I've been assigned to a new project at my company and they told me I have 100% freedom on the tech I can use to create a new SSO (Single Sign-On) solution for many websites that we manage. It's kind of a baby step towards building a pseudo social network with our websites.
My rationale here is that while I'm pretty familiarised with PHP and its whole stack (nginx, MariaDB, etc), I'm curious about the performance "risks" it has.
I'm currently looking for comparisons between NodeJS and PHP, specifically concurrency benchmarks, because we're expecting to have lots of traffic. I know some ways to handle this in PHP, but I'm not a NodeJS developer; this would be my first project.
I'm also aware that other languages such as Go can handle high amounts of concurrency easily, but I'm new on that front as well.
So what would you do? Code in the language you're familiar with, or take the high road and learn another one for the sake of the project's longevity and better performance?
I'm not totally sure what it would take to build this SSO but the Node ecosystem strikes me as more tuned for this sort of thing. Could your solution be backed by a third party like Auth0? Certainly seems worth checking out.
I also get the feeling that AWS Lambda's authorization might fit.
I haven't used any of these myself but they come to mind based on previous research. Anyway, I'm kind of just feeling around based on my gut about some of the problems you might be facing. If it seems like I'm way off base, I probably am.
Good luck either way.
Being honest with you, this is the first time I'm developing such a feature, so I'm very new to these concepts as well, I'm doing my research right now.
I'll check out Auth0 and see if it could be a good fit. I've also heard good things about AWS Lambda.
Thanks!
Cool, I usually spend time telling people why not to use Lambda because many want to use it purely for novelty, but depending on your needs it could be a decent route to check out for this project.
Roberto, a word of advice. Don't build one. I went through this at a job already. I received a code base from a contractor that was supposedly ready to go to prod (spoiler, it wasn't) for a custom SSO solution (SAML, WSFed...). Eventually, it went to prod, but there were always little tweaks and maintenance. In the end, we convinced our client to buy a commercial solution, which included support, and they were great when I had to work on some custom stuff to integrate into it.
Unless your specialty is Identity Access Management, go with an off-the-shelf solution. If you need OAuth, go with Auth0. I mean, they actually wrote the book on JWT.
Having said that, it's still good to understand these technologies. As well, to my initial point, the off-the-shelf solution will have already solved all the edge cases that you'd probably run into. And new ones that crop up will be treated by their support team while you focus on what's important: building your product.
Thanks a lot for the advice, Nick! I'm actually really scared of not knowing enough about this because I don't want to debug things in a live environment with angry people up my neck. And I'm definitely not an IAM specialist XD.
As you said, I'll still try to learn about the underlying technology, but I'll try to pitch the idea of getting an off-the-shelf service instead of building one, and see how that goes.
If I get told to build one still, then well, I'll have to put on my Indiana Jones hat I guess.
Hi Roberto,
I wouldn't build an SSO from scratch myself; every time I see stuff like SAML it reminds me of the SOAP days and I want to die slowly. OK, I'm joking, but not completely joking :D
What requisites do you have? Do you need to integrate with existing solutions? Do you need to support third parties like Facebook, Twitter or whatever authentication?
Should it be self-hosted, or can you just "buy one" as others have suggested?
I would have a look at auth0.com/ and developer.okta.com/ for example.
I would also have a look at the possibility to delegate authentication to an API proxy putting that in front of each app.
Like using Kong as a proxy and interfacing it with OAuth2 and/or JWT (it also supports Auth0): getkong.org/plugins/jwt/#using-the...
Hi Rhymes!
I totally get you, building SOAP also makes me want to die slowly a bit.
I need to implement an SSO to a bunch of websites we have across the company. My contractor wants to eventually build some kind of social network where everything is aggregated, so they want a service to create custom accounts (imagine a 'Sign Up with your AwesomeAccount!') where all the user activity gets logged (like, if someone comments on a post, etc.) so we can later add it to a Dashboard or something. It's basically phase-1.
I'll be checking out each off-the-shelf solution and see which one fits.
Thanks for the advice!
Hey @roberto, did you finally make it work?
because I'm struggling with the same thing here