This is Why You Don't Roll Your Own Auth

  • Published 23 Nov 2024

Comments • 35

  • @joeferreti9442
    @joeferreti9442 1 day ago +34

    It's important to note that there is a very big difference between developing or implementing own cryptographic building blocks and just hosting your own authentication service. The first is a big No-No (unless you are a group of renowned and proven security experts) while the latter can be doable (although you have to be careful).

    • @undefined69695
      @undefined69695 1 day ago +5

      As an identity management expert I can’t agree more. Use whatever library you want and customize it within spec but never ever try to implement your own cryptography.

    • @nickwoodward819
      @nickwoodward819 6 hours ago

      Assume then that Passportjs or Lucia (well, Oslo helper methods) = good, trying to write Passportjs/Oslo = bad.
      I always thought that 'roll your own' was kept intentionally vague.

  • @someguyO2W
    @someguyO2W 1 day ago +19

    This video mixes up Authentication, Authorization, Auditing and many other security processes, then recommends using a single point of failure as a solution.

    • @undefined69695
      @undefined69695 1 day ago +5

      Yeah, like rate limiting has nothing to do with auth; you would do that with a gateway.

  • @nickwoodward819
    @nickwoodward819 1 day ago +15

    No MFA under $240 / month kills Auth0 for me.

    • @emmanuelgoldstein3682
      @emmanuelgoldstein3682 1 day ago +1

      MFA through SMS or email is on the $35 plan. I've been using it for years. Authenticators like Google Authenticator require the Professional plan, which is actually fairly priced if you're big enough to need it.

  • @nickwoodward819
    @nickwoodward819 1 day ago +10

    Could be wrong on this one, but it always looks like a large amount of the complexity comes from shoe-horning JWTs into Auth?

    • @ndzumamalate
      @ndzumamalate 1 day ago

      Exactly, makes everything 30x harder

  • @joshr96
    @joshr96 1 day ago +6

    "please let this not be a prelude to some auth sponsor... please... he wouldn't do that right... please no..." TODAY'S VIDEO IS SPONSORED BY.... 😞
    Like I get it, you have chickens to feed and bills to pay, but I do think it's a bit dirty to primarily focus on the downsides and barely touch on the pros of rolling your own auth solution. Instead, the video is filled with a lot of scary stories, how million-user platforms got sued 😱 and all of this can be avoided if you used XYZ solution.
    And how DARE you remind me I have to log back into my Netflix on my TV whenever I travel, good sir! At least they haven't added ads yet.... oh wait.
    Anyway Forrest, I will still watch your content because I still enjoy it. I just had to cry my heart out here in this comment section. I don't wish you to pull this video, stop taking sponsors, or change in any way for any viewer here. I just ask you to remain fair and honest to your audience, many of them new to this industry and looking to you for ideas. You had one very valid point... you should roll your own, if at the very least to learn something. But I think there are many other reasons too, but due to the conflict of interest I understand why you didn't.

  • 22 hours ago

    I implemented the OAuth 2.1 and OIDC protocols from scratch last month, and switched to an OIDC library later (for better edge case handling, nothing else). I have gotta say, if I hadn't implemented the protocols beforehand, I wouldn't have any idea of the internal state of the program, and it would just be a black box.
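
Since the comment above is about implementing OAuth 2.1/OIDC by hand, here is an added example (not the commenter's code) of the one piece OAuth 2.1 makes mandatory for every client: PKCE (RFC 7636). The client derives a code_challenge from a random code_verifier; the authorization server binds that challenge to a single-use authorization code and re-derives it from the verifier presented at the token endpoint. The in-memory code store, the function names and the "S256 only" policy are my own assumptions about how a server would do this; the test vector quoted in the usage note is the one published in RFC 7636 Appendix B.

```python
"""PKCE (RFC 7636) as used by OAuth 2.1: client-side derivation and the
authorization server's checks at the token endpoint.

Added example. `issued_codes` is a constructed in-memory stand-in for the
server's database of outstanding codes; a real server also expires entries."""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random bytes -> 43 unreserved characters (RFC 7636 section 4.1)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(code_verifier: str) -> str:
    """Client side: BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2)."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


# ---- authorization server side (assumed shape, not from any library) ----
issued_codes = {}


def authorize(client_id: str, redirect_uri: str, code_challenge: str,
              code_challenge_method: str) -> str:
    """Authorization endpoint: bind the challenge to a fresh, single-use code.

    OAuth 2.1 removes the 'plain' method, so only S256 is accepted here."""
    if code_challenge_method != "S256":
        raise ValueError("code_challenge_method must be S256")
    code = secrets.token_urlsafe(32)
    issued_codes[code] = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge,
    }
    return code


def exchange_code(code: str, code_verifier: str, client_id: str, redirect_uri: str):
    """Token endpoint: consume the code (even when the check fails, so it cannot
    be retried), verify the client/redirect binding, then recompute the
    challenge from the presented verifier and compare in constant time.
    Returns a token dict on success, None on any failure."""
    entry = issued_codes.pop(code, None)
    if entry is None:
        return None  # unknown, expired, or already used
    if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
        return None
    if not 43 <= len(code_verifier) <= 128:
        return None  # length bounds from RFC 7636 section 4.1
    if not hmac.compare_digest(code_challenge_s256(code_verifier),
                               entry["code_challenge"]):
        return None
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


if __name__ == "__main__":
    # Full round trip: client creates verifier+challenge, server issues a code,
    # client redeems it with the verifier, replay of the same code is refused.
    verifier = make_code_verifier()
    code = authorize("demo-app", "https://app.example/cb",
                     code_challenge_s256(verifier), "S256")
    print(exchange_code(code, verifier, "demo-app", "https://app.example/cb"))
    print(exchange_code(code, verifier, "demo-app", "https://app.example/cb"))  # None
```

A quick self-check against the specification: RFC 7636 Appendix B gives the verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` and the S256 challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`; `code_challenge_s256` reproduces it. The thing an interceptor of the authorization code is missing is the verifier, which never leaves the client until the token request, and the server's single-use pop means a stolen code that is redeemed first also burns the legitimate client's attempt, which is visible rather than silent.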

  • @AdithaPathiraja
    @AdithaPathiraja 1 day ago +5

    Doesn't an auth service provider become a single point of failure for all their customers if they ever got hacked? If big companies like Facebook got hacked, what's the guarantee that your auth provider won't fail at some point? Honestly, all the auth fails mentioned here seem like stupid mistakes that could've been avoided if they had a better process to enforce good standards.

    • @sortof3337
      @sortof3337 1 day ago +2

      Yea, it is. The video is basically an ad. Never trust tech tubers. No diss here; I appreciate all working people getting the bag and would've done the same thing. The smartest people in tech aren't making videos; they are making products or enjoying life or being tiny little fascists. Auth0/Okta have also had their own fair share of security incidents.

    • @someguyO2W
      @someguyO2W 1 day ago +1

      It's a bad take. Don't roll your own auth. Use established libraries.

    • @someguyO2W
      @someguyO2W 1 day ago +1

      Auth0 recently had an issue IIRC

  • @Charlesfrostman
    @Charlesfrostman 1 day ago +2

    My only recommendation for this vid is to target FE devs with this advice.
    For the “things you need to consider…” section, this is all standard stuff for an experienced backend engineer. Auth (incl. rate limiting, gateways etc) for a Java/Spring Framework engineer is like forms mgmt for a JS/Angular dev.
    The mental overhead to sufficiently implement both sides of the stack is heavy, as both have great complexities.

  • @jaycube5
    @jaycube5 1 day ago

    What keyboard is that? Looks sick

  • @4sxS307cAW
    @4sxS307cAW 22 hours ago

    I think this is an "it depends" scenario. Most of the time, it's better not to build your own authentication system because companies typically prioritize creating features that deliver business value. Developing your own auth system can be a bad move since you'd then need to integrate and maintain it to meet all the necessary authentication requirements. This effort can consume a significant portion of your time, leaving less room for delivering value-adding features. On paper, it ends up looking inefficient and negatively impacting your KPIs.

  • @craigreustle2192
    @craigreustle2192 1 day ago +1

    Auth0 sounds awesome. As a beginner trying to build an app with users, I got way in over my head coding it myself.

    • @Refresh5406
      @Refresh5406 1 day ago +3

      Auth0 is horribly priced, there are a million other comparable services out there that actually scale and are affordable

    • @craigreustle2192
      @craigreustle2192 1 day ago +1

      @Refresh5406 Okay, but for my purposes free sounds good.

    • @nickwoodward819
      @nickwoodward819 6 hours ago

      @craigreustle2192 No MFA sounds terrible

  • @antoniong4380
    @antoniong4380 11 hours ago

    Where do I find that graph for auth decisions?

  • @raughboy188
    @raughboy188 1 day ago

    Are you trying to say: roll your own auth for yourself only?

  • @Ctrl_Alt_Elite
    @Ctrl_Alt_Elite 1 day ago +1

    2:51 what's the name of this type of diagram?

    • @piotr_sss
      @piotr_sss 1 day ago +2

      Sequence Diagram

    • @Ctrl_Alt_Elite
      @Ctrl_Alt_Elite 1 day ago

      @piotr_sss awesome, thanks! 😁

  • @s0fire_
    @s0fire_ 3 hours ago +1

    Hmm

  • @footballfan28-ss
    @footballfan28-ss 1 day ago

    Don't roll your own auth....

  • @Crux161
    @Crux161 17 hours ago

    Just don’t deploy it 😂

  • @ryanzwe
    @ryanzwe 1 day ago

    Nice