This is Why You Don't Roll Your Own Auth

15,145 views

ForrestKnight

1 day ago

51 comments
@joeferreti9442 · 1 month ago
It's important to note that there is a very big difference between developing or implementing own cryptographic building blocks and just hosting your own authentication service. The first is a big No-No (unless you are a group of renowned and proven security experts) while the latter can be doable (although you have to be careful).
@undefined69695 · 1 month ago
As an identity management expert I can’t agree more. Use whatever library you want and customize it within spec but never ever try to implement your own cryptography.
@nickwoodward819 · 1 month ago
Assume then that Passport.js or Lucia (well, the Oslo helper methods) = good, trying to write Passport.js/Oslo = bad. Always thought that "roll your own" was kept intentionally vague.
@someguyO2W · 1 month ago
This video mixes up Authentication, Authorization, Auditing and many other security processes, then recommends using a single point of failure as a solution.
@undefined69695 · 1 month ago
Yeah, like rate limiting has nothing to do with auth; you would do that with a gateway.
@flixfixonyt · 1 month ago
Welcome to YouTube tech influencing. Those who can, can; those who can't, teach.
@michal4561 · 1 month ago
Big talk, show us what you got.
@nickwoodward819 · 1 month ago
No MFA under $240 / month kills Auth0 for me.
@emmanuelgoldstein3682 · 1 month ago
MFA through SMS or email is on the $35 plan. I've been using it for years. Authenticators like Google Authenticator require the Professional plan, which is actually fairly priced if you're big enough to need it.
@nickwoodward819 · 1 month ago
Could be wrong on this one, but it always looks like a large amount of the complexity comes from shoe-horning JWTs into Auth?
@ndzumamalate · 1 month ago
Exactly, makes everything 30x harder
@joshr96 · 1 month ago
"Please let this not be a prelude to some auth sponsor... please... he wouldn't do that, right... please no..." TODAY'S VIDEO IS SPONSORED BY.... 😞 Like, I get it, you have chickens to feed and bills to pay, but I do think it's a bit dirty to primarily focus on the downsides and barely touch on the pros of rolling your own auth solution. Instead the video is filled with a lot of scary stories, how million-user platforms got sued 😱 and all of this can be avoided if you use XYZ solution. And how DARE you remind me I have to log back into my Netflix on my TV whenever I travel, good sir! At least they haven't added ads yet.... oh wait. Anyway, Forrest, I will still watch your content because I still enjoy it. I just had to cry my heart out here in this comment section. I don't wish you to pull this video, stop taking sponsors, or change in any way for any viewer here. I just ask that you remain fair and honest to your audience, many of them new to this industry and looking to you for ideas. You had one very valid point... you should roll your own if at the very least to learn something. But I think there are many other reasons too, but due to conflict of interest I understand why you didn't.
1 month ago
I implemented the OAuth 2.1 and OIDC protocols from scratch last month, and switched to an OIDC library later (for better edge-case handling, nothing else). I have got to say, if I hadn't implemented the protocols beforehand, I wouldn't have any idea of the internal state of the program, and it would just be a black box.
@NostraDavid2 · 1 month ago
Those protocols are pretty damn complex due to the amount of options you have available - that's what I recall from a year ago anyway. Maybe my memory is crap though.
1 month ago
@NostraDavid2 Nope, you are correct. These protocols have tons of options, because they cover a wide range of scenarios.
@AdithaPathiraja · 1 month ago
Doesn't an auth service provider become a single point of failure for all their customers if they ever get hacked? If big companies like Facebook got hacked, what's the guarantee that your auth provider won't fail at some point? Honestly, all the auth fails mentioned here seem like stupid mistakes that could've been avoided if they had better processes to enforce good standards.
@sortof3337 · 1 month ago
Yea, it is. The video is basically an ad. Never trust tech tubers. No diss here; I appreciate all working people getting the bag and would've done the same thing. The smartest people in tech aren't making videos; they are making products or enjoying life or being tiny little fascists. Auth0/Okta has also had its own fair share of security incidents.
@someguyO2W · 1 month ago
It's a bad take. Don't roll your own auth. Use established libraries.
@someguyO2W · 1 month ago
Auth0 recently had an issue IIRC
@dan110024 · 22 days ago
What's the alternative to using an auth service provider though, if you're not qualified to be doing auth yourself?
@sortof3337 · 22 days ago
@dan110024 Self-host Casdoor. It's very easy. If that's too hard, you can use Auth0 or Vercel's auth.
@craigreustle2192 · 1 month ago
Auth0 sounds awesome. As a beginner trying to build an app with users, I got way in over my head coding it myself.
@Refresh5406 · 1 month ago
Auth0 is horribly priced, there are a million other comparable services out there that actually scale and are affordable
@craigreustle2192 · 1 month ago
@Refresh5406 Okay but for my purposes free sounds good.
@nickwoodward819 · 1 month ago
@@craigreustle2192 No MFA sounds terrible
@martinblasko5795 · 1 month ago
Where can I find that Auth System Decisions diagram? It looks really comprehensive!
@fknight · 1 month ago
The mindmap? I just made it in Mermaid Chart. The MMD code will render in any platform that supports Markdown:

mindmap
  root((Auth System Decisions))
    Session Management
      Password Changes
      ::icon(fa fa-key)
        Invalidate all sessions?
        Keep some sessions active?
      Session Duration
      ::icon(fa fa-clock)
        Remember me functionality
        Re-authentication intervals
        Token rotation frequency
      Concurrent Sessions
      ::icon(fa fa-users)
        Number allowed
        Device limits
        Household restrictions
      Session Control
      ::icon(fa fa-cogs)
        View active sessions
        Revoke specific sessions
        Force logout all devices
    Route Protection
      Rate Limiting
      ::icon(fa fa-shield)
        Per IP limits
        Per user limits
        Per action limits
      Security Checks
      ::icon(fa fa-lock)
        Token validation
        CSRF protection
        Session fingerprinting
      Monitoring
      ::icon(fa fa-eye)
        Suspicious activity detection
        Security logging
        GDPR/SOC2 compliance
    Implementation Choice
    ::icon(fa fa-code)
      Custom Implementation
        Research security best practices
        Handle salt/pepper generation
        Manage token creation/validation
      Auth Library
        Configure security settings
        Use proven implementations
        Regular security updates
@martinblasko5795 · 1 month ago
@fknight Sweet, thanks! We're currently struggling with, ehm.. rolling our own auth after failing miserably with Ory and Zitadel. There's always something missing, or one thing nobody thinks about until we need it pops up from nowhere. Your mind map seems pretty comprehensive, thanks a bunch.
@GarrethandPipa · 19 days ago
Back when the internet was new, we quickly learned that you can have a near-perfect implementation of the current specification, and if the server had shitty security, say a Windows server, you're wasting your time. None of these pieces are hard to code if you spent the first 10 years of your professional career reinventing this wheel. The reality is nothing is truly secure... it just takes one new hire to bring it all down.
@Charlesfrostman · 1 month ago
My only recommendation for this vid is to target FE devs with this advice. For the “things you need to consider…” section, this is all standard stuff for an experienced backend engineer. Auth (incl. rate limiting, gateways etc) for a Java/Spring Framework engineer is like forms mgmt for a JS/Angular dev. The mental overhead to sufficiently implement both sides of the stack is heavy, as both have great complexities.
@raughboy188 · 1 month ago
Are you trying to say: roll your own auth for yourself only?
@4sxS307cAW · 1 month ago
I think this is an "it depends" scenario. Most of the time, it's better not to build your own authentication system because companies typically prioritize creating features that deliver business value. Developing your own auth system can be a bad move since you'd then need to integrate and maintain it to meet all the necessary authentication requirements. This effort can consume a significant portion of your time, leaving less room for delivering value-adding features. On paper, it ends up looking inefficient and negatively impacting your KPIs.
@Ctrl_Alt_Elite · 1 month ago
2:51 what's the name of this type of diagram?
@piotr_sss · 1 month ago
Sequence Diagram
@Ctrl_Alt_Elite · 1 month ago
@piotr_sss Awesome, thanks! 😁
@MengLinMaker · 21 days ago
The maintenance burden of your own auth increases with permission management and scaling the app.
@antoniong4380 · 1 month ago
Where do I find that graph for auth decisions?
@jaycube5 · 1 month ago
What keyboard is that? Looks sick
@ways. · 1 month ago
Can you please tell me where that shirt is from, PLEASSEEEE!
@boravarol6537 · 1 month ago
Looks like an apology video
@fknight · 1 month ago
I'm sorry. I'll never roll my own auth again. Edit: can't spell, had to fix.
@s0fire_ · 1 month ago
Hmm
@footballfan28-ss · 1 month ago
Don't roll your own auth....
@Crux161 · 1 month ago
Just don’t deploy it 😂
@ryanzwe · 1 month ago
Nice