Making an informed decision on our Auth workflow
Hi everyone, new here and I hope this belongs in this channel.
I am working on a startup and considering scaffolding our B2C project with T3. I have used most of these technologies extensively in the past but I am unsure about the Auth workflow. I have never used NextAuth and while I realize it would be easy to opt out, I am afraid we would miss out on what seems to be an amazing DX with Next.
I am used to having fully external identity providers in my applications, and I like the idea of not storing user/account information or sessions ourselves for some reason. I would usually rely on an authorization header on my server and simply validate a token with the identity provider before populating the tRPC context with some internal user data.
I realize NextAuth could still allow us to have a single external provider that supports other third-party federated logins (e.g. Auth0, Firebase, Clerk) if we wanted to, but to me it looks like an anti-pattern (e.g. having only the Auth0 provider without DB adapters, or maybe with a custom connection to their own credential store).
I am also aware of the benefits of running our own auth server including an easy HTTP-only cookie-based session management out of the box when using adapters.
However, we would like to support email/password credentials, and I am just slightly worried that implementing a custom credential workflow with NextAuth would not be the most idiomatic choice based on this: https://next-auth.js.org/faq, and that it might leave us with a scattered authentication flow.
Maybe I am just too cautious about the T3 approach using the Prisma adapter on a self-hosted database for no good reason. Is there anything I could read about in order to make a more informed decision? What is your opinion about email/password credentials in 2023?
In any case, thank you for your time if you read through all of this, and to Theo and the T3 team for the great work and content creation.
Best,
Andrea
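The "external identity provider" pattern the post describes (validate the bearer token from the Authorization header, then populate the tRPC context with internal user data) in runnable form. This is an added example and is not code from the post, from NextAuth or from the T3 project. To run offline it simulates the identity provider with an HS256 JWT verified against a constructed shared secret (a real IdP would usually sign with RS256 and publish a JWKS, but the checks performed are the same); `Context`, `createContext`, `ISSUER`, `AUDIENCE` and `SHARED_SECRET` are hypothetical names chosen for the example.

```typescript
// Added example: bearer-token validation feeding a tRPC-style request context.
// The IdP is simulated with HS256 and a shared secret so the example runs offline.
import { createHmac, timingSafeEqual } from "node:crypto";

// Hypothetical shape of the context a tRPC router would receive.
export interface Context {
  user: { id: string; email: string } | null;
}

// Constructed configuration standing in for the identity provider's values.
export const ISSUER = "https://idp.example.test/";
export const AUDIENCE = "example-api";
export const SHARED_SECRET = "constructed-demo-secret-do-not-reuse";

function b64url(input: string): string {
  return Buffer.from(input).toString("base64url");
}

// Decode a base64url JSON segment into an object, or null on any failure.
function parseSegment(seg: string): Record<string, unknown> | null {
  try {
    const v = JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
    return v && typeof v === "object" && !Array.isArray(v) ? v : null;
  } catch {
    return null;
  }
}

// Mint a token the way the simulated IdP would (only so the example is self-contained).
export function mintToken(claims: Record<string, unknown>, secret = SHARED_SECRET): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify(claims));
  const sig = createHmac("sha256", secret).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${sig}`;
}

// Verify signature and the standard claims. Returns the claims or null; it never
// throws on malformed input, so a bad header cannot crash request handling.
export function verifyToken(
  token: string,
  now: number = Math.floor(Date.now() / 1000),
  secret = SHARED_SECRET,
): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  const hdr = parseSegment(header);
  // Pin the algorithm server-side; never let the token choose it ("none", alg swap).
  if (!hdr || hdr.alg !== "HS256") return null;
  const expected = createHmac("sha256", secret).update(`${header}.${payload}`).digest();
  const given = Buffer.from(sig, "base64url");
  // Constant-time comparison; length check first because timingSafeEqual requires it.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = parseSegment(payload);
  if (!claims) return null;
  if (claims.iss !== ISSUER || claims.aud !== AUDIENCE) return null;
  if (typeof claims.exp !== "number" || claims.exp <= now) return null;
  return claims;
}

// Build the request context from the incoming headers, as a tRPC createContext
// would. Anything that fails verification yields an anonymous context rather than an error.
export function createContext(headers: Record<string, string | undefined>, now?: number): Context {
  const auth = headers["authorization"] ?? "";
  const m = /^Bearer\s+(\S+)$/i.exec(auth);
  if (!m) return { user: null };
  const claims = verifyToken(m[1], now);
  if (!claims || typeof claims.sub !== "string" || typeof claims.email !== "string") {
    return { user: null };
  }
  // Only data derived from verified claims enters the context.
  return { user: { id: claims.sub, email: claims.email } };
}
```

Procedures that need a signed-in user then check `ctx.user !== null` in a tRPC middleware; the context builder itself stays permissive so public procedures keep working, and every rejection reason (bad algorithm, bad signature, wrong issuer or audience, expired) collapses to the same anonymous result so the response does not leak which check failed.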