I’ve looked at various ways of logging in users and I’m wondering if I should write my own.
There are a lot of third party solutions that make it easy and cheap to get started, like Amazon Cognito and Auth0. But as easy as it is to get started, they all lock you in, make you reliant on their solutions and have terribly one sided user agreements (in their favor).
There are some open source solutions that offer a complete experience out of the box, like Keycloak. It works but it’s highly opinionated about flows like email verification and its freemarker templates would take a major effort to style as we want. ORY Kratos also comes to mind, but it’s in the early stages and I don’t want to rely on a project that I don’t know at this point if it will be around in a few years. I hope it will because it looks promising.
Spring Security used to be an option but unfortunately their current solution is deprecated.
So… should I roll my own?
It seems like bad practice, but I find it difficult to find concrete arguments. If I google the question, I find arguments against in house authentication solutions like having to hash passwords and having to write features like email verification and password reset. However, all of these would be easy to implement, so these particular examples aren’t convincing reasons not to create an in house solution.
But maybe there are a lot of unknown unknowns that I should worry about?
For instance, OAuth / OIDC + PKCE have some complex flows that I can’t claim to understand. Maybe these are all things we need, or maybe they’re not.
What are your thoughts? Is an in house authentication solution feasible? Or should I forget about it, bite the bullet and put an Amazon/Auth0 snare around my neck? Other solutions?