Redwood: Support Authentication

I'm concerned about the financial cost of using Netlify Identity. It's free to add Identity to the Netlify free "Starter" level with a limit of 1000 active users. At the “Pro” level, which costs $45/mo, adding Identity costs $99/month, with a limit of 5,000 active users. Apparently “active users” is the number of users who log into your site during a month. Consider the use case of a gated content website ("sign up with your email address for access to a free tutorial"). Without devolving into a discussion of what is fair pricing or sustainable for various use cases such as SaaS, the model itself (with cost of hosting tied directly to the number of users) would inhibit use of Redwood for some use cases. For sake of comparison, adding Devise to Rails for authentication costs nothing. I hope there's a way to add authentication and authorization to Redwood without restricting the use case to be less than universal.

I like the idea of a flexible auth layer that can use various backends, some paid and some not, so the developer has choices. This should be an adapter layer, not wired to one specific service.

@chris-hailstorm I agree 100%. We'd like to offer many integrations that all make it easy to get auth going, including owning all your own user data in your database.

I need RBAC authorization that costs nothing. Netlify Identity is expensive.

Not JAM, still want to share: https://www.ory.sh/

Could put this work at the highest priority?

Update: work on Auth integration is happening now. It's early so there's no timeline, but this is a top priority right now.

The current plan is to support both Netlify and Auth0 out of the box. And we are thinking about ensuring ways to implement a different Auth in your app if desired/needed.

More to come.

Django has Auth as a first class feature supported by the framework. Perhaps Redwood can pull in PassportJS and add Prisma generator boilerplate?

There is a number of authentication abstraction layers for JS:

https://blog.bitsrc.io/6-javascript-user-authentication-libraries-for-2019-6c7c45fbe458

I believe PassportJS requires Express in order to function. This may be an issue if the deployment target is Netlify Functions or other serverless runtimes.

I took a look at the Passport option a while ago. Appears the only way to use it is via the serverless-http wrapper, which is very fat. I don't think it works well in the Redwood footprint.

There is also something like https://magic.link

It is simple enough to replicate the functionality in Redwood.

What about having plugins, like Gatsby. So we could use existing auth plugins or roll up our own auth.

@Jaikant that's clearly the right approach. People will have need of many different auth providers.

@thedavidprice we (Auth0) would love to collaborate on this. Are the design discussions happening somewhere? slack?

@woloski Wow, that would be fantastic. Thanks in advance! And your timing is perfect.

The leads on the project are @peterp from the core team and @chris-hailstorm. Chris has created design docs and an implementation plan, which have been reviewed by the core team and given a 👍 to get started. We have a bit more organization to do, but we have a plan in motion to open this up to the community for conversation and contribution — soon! And of course we’d welcome getting your input and help here on the front end.

For now, I’ll make sure the core team sees this. If you’re not a member of our community forum yet, you might want to sign up for “summary” emails as that’s where we’ll have community conversation and (most likely) post the docs. Lastly, the implementation will take place on our example Invoice App, so watching that project will keep you in the loop as well.

I'd really like to see a simple username/password option (potentially using argon2 or scrypt)

Grant seems to be a popular option for OAuth with integrations for many different sites

A quick update here:

A general purpose way to handle authentication is days away!

I've got a rough implementation that allows you to login, logout, grab a user and grab an auth token from either auth0 or netlify's go true library. It'll give you access to auth0 and netlify's client if you need anything specific to those (like signup in netlify)

The nexts steps are to clean it up, allow the token to passed along to apollo client, and to write some docs.

Once that's done we'll be able to decode the auth0 token on the api side and get a user's identity.

After that I would love it if the community could add firebase, and the core team will look into a plan for a simple username/ password implementation.

Related to the thought of offering an in-house approach to auth: I've got part of an initial JWT-based approach working. Only parts implemented so far are sign up, sign in, and token refresh. Next up is configuring email support in Redwood, rendering emails in-browser when in development mode, etc., which will enable email confirmation, forgot password, and other flows requiring the use of email.

I plan on writing up and sharing the implementation somewhere as I finish. I'd love to collaborate/help on a similar approach in Redwood proper, if that still is on the menu eventually.

@peterp, I see in #497 that Auth0 and Netlify are going to be supported by default is there going to be a guide on how to use a different client or if not could there be official support for magic.link's?

@Burnsy Yup! I'll add that to the docs

@peterp awesome!