New to SaaS Application Building
Hey all, I'm curious what people do surrounding authentication/authorization for SaaS apps. I'm new to the arena and wondering what the different solutions are. So if I intend to deploy an application across multiple tenants who have their own IdP (e.g. Azure, AWS, GCP, Logto, etc.) that I want my app to interface with, what Better Auth plugin should I be using? Organization? OIDC? SSO? A hybrid mix?
If I hook up to their IdP, then I need a way to map their IdP defined roles to the app roles that my application will define. How do people typically manage that IdP configuration for the app and IdP role to app role mapping? At deploy time? Runtime check with some administrative UI pages built into the application?
Sorry if these are dumb questions, but curious to get insight as I'm trying to build a scalable SaaS app.
8 Replies
I would first read through the concepts pages to understand how better auth handles the authentication flows.
You might not need a plugin at all. Depending on the data, you can use the social providers/custom OAuth and the mapProfileToUser.
https://www.better-auth.com/docs/concepts/oauth
If your tenants are acting as their own identity provider you can use the custom OAuth Plugin to integrate with their system as long as you have the ability to register an app/ client secret with them
Can you expand on that last point of registering a clientId / secret with them? Would they provide that info to me and I would have to store it in my own DB for reference?
I was thinking also of having a single deployment for the app and at runtime configure the OAuth / OIDC settings for the given tenant deployment of my app via some administrative page.
Not sure if that makes sense to do though
The only way to have your application be used with an OIDC provider is if you register an app with your tenant. You'll also pick permissions for your app to request when they log in, etc. This is done in their OIDC system, and it's where you get your client ID and secret.
As far as handling the settings at runtime, currently better-auth is not really designed to do that. It needs to know the configuration of each service at module load time to open the proper routes, etc. It's not exactly designed to be dynamic (it might be possible with custom plugins, I am not sure).
But if you configure more OAuth providers you would need to restart the auth server. Then, when calling login from the client, it passes the provider (each of your tenants) to the server, and the server would know which OAuth flow to route through.
I have a similar use case where I would like to make it dynamic, so I'm planning to comb through the code at some point and possibly make a plugin to allow dynamic configuration from a DB table if it's not too complicated. For now, deployments just happen at midnight when barely anyone is accessing auth.
I was thinking of achieving that dynamism, whereby when I onboard a new tenant and deploy an instance of the app with their subdomain defined, they would first have to go through an IdP configuration page (if no IdP configuration details exist for them) and input things like their clientId and secret. They would input that info themselves so I wouldn't see it, and then it would be securely stored as a DB record with the sensitive stuff encrypted. The app would just consume that info at runtime to configure and present the proper IdP auth flow via something like oidc-client-ts instead of doing OIDC through Better Auth.
GitHub - authts/oidc-client-ts: OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript applications
Not sure if that would add friction with Better Auth as it may not be the "idiomatic" Better Auth way of doing this kind of dynamic flow
@bekacru do you have any feedback on this dynamic OIDC approach? Or am I way off with this mental model?
You should use the SSO plugin.
Though currently it only supports OAuth or OpenID providers.
That's fine to start -- hopefully SAML support comes in the future.
Just to make sure I'm on the same page -- I can use the SSO plugin to dynamically register a tenant's IdP setup, yeah? The workflow I was thinking is: I send the admin of some newly onboarded tenant a secure link to a one-time IdP setup page within my SaaS application that would call the authClient.sso.register interface after they're done inputting the information. Once that info is stored, they can then SSO login through their own subdomain portal, tenant.myapp.com, and I would just use their previously provided IdP configuration to log them in.
@bekacru any thoughts on the above? Just want to make sure I was following your thoughts to some extent.
yeah this seems the right model
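The two things the thread keeps circling back to are the questioner's per-tenant IdP record (clientId and secret stored encrypted, consumed at runtime) and the onboarding workflow above (a one-time setup page, then login through tenant.myapp.com). The block below is an added example, not code from the thread, from Better Auth or from its SSO plugin, showing the security properties such a registry needs regardless of which library drives the flow: the client secret is encrypted at rest with AES-256-GCM, the tenant is resolved from the Host header rather than a user-supplied parameter, the authorization request uses PKCE and a state value bound to the tenant, the callback refuses a state or tenant that does not match, and IdP group/role claims are mapped to app roles per tenant (the mapping question from the opening post). Everything here is assumed: the record field names, the in-memory Map standing in for the DB table, the randomly generated MASTER_KEY standing in for a KMS-held key, and the sample tenant values.

```typescript
import { createCipheriv, createDecipheriv, createHash, randomBytes } from "node:crypto";

// Hypothetical per-tenant IdP record (field names are assumptions, not Better Auth's schema).
interface TenantIdp {
  subdomain: string;            // tenant label under the SaaS base domain, e.g. "acme"
  issuer: string;               // OIDC issuer the tenant entered on the setup page
  clientId: string;
  encryptedClientSecret: string; // "iv.tag.ciphertext", each base64url
  authorizationEndpoint: string;
  tokenEndpoint: string;
  roleMap: Record<string, string>; // IdP group/role claim value -> app role
}

// Demo-only key, generated per process. In production it comes from a KMS or secret
// manager, never from the same database that holds the encrypted records.
const MASTER_KEY: Buffer = randomBytes(32);

function b64url(buf: Buffer): string {
  return buf.toString("base64url");
}

// AES-256-GCM with a fresh 96-bit IV per secret; the tag authenticates the ciphertext.
export function encryptSecret(plain: string, key: Buffer = MASTER_KEY): string {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plain, "utf8"), cipher.final()]);
  return [b64url(iv), b64url(cipher.getAuthTag()), b64url(ct)].join(".");
}

export function decryptSecret(blob: string, key: Buffer = MASTER_KEY): string {
  const [iv, tag, ct] = blob.split(".").map((p) => Buffer.from(p, "base64url"));
  const d = createDecipheriv("aes-256-gcm", key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString("utf8"); // throws if tampered
}

// In-memory stand-in for the DB table the thread describes.
const tenants = new Map<string, TenantIdp>();

// Called once from the one-time setup page; the plaintext secret is never stored.
export function registerTenantIdp(
  input: Omit<TenantIdp, "encryptedClientSecret"> & { clientSecret: string },
): void {
  const { clientSecret, ...rest } = input;
  if (!rest.issuer.startsWith("https://")) throw new Error("issuer must be https");
  tenants.set(rest.subdomain, { ...rest, encryptedClientSecret: encryptSecret(clientSecret) });
}

// Resolve the tenant from the Host header only: the first DNS label under the base
// domain, validated, never a query parameter an attacker could point at another tenant.
export function tenantFromHost(host: string, baseDomain: string): TenantIdp {
  const h = host.toLowerCase().split(":")[0];
  if (!h.endsWith("." + baseDomain)) throw new Error("unknown host");
  const sub = h.slice(0, -(baseDomain.length + 1));
  if (!/^[a-z0-9-]+$/.test(sub)) throw new Error("bad subdomain");
  const t = tenants.get(sub);
  if (!t) throw new Error("tenant has no IdP configured");
  return t;
}

// Builds the authorization request with PKCE (S256); state and verifier are kept
// server-side together with the tenant they were issued for.
export function buildAuthorizeRequest(t: TenantIdp, redirectUri: string) {
  const verifier = b64url(randomBytes(32));
  const challenge = b64url(createHash("sha256").update(verifier).digest());
  const state = b64url(randomBytes(16));
  const nonce = b64url(randomBytes(16));
  const url = new URL(t.authorizationEndpoint);
  url.search = new URLSearchParams({
    response_type: "code", client_id: t.clientId, redirect_uri: redirectUri,
    scope: "openid profile email", state, nonce,
    code_challenge: challenge, code_challenge_method: "S256",
  }).toString();
  return { url: url.toString(), state, nonce, verifier, tenant: t.subdomain };
}

// Validates the redirect back and prepares the token request body (no network call here).
// The secret is decrypted only at this point and only for the matching tenant.
export function buildTokenRequest(
  pending: ReturnType<typeof buildAuthorizeRequest>, host: string, baseDomain: string,
  returnedState: string, code: string, redirectUri: string,
): { url: string; body: string } {
  const t = tenantFromHost(host, baseDomain);
  if (t.subdomain !== pending.tenant || returnedState !== pending.state) {
    throw new Error("state or tenant mismatch"); // CSRF / cross-tenant confusion
  }
  const body = new URLSearchParams({
    grant_type: "authorization_code", code, redirect_uri: redirectUri,
    client_id: t.clientId, client_secret: decryptSecret(t.encryptedClientSecret),
    code_verifier: pending.verifier,
  }).toString();
  return { url: t.tokenEndpoint, body };
}

// Maps the IdP's group/role claim values onto app roles; anything unmapped is dropped,
// so a tenant's IdP cannot grant an app role the tenant never configured.
export function mapRoles(t: TenantIdp, idpRoles: string[]): string[] {
  const out = new Set<string>();
  for (const r of idpRoles) { const m = t.roleMap[r]; if (m) out.add(m); }
  return [...out];
}
```

After the token exchange the ID token still has to be verified against the tenant's issuer and JWKS, and the nonce returned in the `pending` object compared with the token's nonce claim; that part is left to whatever OIDC client (the SSO plugin, oidc-client-ts, or a JOSE library) sits in front of this registry.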