Hacker News

Clerk really is awesome. This is a good write up.

One thing I disagree with is the firebase recommendation. I’ve used it several times and it seems to consistently lead to misery. I haven’t worked with a single team in which everyone was glad they picked firebase. Auth has been part of the problem in several cases.

If you want to go with off the shelf features and behaviours, maybe you’ll be happy. React integration is definitely awkward as mentioned in the post.

I’m looking forward to the post on Ory. At the moment I use Clerk by default.

It’s possible to implement everything it does yourself, but it does such a solid job by default for such a low price that, unless your budget is $0, it’s hard to justify rolling your own. I believe they even have a fairly generous free tier, too.



That's really weird, I have created 5+ production applications as part of my consultancy, out of which 2 are $1M+ ARR now. I am curious, what are the issues you ran into while using Firebase auth?


I should have prefaced this by saying if you follow the happy path, firebase auth is probably fine most of the time. But here are some issues I can recall (it has been a while too, so maybe some of this is fixed):

- No session management apart from the JWT
- No way to force-logout users across devices
- Can't easily track active sessions
- State sync across tabs can be weird
- 1000-byte limit for custom claims
- Claims require a token refresh
- No user impersonation
- RBAC is pretty miserable to implement with rules
- Auditing gets expensive quickly
- Auth emulator doesn't quite match production behaviour
- Quota limits for email sending are brutal
- Token revocation support isn't great
- Testing custom claims is messy
- Password policy customization doesn't seem to exist (maybe I'm bad at docs though)
- Backup/restore of auth is pretty ugly
- Probably not typical to need, but integrating with existing user databases is basically not a consideration in the design of the system, so glue code gets huge fast (think integrating with Stripe customers for example)
- Auth lifecycle events are pretty limited
- No support for custom auth providers
- Custom token signing is poorly documented and difficult to reason about

Most of this is due to firebase auth being opinionated. This is fine if you don't need it to be flexible.

I could also be behind the times, but this was my experience over many projects spanning many years, so I imagine it's probably similar today.



