What are the upcoming auth changes?

Is there a topic or PR I can read to under what is upcoming when the tutorial and other docs mention how redwood will “handle auth”. Would like to understand how it compares to Go-TrueAuth.

1 Like

Hi @viperfx :wave:.

RedwoodJS supports the GoTrue library and as well as Supabase which uses GoTrue.

Redwood itself is not “implementing” or building an authentication service, but instead it supports several major, widely used Authentication services and its clients (Auth0, Magic, Firebase, Netlify Identity, Supabase, GoTrue, etc.)

People are currently working on adding more providers to Firebase (and I think that will be in the next release so can use Firebase for Google, GitHub, Facebook, Apple etc :point_right: @danny ) and @jeliasson is working on an Azure ActiveDirectory provider.

Best place to look is in the docs and Roadmap and then in GitHub issues for those tagged with the auth topic.

1 Like

Got it ok. So, the reason I asked is because the docs seemed to suggest something new is coming related to Authorization and auth.

See this text from https://redwoodjs.com/tutorial/authentication

If you inspect the contents of currentUser you’ll see it contains an array called roles . On the Netlify Identity dashboard you can give your user a collection of roles, which are just strings like “admin” or “guest”. Using this array of roles you could create a very rudimentary role-based authentication system. Unless you are in dire need of this simple role checking, we recommend waiting for the Redwood solution, coming soon!

So I was concerned I would implement a solution I liked with GoTrue, but it get deprecated or not the recommended way of doing things in near future.

1 Like

Ah, I see.

Guess what :slight_smile: I worked on that implementation and there’s a cookbook now for RBAC that walks through how it works.

I’ve used it both in using Netlify Identity (which is GoTrue under covers) and Auth0.


Oh awesome. I followed the Netlify Identity steps inside the tutorial, and actually about to rewrite it to go over the steps in https://redwoodjs.com/cookbook/gotrue-auth so I can have more control over the UI and logic.

Would your RBAC cookbook work well if I follow it after doing the gotrue auth steps?

Should the wording in the tutorial be changed?

1 Like

I know I was a little confused recently when looking at all the different authentication/authorization options available and I’ve been following this stuff for months, so I would say a definite yes to making the current state of auth more clear.

1 Like

Maybe we should approach the docs from a use case perspective rather than an options perspective.

For example, not that there is Auth0 and Magic and Firebase (with Facebook) or Netlify with Github or Firebase with Github … which is downright perplexing. … but rather:

I want to give my users a passwordless login

  • Auth supports that, here’s how
  • Magic supports that

I want to have my users login with GitHub

  • Auth0 can
  • Netlify Identity can
  • Supabase can (once upgraded to its 1.0 client)

I want role access built in

  • Netlify Identity can
  • Auth0 can
  • Magic can’t etc

Something like that?


I really like that, for me the confusion between authentication and authorization was part of my problem so I think this solution would help me out for sure.

Especially if you don’t have any prior familiarity with these different solutions it’s not very helpful to just see a list of them.

1 Like

I like the use case approach. Maybe there could be a matrix over the use cases, like the awesome work done in the RBAC cookbook? This would allow continue the use of option based (as I guess the Authentication providers will grow) while still have dedicated sections. Heck, it might even be worth separate the authentication providers into separate pages.

1 Like

Hey @dthyresson, the cookbook you linked above (https://redwoodjs.com/cookbook/gotrue-auth) mentions an advanced version that covers email confirmation coming soon - do you know if this is still in the works? I’m a little stuck on what to do about email invitations using Netlify identity.

Our first iteration won’t include features like Email Confirmation or Password Recovery. Those, among other features, will be covered in the Advanced Concepts section of this recipe (coming soon).

If you want to go with a GoTrue based auth provider and have more control over emails, I’d suggest looking at Supabase:

You get a Postgres database and auth – with email verification, reset etc.

I think the cookbook saying

Our first iteration won't include features like Email Confirmation or Password Recovery. Those, among other features, will be covered in the Advanced Concepts section of this recipe (coming soon).

Are still TBD.

Implementing the email send, receive, confirmation, verification, and password reset involves a suite of non-trivial functions and services (email providers, email templates) and such that – for the moment – are instead very well served (in my opinion) by Supabase, Magic, Auth0, Netlify etc.

I believe that Netlify allows this manually up to a certain number via their management console.

I know you can do something somewhat similar in Auth0 via rules to whitelist a series of emails – and only allow those to login or sign up – and then you can email those people to sign up.

You could even do something similar in Netlify by using the indentity-validate trigger function:

and then check a list of “invited” users and only allow those to sign up.

1 Like