How are people doing auth for their applications (...
# random
t
How are people doing auth for their applications (minus cognito)
d
Amplify
b
Auth0 JWT
s
Cognito now, but seriously considering Auth0
t
we're figuring out what auth to bundle into the graphql stack out of the box and I really don't want it to be cognito
figuring out if we should use another managed service (https://userfront.com/ is in the lead so far) or using something more application level
auth is always an awkward part of the architecture
b
Userfront has a pretty generous free plan with unlimited logins, and a rich feature set
Haven't heard of it before until now
t
yeah I particularly like it because they mention multi-tenancy pretty prominently
b
Oh, yeah, that's nice
d
auth0 with JWT. We use jose to validate and pass to context for pothos auth plugin
t
d
I know of it but for now we only needed basics so didn't go into it
b
using Auth0 and have been really happy with it. Though, they did try to upsell us from the $23 a month plan to like $12K a year just to be able to get one feature. But overall, their product works really great.
n
@thdxr, out of interest, why don't you want to use cognito? I've been running through all your tutorials using that and it seems to do everything (I think) I need.
a
+1 for auth0
j
Cognito still for me. Typically never need the bells and whistles other services offer and it's quite cheap relatively. ;d
g
@thdxr i might be misunderstanding but why not just general JWT support?
t
there probably won't be anything built in directly, more around thinking about what examples we document
just thinking through the options
g
👍
i'd personally like to see generic JWT vs cognito + IAM integration pros/cons
t
@Neil Balcombe we've so far built things around cognito because it's the AWS option but we haven't been too happy with it as a service, lot of weird constraints that shouldn't exist
a
@Neil Balcombe I’d second the dislike of Cognito. It’s a bit of an abandoned child of the AWS ecosystem, and as thdxr said it has so many restraints and limitations that don’t make sense. Just one example: if you’re using cognito user pools, and an authenticated user invokes one of your lambdas, there’s no easy way of telling what their username is. Instead, the context.identity contains a cognitoIdentityId (from the corresponding CognitoIdentityPool) which is a UUID, and even though the same user always gets the same cognitoIdentityId (so there is a mapping somewhere behind the scenes) there is no way to map the identityId onto the username (without building your own identity tracking system, which is what we’re trying to avoid!) We’ve been using Cognito in production for 6 years now and it’s caused more headaches than Lambda, DynamoDB, RDS, Cloudfront, S3, Route53, SES, SNS, and SQS combined. It’s also been quite buggy in our experience, with next to zero support or response from AWS (admittedly, on a free-support plan).
s
I've been following this 5+ year-old thread on the Amplify repo for a while. It's Cognito related, and shows the types of frustrations the community has with Cognito.
a
@Seth Geoghegan me too 😂 😢
j
I always use the identity token's sub and have no issues 😅
a
To answer the original question, in our new project we’re using Auth0 during prototype stage, but Userfront’s pricing model looks tempting! (And we use JWT validation inside our lambdas)
h
Custom authoriser with jwt
s
We use custom authorisers with jwt as well - either on apigw or directly in lambda.
o
Use auth0 but also have been tempted by stytch. Been looking for a tool that does webauthn + social + MFA really nicely
t
I use plain jwt. Found cognito and amplify inflexible