#random

thdxr

05/19/2022, 1:40 PM
How are people doing auth for their applications (minus cognito)

Devin

05/19/2022, 1:44 PM
Amplify

Bjorn Theart

05/19/2022, 1:44 PM
Auth0 JWT

Seth Geoghegan

05/19/2022, 2:20 PM
Cognito now, but seriously considering Auth0

thdxr

05/19/2022, 2:20 PM
we're figuring out what auth to bundle into the graphql stack out of the box and I really don't want it to be cognito
figuring out if we should use another managed service (https://userfront.com/ is in the lead so far) or using something more application level
auth is always an awkward part of the architecture

Bjorn Theart

05/19/2022, 2:22 PM
Userfront has a pretty generous free plan with unlimited logins, and a rich feature set
Haven't heard of it before until now

thdxr

05/19/2022, 2:23 PM
yeah I particularly like it because they mention multi-tenancy pretty prominently

Bjorn Theart

05/19/2022, 2:24 PM
Oh, yeah, that's nice

Damjan

05/19/2022, 2:47 PM
auth0 with JWT. We use jose to validate and pass to context for pothos auth plugin

thdxr

05/19/2022, 2:47 PM

Damjan

05/19/2022, 2:50 PM
I know of it but for now we only needed basics so didn't go into it

Bob Wall

05/19/2022, 4:01 PM
using Auth0 and have been really happy with it. Though, they did try to upsell us from the $23 a month plan to like $12K a year just to be able to get one feature. But overall, their product works really great.

Neil Balcombe

05/19/2022, 4:37 PM
@thdxr, out of interest, why don't you want to use cognito? I've been running through all your tutorials using that and it seems to do everything (I think) I need.

Alex Price

05/19/2022, 4:54 PM
+1 for auth0

Jarod Stewart

05/19/2022, 5:37 PM
Cognito still for me. Typically never need the bells and whistles other services offer and it's quite cheap relatively. ;d

Gjorgji Kjosev

05/19/2022, 7:12 PM
@thdxr i might be misunderstanding but why not just general JWT support?

thdxr

05/19/2022, 7:13 PM
there probably won't be anything built in directly, more around thinking about what examples we document
just thinking through the options

Gjorgji Kjosev

05/19/2022, 7:13 PM
👍
i'd personally like to see generic JWT vs cognito + IAM integration pros/cons

thdxr

05/19/2022, 7:14 PM
@Neil Balcombe we've so far built things around cognito because it's the AWS option but we haven't been too happy with it as a service, lot of weird constraints that shouldn't exist

Athol Birtley

05/19/2022, 11:59 PM
@Neil Balcombe I’d second the dislike of Cognito. It’s a bit of an abandoned child of the AWS ecosystem, and as thdxr said it has so many restraints and limitations that don’t make sense. Just one example: if you’re using cognito user pools, and an authenticated user invokes one of your lambdas, there’s no easy way of telling what their username is. Instead, the context.identity contains a cognitoIdentityId (from the corresponding CognitoIdentityPool) which is a UUID, and even though the same user always gets the same cognitoIdentityId (so there is a mapping somewhere behind the scenes) there is no way to map the identityId onto the username (without building your own identity tracking system, which is what we’re trying to avoid!) We’ve been using Cognito in production for 6 years now and it’s caused more headaches than Lambda, DynamoDB, RDS, Cloudfront, S3, Route53, SES, SNS, and SQS combined. It’s also been quite buggy in our experience, with next to zero support or response from AWS (admittedly, on a free-support plan).

Seth Geoghegan

05/20/2022, 12:33 AM
I've been following this 5+ year-old thread on the Amplify repo for a while. It's Cognito related, and shows the types of frustrations the community has with Cognito.

Athol Birtley

05/20/2022, 12:34 AM
@Seth Geoghegan me too 😂 😢

Jarod Stewart

05/20/2022, 12:34 AM
I always use the identity token's sub and have no issues 😅

Athol Birtley

05/20/2022, 12:36 AM
To answer the original question, in our new project we’re using Auth0 during prototype stage, but Userfront’s pricing model looks tempting! (And we use JWT validation inside our lambdas)

Hitesh Balwani

05/20/2022, 6:18 AM
Custom authoriser with jwt

Stan

05/20/2022, 8:01 AM
We use custom authorisers with jwt as well - either on apigw or directly in lambda.

Omi Chowdhury

05/20/2022, 3:03 PM
Use auth0 but also have been tempted by stytch. Been looking for a tool that does webauthn + social + MFA really nicely

Timothy Farland

05/21/2022, 2:27 AM
I use plain jwt. Found cognito and amplify inflexible