Hey everyone! I'm in the process of standardizing our authentication across various projects and I need some advice. Currently, each of our clients has their own authentication database and unique methods for password resets and account management, and while I wasn't involved in those earlier setups, I'm tasked with developing a more unified solution moving forward.
I manage six projects right now: two on Azure, one on AWS, and three self-hosted (which might move to the cloud in the future). For the Azure projects, I've implemented the MSAL library for user logins with Microsoft accounts due to client requirements. However, for the other four, I handle custom authentication. With new clients onboarding next month, I'm eager to avoid repeating this pattern and want to transition to a more established authentication platform.
My current options are Amazon Cognito and Authentik. Cognito appears to be more feature-rich and could lessen my workload, although I've heard mixed reviews about it. On the other hand, Authentik looks appealing, but it would likely require extra engineering and maintenance since we'd be hosting it ourselves. I'm particularly curious if Cognito can handle a multi-tenant setup where each client would have their own subdomain and login page (like client1.example.com, client2.example.com) while keeping user data isolated for each tenant.
Has anyone tried implementing something like this with Cognito or compared it to Authentik in a similar context? I'd really appreciate any insights! 🙂
1 Answer
Implementing multi-tenancy with Cognito can be a bit complicated. While you can utilize Cognito's custom attributes for some aspects, true multi-tenancy requires more than just that. You need to ensure tenant isolation at the API and data storage levels, particularly if you're adopting a shared user pool method. The way you described it—where each client has their own subdomain—isn’t something that comes pre-configured, though it’s doable technically. Just be warned, it’s a significant amount of work. In a nutshell, Cognito can be reliable and cost-effective, but it doesn't work out-of-the-box for more intricate setups like yours.
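One way to enforce the per-tenant isolation the answer describes in a shared user pool, as an added example that is not code from the post or from AWS: a request-time check that binds a Cognito ID token to the tenant whose subdomain received the request. The pool issuer, hostnames, app-client ids and the `custom:tenant_id` attribute are assumptions made for this example; signature verification against the pool's JWKS is assumed to have happened already (for instance in an API Gateway Cognito authorizer).

```python
import time

# Constructed values for this example: one shared user pool, one app client per tenant.
USER_POOL_ISS = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
TENANTS = {
    "client1.example.com": {"tenant_id": "client1", "client_id": "app-client-1"},
    "client2.example.com": {"tenant_id": "client2", "client_id": "app-client-2"},
}


def resolve_tenant(host):
    """Map the request Host header to a known tenant; unknown hosts get no tenant."""
    return TENANTS.get(host.split(":")[0].lower())


def authorize(host, claims, now=None):
    """Return (allowed, reason_or_tenant_id).

    `claims` are the claims of a Cognito ID token whose signature has ALREADY been
    verified. Custom attributes such as custom:tenant_id are carried by the ID
    token, so that is the token checked here. The point of this function is to
    reject a valid token from tenant A being replayed against tenant B's API.
    """
    now = time.time() if now is None else now
    tenant = resolve_tenant(host)
    if tenant is None:
        return False, "unknown tenant host"
    if claims.get("iss") != USER_POOL_ISS:
        return False, "issuer mismatch"
    if claims.get("token_use") != "id":
        return False, "not an ID token"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    # Pin each tenant to its own app client: ID tokens carry the client id in `aud`.
    if claims.get("aud") != tenant["client_id"]:
        return False, "token issued for another tenant's app client"
    # custom:tenant_id is assumed to be set at sign-up and not writable by the user.
    if claims.get("custom:tenant_id") != tenant["tenant_id"]:
        return False, "tenant claim does not match request host"
    return True, tenant["tenant_id"]
```

The same tenant id should then scope every data-store query, so that the API layer and the storage layer agree on which tenant a request belongs to.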

Wow, that's more complex than I anticipated based on your explanation. Regarding my plan, is it feasible? We have multiple applications using identical database structures, and I'm aiming to integrate everything under AWS Cognito instead. If I drop the idea of custom auth domains for each client, could I set up Cognito with an API like auth.mycompany.com/client1 and auth.mycompany.com/client2?