2022-08-28 @Gao Sun
Intro
How do you build the end-user sign-in experience in your apps? Going back 20 years, I believe the answer would have been “do it from scratch”. Things were simple:
- Use FrontPage 2000 to draw username and password input controls; then a submit button.
- Use the built-in session utility to store user sessions in memory.
- About security? MD5 is the answer.
Never heard of any of the above? Then it’s a pity you missed the “good time” of software development. Nowadays, developers face a whole series of challenges when building sign-in / sign-up:

Twenty years ago vs. now (a small part of our Figma design files)
User interface
- Username + Password
- Phone number passwordless
- Email passwordless
- Social sign-in with Facebook, Google, GitHub, etc.
- Forgot password flow
Cross-platform
- Desktop web
- Mobile web
- iOS
- Android
Identity service
- Sign-in / up APIs that support multiple sign-in methods
- Set up social sign-in one by one
- Read identity provider docs
- Integration and testing
- Single source of truth to collect and map all identity sources to a specific user
Security
- API protection
- Attack prevention: XSS, CSRF, etc.
- JWT / JWS / JWK
- OAuth 2.0 / OpenID Connect
- Authorization Code Flow, Client Credentials Flow, Device Authorization Flow, PKCE, etc.
🤦 Hold on, hold on. All of these are only about user sign-in / sign-up? Without them, I cannot even start my “real business”? Do I need PMs and designers for this, since the UI logic looks complex? Easy: the answer is yes and no. Let me explain:
- Yes, because:
  - You’re going to build not only a “sign-in UI”, but also a unified user identity system that supports multiple sign-in methods and identity sources.
  - When you or your company grow, or you want a decent and secure user experience around identity, you’ll find these things are mandatory and fundamental. You’ll appreciate it if they were built from day one (or regret not building them).
- No, since they’d be months of work in real life, and you usually don’t need all of them in the beginning. E.g., we start with a single-platform app, and social sign-in is the sole sign-in method. But it’ll be a huge pain to refactor when:
  - Your app has accumulated plenty of user data.
  - You are going to develop a new app and want to reuse the same user system.
Say you are building an all-in-one workspace app (e.g., Notion). Hey, is any of the above related to your business?
Life is short
I love coding, and I can precisely feel the bad mood of being stuck in the early stage of a project. If you are an indie developer, you’ll also find the sign-in and identity stuff repetitive: almost EVERY app needs it.
Things I’ve tried
- Keycloak has comprehensive features but feels a bit “old school” to me.
- Ory looks really cool, but it doesn’t have a configurable and cross-platform UI.
- Supertokens is a rising star, but it has to be injected into the backend service.
- Auth0 is a big, mature SaaS in this area, but it’s hard to figure out how to set up the unified UI the way I want, e.g., making social sign-in the primary method.