you cant differentiate at that point.
Jeah, domain wise if you have a cookie set for example.com and test.example.com, if the user is on the later it would send both cookies. This may be wanted for a common login system. In general yes it can be avoided if potential conflicting apps use different cookie names by default.
Jeah, domain wise if you have a cookie set for example.com and test.example.com, if the user is on the later it would send both cookies. This may be wanted for a common login system. In general yes it can be avoided if potential conflicting apps use different cookie names by default.
I would like to hear strange problems you encountered while working on authentication and authorization (when you work on a mobile app, or web app, etc...)? What are things you did not think of before implementing your system. How would you avoid such problems?
If you are using Identity and User Management Services (or probably you work there) like Auth0 (or others), why are you using it and what are you missing?