One major component of our thesis project is the ability to authenticate users from their Facebook accounts and vendors from their email address/password combinations. To do this, we could either 1) roll our own authentication scheme where our server issues JWTs to our clients or 2) use a service that issues and manages the JWTs for us. To preserve our sanity, we chose the latter, specifically, the identity and authentication service Auth0.

Auth0 gives users a way to log in via custom, open-source web forms called widgets, which can be filled out with username/password combos or used through social integration buttons that allow third-party authentication by Facebook, Google, Twitter and others.

Auth0 also gives you the option of customizing your login/signup pipeline by implementing your own rules in a sandboxed vanilla JavaScript environment with a few optional npm modules such as pubnub, azurestorage, q, or mongo. You can, for example, set up a rule to automatically notify your server via a PubNub channel every time a user signs up for your service.
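As an added example (not code from the original post or from Auth0), here is how such a signup-notification rule could be written. The `(user, context, callback)` signature and `context.stats.loginsCount` are Auth0's rule API; `publishSignupEvent` is a constructed in-memory stand-in for the pubnub publish call so the logic runs offline.

```javascript
// Added example: an Auth0-style rule that notifies a backend only on a
// user's first login (i.e. signup). The real rule would publish through the
// pubnub module; publishSignupEvent below is a constructed stand-in.

// Stand-in for a PubNub publish call (assumption: records messages in memory).
const publishedEvents = [];
function publishSignupEvent(payload) {
  publishedEvents.push(payload);
  return true;
}

// Auth0 rule signature: (user, context, callback).
function notifyOnSignup(user, context, callback) {
  // context.stats.loginsCount is 1 on the very first successful login.
  const isFirstLogin = Boolean(context.stats) && context.stats.loginsCount === 1;
  if (!isFirstLogin) {
    return callback(null, user, context);
  }
  // Forward only what the backend needs. Never send the whole user object:
  // it can carry provider access tokens under user.identities.
  const payload = {
    event: 'user.signup',
    user_id: user.user_id,
    email: user.email,
    email_verified: Boolean(user.email_verified),
    connection: context.connection, // e.g. 'facebook' or 'Username-Password-Authentication'
    signed_up_at: new Date().toISOString(),
  };
  try {
    publishSignupEvent(payload);
  } catch (err) {
    // Notification is best-effort: a PubNub outage must not block the login.
    console.error('signup notification failed:', err.message);
  }
  return callback(null, user, context);
}

// Helper to run the rule outside the Auth0 sandbox and capture the callback result.
function runRule(user, context) {
  let outcome = null;
  notifyOnSignup(user, context, (err, u, c) => {
    outcome = { err, user: u, context: c };
  });
  return outcome;
}
```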

By default, Auth0 stores your users' credentials securely on its own servers, but you can also opt to have the same credentials stored in your own database by using the mongo or mysql npm modules within a rule that runs like a hook on certain types of authentications.

In addition, Auth0 provides many other enterprise services, such as analytics and a web management dashboard. I think we made the right choice in opting out of rolling our own authentication, and I hope this post will help you make the same decision. Thanks for reading!