
Authentication Tools

  • Date: 2024-05-09
  • Author: Ramon Prieto

Decision Summary

  • Title: Authentication and Authorization Provider
  • Description: Evaluate providers as the authentication tool for our web app

Background

Our web app needs to have authentication in place that is user-friendly, scalable, easy to maintain, and allows us to control access permissions at a user level.

Access control needs

  • Users can register and login via magic link
  • Users can have different roles
  • Users can be assigned to organizations
  • User access can be limited to subsets of the organization
  • We can control the CRUD operations that can be performed on resources based on the user's role.

Evaluation Criteria

Functionality

  • Multi-tenancy: Stytch B2B authentication follows an organization-based architecture that would allow us to configure auth on a per-client basis and have several users within a single organization. Authress also supports multi-tenancy.
  • Single sign-on: Stytch supports single sign-on (SSO) with Okta, Google, and Microsoft. Authress also supports SSO for most providers.
  • OAuth: Stytch supports OAuth with Google, Microsoft, HubSpot, and Slack. Authress also supports OAuth for most providers.
  • Magic links: Stytch supports magic links for authentication. Each magic link that is sent to the user is one-time-use. Once the user clicks on the magic link and logs in, the embedded token that uniquely identifies the authentication request is “consumed” and cannot be used for subsequent logins. Authress also supports magic links for authentication with the same level of security.
  • MFA: Stytch supports multi-factor authentication (MFA) with SMS and auth apps. Authress also supports MFA + security keys.
  • RBAC: Stytch and Authress both support role-based access control (RBAC) for users. Stytch manages roles through a governing document called the RBAC Policy that stores all access controls. The RBAC Policy is collectively made up of three core concepts:
      • Resources: represent an abstract entity that users interact with. Typically, resources are modeled after the app's data model.
      • Roles: a named collection of permissions. Roles are usually named in a way that represents meaningful personas.
      • Actions: usually represent CRUD operations like "create", "read", "update", and "delete", but they can also represent more application-specific tasks like "export".

Stytch does not support programmatically defining RBAC policies; they can only be defined in the dashboard. Authress does support programmatically defining RBAC policies.
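As an added illustration of the Resources / Roles / Actions model and the access control needs listed above (example code written for this page, not Stytch's or Authress's SDK), the block below validates a policy and answers "may this user perform this action on this resource?", scoping each role to one organization and, optionally, to a subset of its teams. The policy contents, role names and the team concept are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed policy in the Resources / Roles / Actions shape described above
# (example data, not an export from either provider).
RESOURCES = {
    "project": {"create", "read", "update", "delete", "export"},
    "member": {"create", "read", "delete"},
}
ROLES = {
    "org_admin": RESOURCES,  # every declared action on every resource
    "editor": {"project": {"read", "update"}, "member": {"read"}},
    "viewer": {"project": {"read"}, "member": {"read"}},
}

@dataclass(frozen=True)
class Membership:
    """A user's role inside one organization; team_ids narrows it to a subset."""
    organization_id: str
    role: str
    team_ids: frozenset = frozenset()  # empty means the whole organization

@dataclass(frozen=True)
class Resource:
    kind: str
    organization_id: str
    team_id: Optional[str] = None

def validate_policy(resources=RESOURCES, roles=ROLES):
    """Reject roles that grant actions a resource does not declare."""
    for role, grants in roles.items():
        for kind, actions in grants.items():
            if not actions <= resources.get(kind, set()):
                raise ValueError(f"role {role!r} grants undeclared actions on {kind!r}")
    return True

def is_authorized(memberships: Iterable[Membership], resource: Resource,
                  action: str, resources=RESOURCES, roles=ROLES) -> bool:
    """Allow only if a membership matches the resource's organization and team
    scope and its role grants `action` on that resource kind; otherwise deny."""
    if action not in resources.get(resource.kind, set()):
        return False  # unknown resource kind or action: fail closed
    for m in memberships:
        if m.organization_id != resource.organization_id:
            continue  # roles never cross tenant boundaries
        if m.team_ids and resource.team_id not in m.team_ids:
            continue  # membership limited to a subset of the organization
        if action in roles.get(m.role, {}).get(resource.kind, set()):
            return True
    return False
```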

Cost

Stytch:

Stytch offers a free tier that can be used for development and testing but we'll want to go up to the paid plan for production.

Stytch pricing

Authress:

Authress charges $0.0012 per API call. This pricing model is competitive with other auth providers like Stytch at scale, but has the advantage that the monthly cost is proportional to the number of active users, which makes it much cheaper in the early stages.

Simplicity

Stytch:

Stytch has very good documentation, provides mature SDKs for both Next.js and Python, and provides an authorization flow that is easy to use and understand. This makes it simple to get started with and maintain, and it removes the need to implement our own authorization system.

Authress:

Authress' documentation is less mature than Stytch's. It provides a lot of flexibility in how you configure your application, but that also means you have to do much of the configuration yourself.

Scalability

Stytch:

Stytch is a SaaS product and is designed to scale automatically.

Authress:

Authress is a SaaS product and is designed to scale automatically.

Support and Maintenance

Stytch:

No maintenance is needed; Stytch handles all the infrastructure for us. Stytch provides email support but no SLAs for our plan. Community support is also available through their Slack workspace.

Authress:

Authress provides an SLA of 99.99% uptime and 24h response times for support. Community support is also available through their Discord workspace, where their CTO is available and responsive to questions.

Compliance

Stytch:

Stytch is HIPAA compliant if we go with the Scale plan.

Authress:

Authress is HIPAA compliant.

Options Considered

Option 1: Auth0

  • Pros: Cheaper to start with, Authz
  • Cons: Weaker magic link security, no authentication app support unless we upgrade to the Enterprise plan, more complex

Option 2: Firebase + Casbin

  • Pros: Free, GCP ecosystem
  • Cons: Need to implement and maintain authz ourselves, more complex

Option 3: Stytch

  • Pros: Simple, HIPAA compliant, RBAC support
  • Cons: Fixed monthly fee

Decision

  • Chosen Option: Authress
  • Justification: Authress provides many of the features we need and is a SaaS product designed to scale automatically. It also has plenty of documentation and support. It's comparable in cost to Firebase since it is also usage based. Additionally, it provides a robust Authz solution, which we can use to implement access control in our application.

Appendices