IAM or self-made auth


copper jungle

So I've tried making my own auth, where I had access and refresh tokens, but now I don't know how safe or scalable this can be from my end. I've noticed that different solutions like Keycloak, Cognito or Auth0 exist that can provide an IAM solution.

Now my question is: should I move on to IAM or keep doing my own auth? So far it seems easier and better to go for an IAM.

worldly pilot

So, it depends on your needs. "Making my own auth" doesn't explain much of what is required. Will your users need SSO for multiple apps, for instance? If yes, then for sure using a finished product for IAM will go a long way to saving you (some) time. I added "some" there because, for instance, just learning Keycloak is a hurdle and will be time consuming. Just redesigning the login templates in Keycloak can take days. You'll also end up rewriting your auth code to work with Keycloak's OIDC processes. So, it boils down to what you need.

copper jungle

Honestly, I don't feel very confident with my authorization skills in terms of best practices, and from what I've seen, using IAM solutions helps you with the safety of your users' data, at least up to a certain amount, but very likely it could be better than running my own auth.

I know there's some learning involved in those IAM solutions, but I have a feeling that in the long run it will pay off.

worldly pilot

copper jungle wrote: But at the end of the day that 'some' work can translate to knowledge, doesn't it? I mean ...

copper jungle wrote: I mean, it seems like Keycloak or IAMs in general are a more robust move for us developers to deliver better apps.

Oh. Absolutely. If you aren't really, really well versed in auth mechanisms, standards and processes, doing it all on your own will be very hard. IAM providers are really well versed in these things, so you can count on them getting IAM right. Still, it boils down to your needs. If you only need auth for your own app, you just need a registration, a login and a session storage process, which isn't that hard to do.

If you need to offer federation of users across apps or you know you need SSO, then you need a whole slew of new processes, like OAuth and OIDC affords (they call them flows). This can get very tricky very fast and IAM providers take care of the server end of the IAM processes. You still have to use the flows to lock down your apps and services and that in turn is even more complicated than what you'd need to know for just putting up an auth wall in your app.

So again, it depends on what you need.

If it is just learning you are after, then for sure, trying to get an IAM like Keycloak running and using it properly will offer you tons of learning matter (and frustration 😛 ). I've gone down that rabbit hole and I'm still to this day uncertain about how to use all of Keycloak's features. It's very powerful software.

As for using a service like Auth0, you avoid the "how to run the software" learning curve. The rest is still valid.
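The "use the flows to lock down your apps" part mentioned above is the piece an IAM provider does not do for you: your app still has to validate every ID token it receives. The block below is an added example and is not code from the thread or from any of the products named in it. It assumes a provider that signs ID tokens with HS256 using the client secret (OIDC permits this; most deployments use RS256 with a published JWKS instead, in which case the signature step changes but the claim checks are the same), and it uses a constructed issuer URL, client id, secret and fixed clock. The negative cases show what a lax check (skipping the audience, expiry, algorithm or nonce) would wrongly accept.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example; the issuer URL and client are hypothetical.
ISSUER = "https://idp.example.invalid/realms/demo"
CLIENT_ID = "my-web-app"
CLIENT_SECRET = b"constructed-client-secret-for-this-example-only"
NOW = 1_700_000_000  # fixed clock so the checks are deterministic


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_hs256_token(claims, secret, alg="HS256"):
    # Stands in for the provider's token endpoint so the example runs offline.
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_id_token(token, secret, issuer, client_id, expected_nonce, now=None):
    """Return the verified claims, or raise ValueError naming the failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_seg, body_seg, sig_seg = parts
    header = json.loads(_b64url_decode(header_seg))
    # Pin the algorithm the client was configured for: the token's own 'alg'
    # header is untrusted input and must not choose the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_seg}.{body_seg}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_seg)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_seg))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("token not intended for this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp missing or wrong for multi-audience token")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    if claims.get("iat", 0) > now + 60:  # allow a minute of clock skew
        raise ValueError("issued in the future")
    # The nonce ties the token to the login attempt that requested it.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def check_token(token, expected_nonce="n-0S6_WzA2Mj"):
    """Convenience wrapper for callers: (True, 'ok') or (False, reason)."""
    try:
        validate_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID,
                          expected_nonce, now=NOW)
        return True, "ok"
    except ValueError as err:
        return False, str(err)


def sample_tokens():
    """Constructed tokens: one valid, and several that a lax check would accept."""
    good = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
            "exp": NOW + 300, "iat": NOW, "nonce": "n-0S6_WzA2Mj"}
    return {
        "valid": mint_hs256_token(good, CLIENT_SECRET),
        "other_client": mint_hs256_token({**good, "aud": "some-other-app"}, CLIENT_SECRET),
        "expired": mint_hs256_token({**good, "exp": NOW - 1}, CLIENT_SECRET),
        "forged": mint_hs256_token(good, b"wrong-secret"),
        "alg_none": mint_hs256_token(good, CLIENT_SECRET, alg="none"),
        "replayed_nonce": mint_hs256_token({**good, "nonce": "stale"}, CLIENT_SECRET),
    }


if __name__ == "__main__":
    for name, tok in sample_tokens().items():
        print(f"{name:15s} -> {check_token(tok)}")
```

The order of the checks is deliberate: algorithm and signature first, so no claim is read from a token that has not been authenticated, then issuer, audience, lifetime and nonce. With a real provider the secret and issuer come from your client configuration, and the nonce is the one your app generated and stored in the session when it redirected the user to the login page.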

copper jungle

Sounds good Scott, thanks for the feedback.

I might start with Auth0, as I've seen that it has a very good free plan, and once I know a bit I'm pretty sure I'll go full Keycloak.

At the end of the day, what I'm looking for is a reliable way of doing auth which I can set up as simply as possible and, if needed, make as complex as necessary, based on requirements of course.

worldly pilot

@copper jungle - I'd suggest understanding your requirements much better first. You might be going down rabbit holes for no real or clear purpose, and without real purpose you'll more than likely give up on the work before you finish it.

worldly pilot

copper jungle wrote: Yes sir, I'll keep that in mind always.

Also, the best way to understand your requirements and get through hard terrain (as in new tech) is to have a real-world problem to solve. At least I know that helps me a lot, because I know I've learned something once I've solved the problem. 🙂