
Ask HN: What are problems with implementing authentication and authorization? - aichbauer
Hey y'all,

I would like to hear strange problems you encountered while working on authentication and authorization (when you work on a mobile app, or web app, etc...). What are things you did not think of before implementing your system? How would you avoid such problems?

If you are using Identity and User Management Services (or probably you work there) like Auth0 (or others), why are you using it and what are you missing?
======
photonios
Auth0 solves pretty much every problem I've encountered. Which is, admittedly,
not a whole lot. It's not that these are super hard problems, it's just that
it often seems like a waste of time. Instead of working on authentication and
authorization, I'd much rather focus on the actual functionality.

Problems I encountered:

* Normalized user profile using data from various identity providers [1].

* Passwordless login [2].

* Using custom SMS gateway for passwordless login or 2FA [3]

There are no stable, polished, feature-rich alternatives to Auth0 that are
affordable. I know that's a lot to ask for, but since you're asking: Auth0 is
very nice, but prohibitively expensive. There are also not a lot of maintained
and stable alternatives. Pretty much the only one I am aware of is Keycloak.

[1]
[https://auth0.com/docs/users/normalized/auth0](https://auth0.com/docs/users/normalized/auth0)

[2] [https://auth0.com/passwordless](https://auth0.com/passwordless)

[3]
[https://auth0.com/docs/connections/passwordless/guides/use-s...](https://auth0.com/docs/connections/passwordless/guides/use-sms-gateway-passwordless)

~~~
aichbauer
Thank you for your answer. Yeah, I encountered the same problem. When you want
to start work on a new project you do not want to waste time on
authentication and authorization. Thanks for the links you provided. I will
take a closer look at Keycloak.

Yeah, having 100 different kinds of user information and not one
standardized way is a big problem. Do you think Auth0 and Keycloak (if they
normalize) solve this problem in the best possible way?

Passwordless logins and 2FA are a good thing to point out. I will take a
closer look at these "problems"/"solutions".

------
shynrou
The browser can have two cookies with the same name, with variations in path or
domain, but still transmit both in an HTTP request. This causes most cookie
parsers to make mistakes since they expect only one.

Also on the note of cookies, modern browsers do not delete session or stale
cookies if the browser was not closed properly, e.g. the user just shuts down the
system without closing the browser.

~~~
aichbauer
I did not know that before. I mean, of course you can differentiate between
them because of the path and domain, but still this can cause problems. Do you
have an example of when you would like to have the same cookie for different
domains or paths? Is it most likely a problem that occurs when programmers
create cookies for the wrong path or domain? Or would you say there is a use
case for that?

~~~
shynrou
The server does not receive the path and domain info, so you can't
differentiate at that point.

Yeah, domain-wise, if you have a cookie set for example.com and
test.example.com, and the user is on the latter, it would send both cookies. This
may be wanted for a common login system. In general, yes, it can be avoided if
potentially conflicting apps use different cookie names by default.
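
The duplicate-cookie situation described in this thread (two cookies named `session`, one for example.com and one for test.example.com, both sent on the subdomain), as an added example that is not code from any commenter: a typical one-value-per-name parser silently keeps the last value, while a parser that keeps every value lets the server notice the ambiguity and refuse to trust either token. The header string is constructed for the example.

```python
# Added example: how a "Cookie:" header carrying two cookies with the same name
# looks to a server. The server sees only name=value pairs, never the Domain or
# Path attributes, so it cannot tell which of the two the client meant.

# Constructed sample: the browser on test.example.com sends both "session" cookies.
SAMPLE_COOKIE_HEADER = "session=abc123; session=def456; theme=dark"


def parse_naive(header: str) -> dict:
    """Typical one-value-per-name parser: a later duplicate overwrites an earlier one."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def parse_multi(header: str) -> dict:
    """Keeps every value sent for each name, so duplicates stay visible to the caller."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies.setdefault(name, []).append(value)
    return cookies


def session_from_cookies(header: str, name: str = "session"):
    """Return the session token only when exactly one value for it was sent.

    Two values are ambiguous (the server cannot know which domain or path each
    came from), so neither is treated as a valid session; the caller should
    clear the cookie and ask the user to authenticate again.
    """
    values = parse_multi(header).get(name, [])
    if len(values) != 1:
        return None
    return values[0]


if __name__ == "__main__":
    print(parse_naive(SAMPLE_COOKIE_HEADER))          # session silently becomes def456
    print(parse_multi(SAMPLE_COOKIE_HEADER))          # session: ['abc123', 'def456']
    print(session_from_cookies(SAMPLE_COOKIE_HEADER)) # None: ambiguous, not trusted
```

Using distinct cookie names per application, as the comment above suggests, avoids the ambiguity in the first place; the strict check is the fallback for when that is not under your control.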

