We are in the process of developing a SaaS application with an offline-first approach. Our technology stack comprises NestJS (Node.js), GraphQL, and Vue.js (Single Page Application). We're currently grappling with an authentication conundrum that has been a roadblock in our progress.
We initially tried implementing Keycloak, but it seemed that we spent more time configuring new providers than actually making progress on our application. We've considered Firebase, but due to our startup constraints and budget limitations, we find it unsuitable at this time.
Our application is designed to support multiple authentication providers including Google, Facebook, and OTP email verification. This functionality has been implemented using Passport and NestJS modules. As it stands, we're utilizing JWT for both authentication and refresh tokens, which required us to manually implement the mechanics for token refresh on our UI after rewriting the axios-auth-refresh library.
In the light of our experiences and the current technology landscape, we're seeking advice on the best approach to implement authentication in our scenario. Is the OIDC approach the recommended standard today, or would continuing with a JWT-based token system suffice?
We welcome any guidance or suggestions regarding current best practices for authentication in a similar tech stack.
Thank you in advance for your assistance.
JWT token authentication and Auth/Refresh token approach for our SaaS application worked well. While we explored various authentication options, we found that the JWT-based system provided the simplicity and flexibility we needed for our tech stack, which includes NestJS, GraphQL, and Vue.js in an offline-first context.
To implement this, we had to develop some custom logic, but we used axios-auth-refresh as a helpful boilerplate for handling token refresh. This allowed us to efficiently manage token expiration and maintain user sessions within our Vue.js SPA. Final result could be checked in Revosheets.