I've been planning a startup project for months now. Then, what was supposedly a simple quest of finding out whether session-based or token-based authentication is better has become a question of whether I should set up my own OpenID Connect (OIDC) auth server or stick to simpler methods.

I've already spent almost a week learning OAuth2 and OIDC, and I can't tell whether this route is overkill for my use case. (Or whether I just don't want to admit I'm falling into the shiny-tech trap.)

How about you guys, how would you approach authentication? JWT/JWE? Sessions?

  • 1
    Set up okta. By the time you exceed the base user count, you should be making enough money to afford it and have enough data to determine if it's worth your time to do so.

    If you just want to learn OIDC, you can implement your own, but in general it's not a valuable exercise.
  • 1
    Research Auth0. I've implemented their authentication on my own project and it seems very legit; you just have to read through the docs, and it's relatively easy to implement.
  • 0
    @SortOfTested Thanks! I'll definitely look into Okta. But why do you think it's not a valuable experience to implement my own? Is it because it isn't in-demand in the industry?
  • 0
    It's been done so many times, in so many ways, that there's no need to reinvent the wheel. All you need to understand are the surrounding concepts like grants, claims, scopes, flows, clients, etc.
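Whichever provider issues the tokens, the relying party still has to validate the ID token's claims itself, and that is where the "claims" concept above becomes concrete. The following is an added example, not code from this thread or from Okta or Auth0: it mints and verifies a compact JWS with HS256 using only the Python standard library, checking alg, signature, iss, aud, exp, iat and nonce. The issuer, client id, client secret and claim values are constructed, and HS256 with a shared client secret is a simplification (most providers sign ID tokens with RS256 and publish keys at a JWKS URL; the claim checks are the same either way).

```python
"""Relying-party validation of an OIDC ID token (compact JWS, HS256).
Constructed example: issuer, client id, secret and claims are made up."""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical relying-party configuration.
ISSUER = "https://issuer.example"
CLIENT_ID = "my-client"
CLIENT_SECRET = b"constructed-client-secret-not-for-production"


class TokenError(ValueError):
    """Raised when the token must be rejected; the message says why."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def mint_id_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Stand-in for the provider. alg='none' emits an unsigned token so the
    verifier's algorithm pinning can be exercised."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_id_token(token: str, secret: bytes, issuer: str = ISSUER,
                    client_id: str = CLIENT_ID, nonce=None, now=None, leeway: int = 60) -> dict:
    """Return the claims if the token is acceptable, else raise TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
    except ValueError:
        raise TokenError("malformed header")
    # Pin the algorithm before touching the signature: rejects 'none' and
    # algorithm-confusion attempts outright.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg: {header.get('alg') if isinstance(header, dict) else None}")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    try:
        provided = _b64url_decode(s_b64)
    except ValueError:
        raise TokenError("malformed signature")
    if not hmac.compare_digest(expected, provided):
        raise TokenError("bad signature")
    try:
        claims = json.loads(_b64url_decode(p_b64))
    except ValueError:
        raise TokenError("malformed payload")
    if not isinstance(claims, dict) or "sub" not in claims:
        raise TokenError("missing sub")
    if claims.get("iss") != issuer:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        raise TokenError("audience mismatch")
    # With several audiences OIDC requires azp to name this client.
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        raise TokenError("azp mismatch")
    if not isinstance(claims.get("exp"), (int, float)):
        raise TokenError("missing exp")
    if now > claims["exp"] + leeway:
        raise TokenError("token expired")
    if isinstance(claims.get("iat"), (int, float)) and claims["iat"] > now + leeway:
        raise TokenError("issued in the future")
    # The nonce ties the ID token to the authorization request that started the flow.
    if nonce is not None and claims.get("nonce") != nonce:
        raise TokenError("nonce mismatch")
    return claims


def rejection_reason(token: str, secret: bytes, **kwargs):
    """None when the token verifies, otherwise the rejection message."""
    try:
        verify_id_token(token, secret, **kwargs)
        return None
    except TokenError as e:
        return str(e)


if __name__ == "__main__":
    now = 1_700_000_000
    claims = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
              "exp": now + 3600, "iat": now, "nonce": "n-1"}
    good = mint_id_token(claims, CLIENT_SECRET)
    print("valid:", rejection_reason(good, CLIENT_SECRET, nonce="n-1", now=now))
    print("alg none:", rejection_reason(mint_id_token(claims, b"", alg="none"), CLIENT_SECRET, nonce="n-1", now=now))
    print("forged:", rejection_reason(mint_id_token(dict(claims, sub="admin"), b"wrong"), CLIENT_SECRET, nonce="n-1", now=now))
    print("expired:", rejection_reason(good, CLIENT_SECRET, nonce="n-1", now=now + 3700))
```

The order of checks is deliberate: algorithm pinning and the signature come first, so no claim from an unverified payload is ever trusted, and the nonce check is what prevents an ID token captured from one login from being replayed into another session.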
  • 1
    @specialCardinal I think it's an easier and more secure way to implement it, and you don't have to worry about scalability. Big companies such as Atlassian rely on the Auth0 authentication service.
  • 0
    @SortOfTested Ah yes, what I meant by implementing my own auth server is using an OIDC-certified provider library, not actually programming everything from the ground up.

    @juanchdzl Auth0 looks similar to the service provided by Okta. I'll look into it as well, thanks!