HACKER Q&A
📣 aichbauer

What are problems with implementing authentication and authorization?


Hey y'all,

I would like to hear about strange problems you encountered while working on authentication and authorization (when you work on a mobile app, a web app, etc.). What are things you did not think of before implementing your system? How would you avoid such problems?

If you are using Identity and User Management Services (or probably you work there) like Auth0 (or others), why are you using it and what are you missing?


  👤 photonios Accepted Answer ✓
Auth0 solves pretty much every problem I've encountered. Which is, admittedly, not a whole lot. It's not that these are super hard problems, it's just that it often seems like a waste of time. Instead of working on authentication and authorization, I'd much rather focus on the actual functionality.

Problems I encountered:

* Normalized user profile using data from various identity providers [1].

* Passwordless login [2].

* Using custom SMS gateway for passwordless login or 2FA [3]

There are no stable, polished, feature-rich alternatives to Auth0 that are affordable. I know that's a lot to ask for, but since you're asking. Auth0 is very nice, but prohibitively expensive. There are also not a lot of maintained and stable alternatives. Pretty much the only one I am aware of is Keycloak.

[1] https://auth0.com/docs/users/normalized/auth0

[2] https://auth0.com/passwordless

[3] https://auth0.com/docs/connections/passwordless/guides/use-s...


👤 shynrou
The browser can have two cookies with the same name, with variations in path or domain, but still transmit both in an HTTP request. This causes most cookie parsers to make mistakes since they expect only one.

Also on the note of cookies, modern browsers do not delete session or stale cookies if the browser was not closed properly, e.g. the user just shuts down the system without closing the browser.
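Both of shynrou's points can be shown in a few lines. The following is an added example written for this thread, not code from any commenter or from Auth0/Keycloak: a `Cookie` header parser that keeps duplicate names instead of silently overwriting one of them (so the server can refuse an ambiguous session cookie rather than guess), and a server-side session store that enforces its own idle and absolute timeouts instead of relying on the browser to discard a session cookie. The cookie names, timeouts, users and the `FakeClock` helper are constructed for the demonstration.

```python
"""Added example (not from the thread): defensive Cookie parsing and
server-side session expiry, the two failure modes described above."""
from __future__ import annotations

import secrets
import time
from collections import defaultdict


def parse_cookie_header(header: str) -> dict[str, list[str]]:
    """Parse a Cookie request header into name -> list of values.

    A user agent may legitimately send two cookies with the same name
    (different Path or Domain scope) in one header. Keeping a list per name
    preserves that fact; a plain dict would keep only one value.
    """
    cookies: dict[str, list[str]] = defaultdict(list)
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            continue  # cookie-pair without '=' is malformed; ignore it
        cookies[name.strip()].append(value.strip())
    return dict(cookies)


def naive_parse(header: str) -> dict[str, str]:
    """The common shortcut: later duplicates overwrite earlier ones."""
    return dict(p.strip().split("=", 1) for p in header.split(";") if "=" in p)


def get_session_id(cookies: dict[str, list[str]], name: str = "session") -> str | None:
    """Return the session id only when exactly one cookie carries that name.

    Two candidates means the client is sending a stale or scoped duplicate;
    refusing is safer than picking whichever the parser happened to see last.
    """
    values = cookies.get(name, [])
    if len(values) != 1:
        return None
    return values[0]


class SessionStore:
    """In-memory session store that expires sessions on the server side.

    idle_timeout: seconds since the last request before the session dies.
    absolute_timeout: seconds since creation, regardless of activity.
    clock is injectable so the behaviour can be tested deterministically.
    """

    def __init__(self, idle_timeout: float, absolute_timeout: float, clock=time.time):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock
        self._sessions: dict[str, dict] = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness
        now = self.clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def validate(self, sid: str | None) -> str | None:
        """Return the user for a live session, or None (and evict it) if expired.

        Because expiry is checked here, a session cookie that the browser
        never deleted (machine shut down without closing the browser) is
        still useless once the server-side limits have passed.
        """
        if sid is None:
            return None
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self.clock()
        if (now - session["created"] > self.absolute_timeout
                or now - session["last_seen"] > self.idle_timeout):
            del self._sessions[sid]
            return None
        session["last_seen"] = now
        return session["user"]


class FakeClock:
    """Constructed helper: a clock the caller can advance by hand."""

    def __init__(self, start: float = 1000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    header = "session=abc; theme=dark; session=xyz"  # constructed request header
    print(naive_parse(header))          # session silently becomes 'xyz'
    print(parse_cookie_header(header))  # both values survive
    print(get_session_id(parse_cookie_header(header)))  # None: ambiguous
```

`naive_parse` is included only to make the overwrite visible; the point is that a parser should surface the duplicate so the application can decide what to do (here: treat it as no session). The store's `validate` is the only place expiry is decided, so cookie lifetime on the client is irrelevant to how long a session stays usable.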