Pure social authentication

Hello, I have some questions about adding social login. Currently, I am using dbAuth and I want to add social login like FB, Google, etc.
I know some third-party plugins like auth0 able to achieve it but if I want to remove the logo I need to pay for it.
Is there anyway to add the social login easily just like nextauth?

There are a couple of threads on here about adding Oauth apps to the dbAuth flow:

We don’t currently have anything on the roadmap for supporting third party logins natively in dbAuth, (there are plenty of third party auth solutions available) but if someone wants to try adding Oauth support to dbAuth they should open an Issue as an RFC and talk about a proposed solution. We would be more than happy to discuss!

1 Like

There is already an RFC (of sorts) by @Irev-Dev here extending dbAuth with SSO by Irev-Dev · Pull Request #45 · Irev-Dev/redwood · GitHub
@rob I’m sure he’d love your input on that.

1 Like

I didn’t even realize that was an open PR! Just commented, thanks for the heads-up @Tobbe!

@dthyresson I know you’ve looked at the Supabase GoTrue-based auth libs. What do you think about adding something like their SSO support to dbAuth? (I made a comment to the same effect on the PR linked above)

(To be clear, I don’t mean using their lib, just taking inspiration and doing something similar on our own)

FYI I read SSO as single sign in not social login, but I assume you are asking to support third party auth over OAuth in dbAuth.

Personally, this is a slippery slope towards implementing full-featured authentication service inside Redwood and is something I am not in favor of.

If you are not careful you’ll have to build soooo much. Mail. Password strength. Auditing. Admin api. Callback whitelisting. App and user metadata. Multiple identity provider support. Account blocking. Login attempt anomaly detection. IP address spoof detection. Token refreshing.

Then you’ll want passwordless and magic link. And then SMS one time password authentication. And then support multiple phone providers.

Oh and then 2FA or even MFA.

And then you’ll have to do GDPR protection on all your user profile data.

And what happens if your password salt is compromised? Or you leak the hashes?

Where will it end?

I see dbAuth as a light weight and limited alternative to the authentication as a service providers and one that should be used with some understanding of its limitations. It’s nice to get you started.

Authentication isn’t just a user record in a database. It’s a product.

2 Likes

Fair. Still, there are people that would like to use redwood in their company and not in the internet. And usually you would want to use oidc there, which uses the user from a keycloak or a gitlab instance.

1 Like

I’m doing parts of this now via Oauth implementation via GitLab

1 Like

Fair. In my field of work (law applications), self-hosting is critical. Other institutions, like universities, want to stay independent of third parties as much as possible.

I’m interested in how you are going to approach it. I’d offer to help if there is a repo to work on.

You can find that linked in the other forum post.

1 Like