What are the upcoming auth changes?

Is there a topic or PR I can read to understand what is upcoming when the tutorial and other docs mention how Redwood will “handle auth”? Would like to understand how it compares to Go-TrueAuth.

1 Like

Hi @viperfx :wave:.

RedwoodJS supports the GoTrue library as well as Supabase, which uses GoTrue.

Redwood itself is not “implementing” or building an authentication service, but instead it supports several major, widely used Authentication services and their clients (Auth0, Magic, Firebase, Netlify Identity, Supabase, GoTrue, etc.)

People are currently working on adding more providers to Firebase (and I think that will be in the next release so you can use Firebase for Google, GitHub, Facebook, Apple etc :point_right: @danny ) and @jeliasson is working on an Azure ActiveDirectory provider.

Best place to look is in the docs and Roadmap and then in GitHub issues for those tagged with the auth topic.

1 Like

Got it ok. So, the reason I asked is because the docs seemed to suggest something new is coming related to Authorization and auth.

See this text from Authentication | RedwoodJS Docs

If you inspect the contents of currentUser you’ll see it contains an array called roles. On the Netlify Identity dashboard you can give your user a collection of roles, which are just strings like “admin” or “guest”. Using this array of roles you could create a very rudimentary role-based authentication system. Unless you are in dire need of this simple role checking, we recommend waiting for the Redwood solution, coming soon!

So I was concerned I would implement a solution I liked with GoTrue, but it would get deprecated or no longer be the recommended way of doing things in the near future.

1 Like

Ah, I see.

Guess what :slight_smile: I worked on that implementation and there’s a cookbook now for RBAC that walks through how it works.

I’ve used it with both Netlify Identity (which is GoTrue under the covers) and Auth0.

2 Likes

Oh awesome. I followed the Netlify Identity steps inside the tutorial, and am actually about to rewrite it to go over the steps in https://redwoodjs.com/cookbook/gotrue-auth so I can have more control over the UI and logic.

Would your RBAC cookbook work well if I follow it after doing the gotrue auth steps?

Should the wording in the tutorial be changed?

1 Like

I know I was a little confused recently when looking at all the different authentication/authorization options available and I’ve been following this stuff for months, so I would say a definite yes to making the current state of auth more clear.

1 Like

Maybe we should approach the docs from a use case perspective rather than an options perspective.

For example, not that there is Auth0 and Magic and Firebase (with Facebook) or Netlify with GitHub or Firebase with GitHub … which is downright perplexing. … but rather:

I want to give my users a passwordless login

  • Auth supports that, here’s how
  • Magic supports that

I want to have my users log in with GitHub

  • Auth0 can
  • Netlify Identity can
  • Supabase can (once upgraded to its 1.0 client)

I want role access built in

  • Netlify Identity can
  • Auth0 can
  • Magic can’t etc

Something like that?

3 Likes

I really like that, for me the confusion between authentication and authorization was part of my problem so I think this solution would help me out for sure.

Especially if you don’t have any prior familiarity with these different solutions it’s not very helpful to just see a list of them.

1 Like

I like the use case approach. Maybe there could be a matrix over the use cases, like the awesome work done in the RBAC cookbook? This would allow continuing the use of the option-based approach (as I guess the Authentication providers will grow) while still having dedicated sections. Heck, it might even be worth separating the authentication providers into separate pages.

1 Like

Hey @dthyresson, the cookbook you linked above (GoTrue Auth | RedwoodJS Docs) mentions an advanced version that covers email confirmation coming soon - do you know if this is still in the works? I’m a little stuck on what to do about email invitations using Netlify identity.

Our first iteration won’t include features like Email Confirmation or Password Recovery. Those, among other features, will be covered in the Advanced Concepts section of this recipe (coming soon).

If you want to go with a GoTrue based auth provider and have more control over emails, I’d suggest looking at Supabase:

You get a Postgres database and auth – with email verification, reset etc.

I think the cookbook saying

Our first iteration won't include features like Email Confirmation or Password Recovery. Those, among other features, will be covered in the Advanced Concepts section of this recipe (coming soon).

is still TBD.

Implementing the email send, receive, confirmation, verification, and password reset involves a suite of non-trivial functions and services (email providers, email templates) and such that – for the moment – are instead very well served (in my opinion) by Supabase, Magic, Auth0, Netlify etc.

I believe that Netlify allows this manually up to a certain number via their management console.

I know you can do something somewhat similar in Auth0 via rules to whitelist a series of emails – and only allow those to login or sign up – and then you can email those people to sign up.

You could even do something similar in Netlify by using the identity-validate trigger function:

and then check a list of “invited” users and only allow those to sign up.

1 Like
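
The invite check suggested in the last reply, sketched as an added example (not code from the thread, Redwood, or Netlify). Assumptions: the function is deployed as a Netlify function named `identity-validate`, the request body carries the pending user under `user.email`, a non-2xx response rejects the signup, and `INVITED_EMAILS` is a hypothetical comma-separated environment variable.

```javascript
// Hypothetical file: netlify/functions/identity-validate.js
// Assumption: Netlify Identity POSTs {"event":"validate","user":{"email":...}}
// before creating the user, and any non-2xx response rejects the signup.

// Assumption: invited addresses come from a comma-separated env var.
function loadInvited(raw) {
  return new Set(
    String(raw || '')
      .split(',')
      .map((entry) => entry.trim().toLowerCase())
      .filter(Boolean)
  );
}

const deny = (statusCode, error) => ({ statusCode, body: JSON.stringify({ error }) });

// Pure decision function so the check can be tested without deploying.
function decideSignup(rawBody, invited) {
  let email;
  try {
    const payload = JSON.parse(rawBody);
    email = payload && payload.user && payload.user.email;
  } catch (err) {
    email = undefined; // malformed JSON falls through to the fail-closed branch
  }
  if (typeof email !== 'string' || email.trim() === '') {
    return deny(400, 'bad request');
  }
  // Exact match on the whole normalized address: no substring or domain
  // matching, and the same generic answer for every uninvited address.
  if (!invited.has(email.trim().toLowerCase())) {
    return deny(403, 'signup not permitted');
  }
  return { statusCode: 204 }; // allow the signup to proceed
}

async function handler(event) {
  return decideSignup(event.body, loadInvited(process.env.INVITED_EMAILS));
}

// Export for a CommonJS function bundle; skipped when loaded as an ES module.
if (typeof module !== 'undefined' && module.exports) {
  module.exports.handler = handler;
}

// Constructed sample data for local checks.
const SAMPLE_INVITED = loadInvited('alice@example.com, Bob@Example.com');
const SAMPLE_BODY = JSON.stringify({ event: 'validate', user: { email: 'BOB@example.com ' } });
```

An empty or unset invite list rejects every signup, so a missing environment variable fails closed instead of opening registration.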