Skip to main content

Authentication & Authorization: From Homegrown to Auth0

January 18, 2025By Steve Winter8 min read
...
wardley-maps

Strategic mapping of identity and access management evolution. When to build, when to buy, and how to avoid the security nightmare of rolling your own auth.

securityauthenticationidentityaccess-control

Legend

Component
High Inertia
Dependency
Annotation

The Auth Decision Every CTO Faces

"Should we build our own authentication system or use Auth0?"

This question appears simple but carries massive risk. Get it wrong and you'll either:

  • Build too much: Waste 6-12 months reinventing OAuth while competitors ship features
  • Buy too much: Pay $50K/year for features you could have built in a sprint

This Wardley map shows you exactly where to draw the line.

The Critical Insight

Authentication ≠ Authorization

They're often confused, but they occupy different evolution stages:

  • Authentication ("Who are you?"): Highly evolved, commodity solutions exist
  • Authorization ("What can you do?"): Still custom, domain-specific, competitive advantage

Mix these up and you'll either build what you should buy or buy what you should build.

Reading the Map

The Access Control Value Chain

High Visibility (What users see):

  • User Access (0.95) - The login experience
  • Single Sign-On (0.90) - "Sign in with Google"
  • Multi-Factor Auth (0.85) - 2FA, authenticator apps
  • Session Management (0.80) - Staying logged in

Infrastructure (What users don't see):

  • Password Hashing (0.35) - Storing credentials safely
  • Token Generation (0.40) - JWT creation
  • User Directory (0.45) - Where user data lives
  • Policy Definition (0.30) - Access rules

Evolution Insights

Commodity (75-100%): Never Build

  • Password Hashing (0.95) - Use bcrypt/Argon2, don't invent crypto
  • User Directory (0.90) - LDAP/AD are standard
  • SAML/OIDC (0.85) - Standard protocols, use libraries
  • Token Generation (0.85) - JWT libraries exist everywhere
  • Identity Provider (0.80) - Okta, Azure AD, Google

Product (50-75%): Buy or Use Open Source

  • Session Management (0.75) - Lots of libraries, pick one
  • Multi-Factor Auth (0.70) - Authy, Duo, Google Authenticator
  • Single Sign-On (0.65) - Auth0, Keycloak, Cognito
  • Role-Based Access (0.65) - Products exist but may not fit

Custom (25-50%): Build Here

  • Authorization Service (0.55) - Domain-specific logic
  • Policy Engine (0.45) - OPA is good, but policies are yours
  • Policy Definition (0.40) - Only you know your access rules

Genesis (0-25%): Kill Immediately

  • Custom Auth Code (0.10) - See that warning marker? That's you.

Strategic Decisions

Decision 1: Authentication - Always Buy

Authentication is at 0.60 evolution - firmly in the "Product" phase. There are mature, battle-tested solutions. Building your own is malpractice.

Use these:

  • B2C (consumers): Auth0, Firebase Auth, Cognito, Clerk
  • B2B (enterprises): Okta, Azure AD B2C, WorkOS
  • Open Source: Keycloak, SuperTokens, Ory

Cost:

  • Auth0: $0.023/user/month (first 7K free)
  • Cognito: $0.0055/user/month
  • Keycloak: Free (but operational costs)

Never build:

  • Password storage and validation
  • OAuth/OIDC flows
  • Token refresh logic
  • Password reset flows
  • MFA enrollment

Decision 2: Authorization - Probably Build

Authorization is at 0.55 evolution - still in "Product" but moving toward commodity. This is where you have options.

When to build:

  • Complex permission models (hierarchical teams, resource-level permissions)
  • Fine-grained access control (field-level, row-level security)
  • Domain-specific rules ("managers can approve up to $10K")
  • High-performance requirements (sub-millisecond checks)

When to buy:

  • Simple RBAC (admin/user/guest)
  • Standard patterns (workspace ownership, team sharing)
  • Enterprise features (audit logs, compliance)

Good products:

  • Open Source: Open Policy Agent (OPA), OSO, Permify
  • SaaS: Authzed (Zanzibar-based), Warrant, Cerbos
  • Platform-specific: AWS IAM, GCP IAM, Azure RBAC

Decision 3: The "Custom Auth Code" Emergency

If you have that red node at (0.75, 0.10), you're sitting on a security time bomb.

Why it's dangerous:

  • Rolling your own crypto = inevitable breaches
  • Password reset flows = account takeovers
  • Session management = CSRF, XSS, session fixation
  • Token handling = replay attacks, token theft

Migration plan:

  1. Week 1: Set up Auth0/Cognito
  2. Week 2-3: Implement new auth, run in parallel
  3. Week 4: Migrate users (keep password hashes, re-auth on first login)
  4. Week 5: Switch traffic, monitor
  5. Week 6: Sunset custom code, sleep better

Dependency Analysis

Critical Path: Login Flow

User Access → SSO → Identity Provider → User Directory

Key insight: Your login experience depends on a commodity (Identity Provider). This is good! Means you can upgrade Identity Providers without changing your app.

Best practice: Abstract the identity provider behind your own interface. Use Auth0 today, swap to Cognito tomorrow.

Critical Path: Permission Checks

User Access → Role-Based Access → Authorization Service → Policy Engine → Policy Definition

Key insight: Authorization depends on your custom policy definitions. This is your moat.

Best practice: Separate policy definition (YAML, Rego, Cedar) from policy enforcement (OPA, your service). This lets you change rules without deploying code.

Common Patterns

Pattern 1: The "Auth Sandwich"

┌─────────────────┐
│   Your App      │
├─────────────────┤
│  Auth0 (AuthN)  │ ← Buy this
├─────────────────┤
│  OPA (AuthZ)    │ ← Build policies, use OPA for enforcement
├─────────────────┤
│  Your Database  │
└─────────────────┘

This is the ideal architecture:

  • Buy authentication (Auth0, Cognito)
  • Use open source policy engine (OPA)
  • Build your own policies and authorization logic

Pattern 2: The "Full Stack Buy"

┌─────────────────┐
│   Your App      │
├─────────────────┤
│  WorkOS         │ ← Buy everything
└─────────────────┘

For B2B SaaS with standard patterns:

  • WorkOS, Clerk, or Stytch handle both authentication and authorization
  • Good for startups, simple RBAC, standard enterprise features
  • Trade flexibility for velocity

Pattern 3: The "Enterprise SSO"

┌──────────────────┐
│   Your App       │
├──────────────────┤
│   SAML/OIDC      │ ← Protocol (commodity)
├──────────────────┤
│  Okta/Azure AD   │ ← Customer's identity provider
└──────────────────┘

For enterprise customers:

  • They bring their own identity provider (Okta, Azure AD, Google Workspace)
  • You implement SAML or OIDC (use libraries, don't build)
  • Critical for enterprise sales ($100K+ deals)

Cost Analysis

Authentication Costs

Auth0:

  • 0-7,000 users: Free
  • 7K-100K: $228/month ($0.023/user)
  • 100K-500K: $1,150/month
  • Enterprise: Custom (usually $50K-200K/year)

AWS Cognito:

  • 50,000 MAU free tier
  • $0.0055/MAU after
  • Cheaper but less features than Auth0

Roll Your Own:

  • Engineering time: 3-6 months ($150K-300K loaded cost)
  • Ongoing maintenance: 0.5-1 FTE ($75K-150K/year)
  • Security incidents: $$$$ (average breach costs $4.35M)

Verdict: Auth0/Cognito pay for themselves in avoided engineering time and reduced security risk.

Authorization Costs

Open Policy Agent:

  • Free (open source)
  • Operational costs: ~$5K-20K/year (hosting, monitoring)
  • Engineering: 2-4 weeks initial, ongoing policy updates

Authzed/Warrant/Cerbos:

  • $500-2000/month for under 100K users
  • Enterprise: $20K-100K/year

Roll Your Own:

  • Engineering time: 1-3 months ($50K-150K)
  • Ongoing: Policy updates as features ship
  • Flexibility: High (it's your code)

Verdict: Start with OPA + custom policies. Consider SaaS if you need Zanzibar-style scale or want to offload operational burden.

Security Considerations

What Not to Build

Never implement these yourself:

  1. Password hashing: Use bcrypt with cost factor 12+ or Argon2
  2. Token signing: Use industry-standard JWT libraries
  3. OAuth flows: Use Auth0/Cognito, don't parse OAuth specs
  4. Password reset: Use magic links from auth providers
  5. MFA enrollment: Use Authy/Duo, don't roll your own TOTP

What to Control

You should own:

  1. Authorization logic: Who can access what resources
  2. Audit logging: Track all permission checks
  3. Policy definitions: Document access rules
  4. User-to-role mapping: How users get permissions

Movement Recommendations

Immediate (Next 30 Days)

  1. Audit custom auth code: If you have any, plan migration
  2. Set up Auth0/Cognito: Get off custom authentication
  3. Document authorization rules: Write down who can do what
  4. Add MFA: Enable for all admin accounts

Short-Term (Next 6 Months)

  1. Implement RBAC: Define roles, assign permissions
  2. Add enterprise SSO: SAML/OIDC for enterprise customers
  3. Policy as code: Move authorization rules to OPA/Cedar
  4. Audit logging: Track all access decisions

Long-Term (12+ Months)

  1. Fine-grained permissions: Resource-level, field-level access
  2. Attribute-based access control: Context-aware permissions
  3. Zero-trust architecture: Verify every request
  4. Compliance automation: SOC2, GDPR, HIPAA controls

How to Use This Map

  1. Identify your position: Where are you today on auth/authz?
  2. Find the danger zone: If you have custom auth code, migrate ASAP
  3. Draw the buy line: Authentication = buy, Authorization = probably build
  4. Plan your migration: 30-60 days to Auth0, 60-90 days to proper authz
  5. Review quarterly: Auth landscape evolves (passkeys, WebAuthn, etc.)

The goal isn't perfect identity management. It's secure-enough access control that doesn't slow you down and doesn't get you breached.

Further Reading