Should you pick Cognito User Pool or Auth0?

A brief view toward two cloud authentication systems

Authentication and authorization system is central in enterprise products. With the proliferation of SaaS products in the cloud, I would say one of the key architecture skill-set nowadays to build an SaaS applications is to pick the right authentication (AuthN) and authorization (AuthZ) stack and use them in the right way according to your specific use cases. Since this newsletter is for engineers to relate their past knowledge to building applications on cloud, I felt this may be a good topic to write.

If you read my previous article in this newsletter, you probably already know the role of Cognito User Pool (CUP) in the AuthN and AuthZ workflow, which could serves 3 functionalities — it is a user catalog, it is an IdP, and it can ‘federate’ other IdPs.

Auth0 can serve the above functionalities as well. And when we use enterprise products, we often see Auth0 as the authentication system. Given that Cognito User Pool is an AWS native solution as cloud authentication service, and given that Auth0 is a popular cloud authentication service in enterprise space, it is a natural question to ask, which one should I pick?

Auth0 has out-of-box capabilities that Cognito User Pool does not support

To be honest, before AWS released its amplify-js library (which I talked about in another article in this newsletter), using Cognito User Pool as the authentication solution to fulfill the above 3 functionalities was not as convenient as using Auth0; and even as of today, for a lot of enterprise use cases, Auth0 may still be much easier to get out-of-box features that your application needs than Cognito User Pool. For example, if you want to retrieve your user’s refresh_token from their social IdP in your SaaS, Auth0 supports it out-of-box, yet it is not a supported feature in Cognito User Pool — and this single feature may be a deal breaker for the SaaS builders.

Cognito User Pool: amplify made it almost trivial to get started

The easiness of using Cognito User Pool as the authentication building block for an SaaS (or consumer) application has greatly improved, with the open source library amplify (if you are a starter, please read my previous article talking about the different role of amplify-js and amplify-cli). For us who follow the amplify starter tutorial, it almost takes no time to build the authentication solution with Cognito User Pool.

The key difference we may want to pay attention

Cognito User Pool could be very cost effective: the first 50,000 monthly active user (MAU) is free, comparing to 7,000 active user for Auth0;

Auth0 provides some features that Cognito User Pool does not offer: for example, as a developer tool, the “Try Connection” on Auth0 console is convenient for us to verify if our social login integration has been properly setup;

Setting up Cognito User Pool in the application is almost out-of-box with amplify: AWS amplify-js together with amplify-cli has made the authentication system setup almost out-of-box.

Cognito User Pool comes with some native AWS service integrations: for example, there exists an API-Gateway authorizer, Cognito User Pool authorizer, if your authorization strategy does not need to be super complex / advanced.

Conclusion:

When people compare Cognito vs. Auth0, it’s a bit misleading because they are really comparing Cognito User Pool to Auth0, hopefully this article together with my previous one clarifies that.

Auth0 still offers features that Cognito User Pool can’t provide (as of 1/11/2021), such as retrieving and storing the refresh_token from the social login in the user catalog.

Cognito User Pool is cost effective and comes with some very convenient out-of-box integration with other AWS services.

Comments

[Bob V]

Could you explain a bit why the refresh_token feature of Auth0 is important? Is it a deal breaker if I choose to go with cognito for use with appsync? Thank you