Sick of spending time on Auth, we built an open source 'Stripe for Auth'

545 points by advaitruia ↗ HN
We (my cofounder and I) have built several startups previously and spent an unnecessary amount of effort on auth. This led us to build an open source alternative to Auth0 and AWS Cognito, that’s called SuperTokens. We’ve spoken to 100s of developers and startups to understand the pain points with current services and we hope you find this useful!

Why did we build this? To be able to control our user data and have it stored in our own database. Have certain customisations that other identity providers do not offer We couldn’t afford to pay It took too long to understand the documentation of alternate service providers

How are we any easier? We think that Auth0, Firebase etc are great services but auth is complex. There are many different use cases for different types of apps. Since services have to cater to each of these, they tend to become complex in their implementation (due to no fault of their own).

SuperTokens takes a modular approach - making it possible to pick only the features you need for your use case. This means you need not worry about complications associated with other features (eg: SSO and OAuth if you don’t need it) and this in turn makes it easier to implement and manage SuperTokens.

We are still early in the journey and working hard on building more functionality.

Please see our website: https://supertokens.io/ Our GitHub: https://github.com/supertokens/supertokens-core

Do let us know what you think - specifically whether you would consider SuperTokens for your app. Why or why not? What can we change or offer?

PS: We did a "Launch HN" post earlier when our product was only for securely managing session tokens (https://news.ycombinator.com/item?id=24306572). We realized we need to build more of the auth stack (signup / signin, social login etc) and hence we're excited to announce that we've built basic login functionality.

347 comments

[ 5.1 ms ] story [ 286 ms ] thread
(comment deleted)
I would absolutely consider this once email verification exists for new accounts. But not until then.

It looks like a good feature set and yes, I would love to use a solution from someone who focuses on auth vs. rolling my own.

I do think your documentation could be expanded. You have some examples of how to use it with Netlify, but I'd love to see example apps for other cloud providers as well (Heroku, in my case.) Similarly for the react-auth documentation - the basic syntax of how to use it is a good start, but a full working app demonstrating its use with role-based authorizations would put it over the top to prove to me it could meet my needs.

Thanks for the valuable suggestions! Email verification is next on our list of features. We plan on providing an "active" method which requires you to verify the email to sign up, and one "passive" method which reminds you to verify the email from time to time post sign up (similar to many social networking sites).
For what it's worth I think email verification functionality would make me more keen to use a service like this!
Thats worth a lot! Would you mind sharing your email ID or ping me on: advait at supertokens [dot] io? I'll drop you an email as soon as we have it built
If email (or another mode of ) verification was added I'd be entirely on board for my next project (still in planning stage)
Thank you MH15! Its clearly top of the list for many people and it will be out before you need to build auth for your next project :)
Do you have a uservoice page or issues on github where we could vote in support of a feature like this?

I know "me too" comments might not be the most helpful but... this sounds like the only blocker for me too!

We don't have that unfortunately. However, a quick hack is to upvote an issue related to the feature you like the most, or create an issue in case it does not exist.

But thanks for the idea! It's a great one.. will have a look at it.

Firebase Auth. One and done.
Can confirm. Just built out a little react MVP using firebase. Auth took mere minutes.
Authentication is a solved problem; authorization is not. External authentication makes your system brittle, so I'm glad to see you can self-host SuperTokens for free.

I've been working on Enterprise Access Control (EACL) in my spare time, an embedded Datalog-based library with a uniform declarative Clojure API that lets you write grant/deny ACL rules in the shape: Who, What, Why, When, Where & How that goes a little further than Role & Attribute. Link: https://github.com/theronic/eacl

Will do a Show HN when I fix all the bugs and get it fast enough.

Tokens are an interesting approach to future-proof a young application against having to rebuild auth internally. I like your up-front Pricing Philosophy section.

Worth to mention in the same area regarding authorization engine with APIs is OPA [1] which is relying on a Datalog inspired language: Rego.

I agree with you that authorization is lacking a set of standards allowing interoperability. The only known practical one XACML, has not seen wide adoption. OPA through its design and API allow useful feature for Enterprise use cases for which Styra [2] (founder of OPA) is selling a solution based on those APIs.

Note: I am not affiliated with Styra in any way.

[1] https://www.openpolicyagent.org

[2] https://www.styra.com/

> is a solved problem

This expression is idly thrown about nowadays. It implies that a solution exists and can't be further improved upon. Just because a solution exists, or is the current fashion, doesn't mean it's a 'solved problem'. Beer brewing is a 'solved problem'.. yet there are some brews you couldn't pay me to drink. Interesting problems are never fully solved, they are simply iterated on over and over. Payment processing was a 'solved problem' until Stripe came along. Assembly line manufacturing of cars was a 'solved problem' until Toyota showed Ford how it could be done better.

Cue Zed Shaw and "The ACL Is Dead"...

I once worked on a project for flexible authorization called "SecureKit" which attempted to be a common criteria evaluated system for any kind of authorization. It quickly became apparent that it would pretty much have to be Turing complete to satisfy the general case.

For example, some systems anyone can authenticate when a fire is occurring in some other areas, but normally only a certain set of people can have access to it.

Yes, this is what I realized too. It is why EACL is embedded in the application layer instead of trying to run in a layer above it. To do authorization properly, rules need to be embedded alongside the secured data and decision code needs to run next to application code.
Authentication is not a solved problem. Every ecommerce website out there rolls their own, usually with obvious flaws. Some major banks too.
Sick of spending your time on auth, you decided to spend all your time on it?
Haha we both did laugh at this one.

I mean we were sick of doing it when we trying to build a product whos core value prop was different because auth was a distraction. We wanted to focus. Now that we're focussing ON auth, we are happy to do it cause it is the core product

If a thing annoys you it'll probably annoy a lot of people that are probably willing to pay to solve the problem.
It annoys me for sure and which it were simpler. What I found when integrating SAML is you have to work with whatever login code you already have which will build in assumptions across your app.
It's a pain point. It's always a good place to plant your flag.
This is a good idea. But I think a lot of your potential customers will struggle until you get OAuth2/SAML options, so they use you can offer premium auth options for their enterprise customers.
We’re using Keycloak.org which is a great product, easy to use, a lot of functionality (if you want to), deplorable “on-premise” and does offer everything what you expect from modern user authentication and management system. You should check that out, user auth is indeed a solved problem.
Keycloak is a worthy alternative, no doubt. There are a few reasons we built SuperTokens - despite knowing about Keycloak:

We've taken a modular approach which is different from most. This enables you to only pick the features you want for your use case and not worry about unnecessarily complexity.

We provide far more flexibility and options on the frontend as well

KeyCloak is a small part of the Redhat (and even less significant for IBM, the owner of Redhat). For us, our team and company is 100% dedicated to building auth. Its do or die for us. While this may not sound tangible, we'll constantly be innovating (and hopefully out executing keycloak).

Keycloak does not offer a hosted version of the offering. In our opinion, a hosted open source product is still quite distinct from a proprietary SaaS product.

We provide the most robust solution for managing session tokens. We mitigate against all types of attacks and detect token theft using rotating refresh tokens. One of our libraries to solve for edge cases (browser tabs lock) is actually used by Auth0 as well and has 250K weekly downloads on npm.

Finally - in general, we've had feedback from Keycloak users that they've had a poor experience deploying and managing Keycloak and would switch to a good alternative, if there was one. I understand that this was not true for you.

If you do get the opportunity and decide to try out supertokens, we'd love to hear about how your experience compares between the two.

How about keycloak-gatekeeper? Do you offer something similar?
Is SuperTokens multitenant capable? My understanding is that keycloak suffers in a multitenant enviroment with a sufficiently high number of tenants.
To an extent, yes: https://supertokens.io/docs/emailpassword/common-customizati...

Typical multi tenancy implies that the auth experience and data is isolated per tenant. However, often b2b companies simply want to provide an auth experience to their client within a specific subdomain. They do not mind the auth data be stored in the same db tables as other clients. If this is the use case, then we do support it. If you want strict isolation of auth per tenant, then you will have to deploy multiple instances of the SuperTokens core (as of today).

I'm also curious about multi-tenancy.

Can I store users in per-tenant databases? Maybe if I forked the stroage plugin and modified it to do that?

(comment deleted)
I cannot imagine building auth into a system now without using Keycloak.

It's a comprehensive platform for sure, which makes for some pretty intense concepts and documentation.

But once you lay your hands on a suitable tutorial it's dead easy to get running, and you'll never find yourself stuck when some PHB asks you about your password rotation policies, 2 factor auth, SAML, SSO etc. etc. Keycloak does everything you could ever want for auth.

I think Keycloak is very complicated. Lots of things to learn. It is like a space shuttle with lots of settings.
Keycloak is great software, and I am thankful to Redhat for keeping it open source and maintaining it. But I do not believe that a production deployment of keycloak with HA, backups, customization, integrations, upgrades etc. is easy at all. It takes time and planning to get it right. Depending on the constraints, it isn't obvious to me why it would win by default over SaaS alternatives, or simpler on-premises alternatives like OP's.
> HA, backups, customization, integrations, upgrades etc

I confirm that, we had a bunch of problems with upgrades in one product. In long term keycloak introduced more headaches for ops than we devs had implementing integrations with auth0 or okta. That was before KC10.

Curious what sorts of headaches there were in this. We're currently in the process of implementing KC12 using the docker image, a User Storage SPI (our users exist in our legacy master database which is synced from an external billing system), and it's looking so far like it'll be a fairly simple setup. This is basically just acting as a OAuth shim between our primary database and an external service provider in our case, which I imagine keeps the complexity down. But I'm wondering what you might have run into that we haven't yet. Thanks!
Keycloak feels a bit like a nuclear power plant control panel to me, so I'm happy to see an alternative like this pop up.
> a lot of functionality (if you want to), deplorable “on-premise” and does offer everything what you expect

Baseod on the rest of your comment, I think maybe deplorable was not the word you intended to use there?

Keycloak is not my favorite thing - it's unnecessarily esoteric and complicated IMO - but I agree it does do pretty much what this is listening.
On a technical level how does this compare to Mozilla Persona?

Still sad that Persona died before it could gain some traction.

I did find amusing that one of the talking point is to not have to trust AWS with your auth, but you offer a SaaS.

(I haven't read details of the SaaS, maybe all data is still hosted outside of your service, but I would doubt it.)

Not a problem, but a bit of a contradiction. OTOH, SaaS does alleviate some pain.

Yea for those that do not trust a third party, we also offer a self hosted version in which all the data is stored in your own db.
A lot of companies would rather not send their user data to a 3rd party. For those, we offer the option of self hosting. The ones that you do not mind using a 3rd party, we also offer a SaaS version of our product.

And yes, indeed. We will add the option where our SaaS will also write to your own DB as opposed to ours.

Is it fair to categorize the pitch here as "a simpler AWS Cognito"?
Don't forget that you can self host as well. That, for some use cases, is a simply killer feature.
I got experience mainly with firebase and identity server. What is the usecase for supertoken instead something like identity server for .net, whatever Java spring uses or something like django or flasks authentication?

I’m far from an expert, but in past startups I’ve been scrambling to get SSO working for b2b saas, they bluntly said. Without sso we don’t want to use your service. So that was moved up our roadmap.

Even something like e-mail verification is something I will not go without anymore. It’s mandatory in some countries.

Honestly, next service that I will build will just be federated or magic email link if I can get away with it.

From the frontpage I cannot understand yet what makes this easier then the options above. Is this something you would use for your first 3000 customers? Imagine being the cto, when would I feel confident going for something like supertoken?

Also, it’s easy to ask questions like this, less so than building amazing things, so definitely Congratulations on the announcement!

Thanks for your comment :)

> What is the usecase for supertoken instead something like identity server for .net, whatever Java spring uses or something like django or flasks authentication?

We plan on building a much more feature rich auth solution in a modular way - providing passwordless, 2fa, social, email / password login (exists already) + very secure session management using rotating refresh tokens (exists already). Being "modular" will enable users to only pick what they care about making it easy for them to implement. So we differentiate in terms of features and simplicity of use.

> Even something like e-mail verification is something I will not go without anymore. Makes sense! Next on our feature list

> Is this something you would use for your first 3000 customers? We aim that this would scale to a very large number of users - so you can implement it once, and then spend minimal time on it after.

+1 for SAML 2.0 SSO support. I see this gap a lot in early SaaS products, it's a must if your product wants to onboard enterprise customers.
Congratulations on the launch! Innovation in the Auth* space is really necessary. How do you plan on differentiating from other open source solutions, such as https://github.com/ory/kratos or https://github.com/keycloak/keycloak?
Thank you! I answered a similar comment which it seems like you've seen. Not sure I understood your response on that one. Why was the tone deplorable?
I think you confused the threads :)
Oops, yes I did - haha.

But I hope it answered your question?

Also, when you say innovation is neccessary - what makes you say that? In the sense that do you have any specific pain points or innovation in mind?

Sounds like this may pair with something like OSO for Python (osohq.com), thanks! Do you plan to directly support language specific client libraries or are you looking for community support of that work?
Yea! Integrations with OSO makes sense! We do have plans to support language specific client libraries.
Interesting idea! I did a quick look through your site and have a few issues:

1. What MFA methods do you support? TOTP? App based auth? U2F? FIDO2? (FIDO2 USB? BLE? Platform authenticators?) Smart cards (especially for enterprise)? Backup OTP's? New device detection?

2. Your docs mention not playing nice with password manager autofill by default. Are there plans to address this?

3. Password reset emails come from @supertokens.io, which specifically raises phishing red flags when you get a password reset email from a domain that is not the one you're logging into. How would an integrator go about addressing this?

1. Right now, we only support email + password login. But plan on supporting MFA soon. The exact supported methods are TBD.

2. The reason that happens is because we do not use iframes for the login UI. We provide a React component instead. The issue with that is that there might be CSS clashes and to prevent that, we use shadow-root (HTML feature). On certain browsers, password managers do not work with a shadow-root. So we provide a config that the user can set to disable the use of shadow-root. This would solve the password manager problem, but the developer will have to make sure that CSS does not clash.

3. This behaviour is the default one to quickly get started. We provide callbacks on the backend SDK that devs can override to send a password reset email using their own email ID domain.

> On certain browsers, password managers do not work with a shadow-root.

Eek. Worse than that, certain browsers (e.g. IE11) don't support Shadow DOM at all! You may wish to consider widening your browser support.

Oh! Thanks for the heads up! I have created an issue about this on our github, referencing this comment.
I second this! Please prioritize TOTP / U2F over social logins.

I might be off base here, but does anyone really leverage social logins anymore? Seems like it's the worst case scenario for auth in the case that a customer can no longer access the associated social account? Basically in every case you'd have to provide an antiquated flow for them to "re" sign-up with an email. I'm genuinely curious of the value add here, outside of using Sign In With Apple (since it parlays nicely into Apple Pay integrations).

> I might be off base here, but does anyone really leverage social logins anymore?

I'm sure there are on tiktok and other popular social apps.

I always use social logins if I can, much easier for me and no password to remember (even if I use password manager). I think most people (non techie) use social login.
From our conversations with developers, a surprisingly large number of their users use social login - even when the site provides alternatives. Many have categorically said that they cant use any solution without social login. And we've seen this generally be true across many use cases
We've been working on a project similar as supertokens, but does not mess with password manager and with TOTP and WebauthN support (Yubikey is tested).

The project really needs a great frontend. Right now it's mostly just a an API with all these features. It's also MIT licensed:

https://github.com/curveball/a12n-server

Note that WebAuthn (the standardized replacement for U2F, you should not deploy U2F today) is deliberately designed to authenticate to the site you're actually visiting. It is possible (but not necessarily in all browsers) to override this and authenticate to an iframe for example to allow a third party to authenticate but this creates yet a further problem to deal with:

Now you've got WebAuthn's anti-phishing protection for the actual login, but that protection extends no further. As the native authentication of a site (e.g. Google, GitHub, Facebook) that's fine. But for a third party helper that's a problem.

Say I intend to visit my hypothetical WebAuthn enabled bank. If I go to https://fake-bank.example/convincing-phishing-page/ there is no way for them to get my real-bank.example credentials. The browser vendor is responsible for making sure this is true.

But now suppose they use "Super Tokens" instead, and I protect my "Super Tokens" with WebAuthn. I go to https://fake-bank.example/convincing-phishing-page/ and the bad guys who run it only need to fool "Super Tokens" into giving them a working token for my real bank. I authenticate with WebAuthn to Super Tokens and so that's working fine, but any flaws in the Super Tokens backend or implementation, out of my control, put me at risk. Not great news.

And this has already happened (as proof of concept anyway), to existing players in the space. It's categorically less safe to do this.

This would only be a threat if you're using the SaaS, right? If you self-host the user is still authenticating directly with your services, it's just that your services run a pre-made solution on the backend.
Thank you for working on such a horrible problem for developers. Looks amazing tbh. Will definitely try this out on a future project.

Edit: open source part = huge. Great work

Thank you for your kind words - its really encouraging! Please do let us know when you are trying it out, we'd be happy to help and hear your feedback. You can join our discord (https://supertokens.io/discord) or email me at advait at supertokens [dot] io
I'm really happy to see a service like this and I wish you the best of successes. BUT :) If you're going to call yourself the "Stripe of X", please work on reaching the bar they've set for documentation.
Thank you so much! Appreciate it.

Also, we agree - we have a lot to do before earn it (but also a fair comparison would be to Stripe's docs when they were new as opposed to today).

For anyone else wondering: the frontend depends on NodeJS and the backend is Java.

Ooof.

I came here to question exactly that.

> Note: Login is currently available only for Nodejs. Other tech stacks will be supported soon

That's a very very odd combination.

We have SDKs for other backend frameworks as well (like golang, laravel...). But those only have a session feature, and not login. Hope this provides some clarification.
I was mostly confused that you would write something in Java that doesn't target Java.

I'm writing stuff in Java (and Kotlin and Clojure) and, even though it looks cool, won't look too closely unless it supports Java.

Yup. This. Give us an embedded library that will work with my Java app. JAX RS or or at least callable from within my JAX RS resource. Spring would be nice, too.
Do you have a ETA for flask login support? I literally just rolled my own but I'll want to switch it over at some point.
We expect to have Flask login ready sometime early next year. If you could drop me an email on advait at supertokens.io - I'll let you know when its released!
So the core is written in Java. The core is a http microservice that contains the main auth logic + interacts with the database.

The backend API queries the core for sign in / sign up / sessions etc... This can be in any framework, and we decided to choose NodeJS first. Here, the user does not have to interact with Java at all.. just simply use our NodeJS SDK that internally calls the core's APIs

The SuperTokens microservice is in Java. The backend can be in anything (like nodejs) - for which we have an SDK that developers interact with.
How does this differ from something like Gluu?
How does this compare to something like Dex or Ory?
feedback after 30s of looking into this - i'm not understanding what this is without email verification and social login
For now, it's just email, password login, with forgot password flow and secure sessions. Email verification is next followed by social login :)

Thanks for your feedback

I'm just in the process of setting up our Auth system now with cognito. It sure is painful! Looks like you guys have everything I need except social login.
We're building email verification and social login at the moment and would love to have it ready in time for you. When do you plan to launch your product by?
Hoping to launch in January
Do you mind sharing your email ID or dropping me an email at advait at supertokens.io? We should have it ready by Jan (and hopefully in time for you)
This is an idea that I briefly pursued for the same reasons you list, namely that it's a ubiquitous problem which needs to be solved repeatedly.

But in a rough design sketch as to how I would create a generic solution, I made the auth service a proxy for the main app. So user data would be verified and decoded in the proxy, and the app could trust the passed token. This removes the need for a back end driver.

I'm curious about why you didn't choose this approach, and instead made the auth service callable from the app?

This is a complicated decision to have made and perhaps a blog post is needed for this. But here is an attempt to answer it:

A complex enough app will require modifications to the auth flow. Most services achieve that via webhooks or by forcing devs to write code in their "dashboard". This code would then live outside the main codebase which is annoying. So we thought that if someone was making their own auth, they would want to have all their code in their backend API itself. The best way to allow that was to hide the auth server behind their API server (which is a proxy to the auth server for certain APIs like sign up / sign in etc..)

I suppose another upside is that you can do token validation in the app and not need to have proxy communication on every request.
Would love to see some code examples on the homepage.

When I did find some code, using "recipe" and "recipeList" in your packages and examples was confusing. At first I thought the example code was a recipe app as the hello world.

What exactly is a "recipe" in the context of supertokens?

I understand your confusion. You are right, we need to improve our explanation.

A recipe is essentially an auth experience. So auth with email + password (with forgot password & email verification) is a recipe.

Social login is another recipe. This recipe is independent to the one mentioned above.

There will also be a recipe that has both, social login and email password (like other auth providers).

The idea behind recipe is to allow devs to pick only what they want and not have to think about anything else - making development easier for them.

Am I the only one weirded out by this page using the word "auth" exclusively? Like is this some kind of slang now?
It's a nice shorthand for authorization, authentication and user management. I use it myself.