Platform authentication
Last updated: Mar 2, 2026
Rationale
Authentication flows for Fluid Attacks' platform are performed by an in-house implementation. Such implementation currently supports:
- OAuth with Microsoft Azure
- OAuth with GitLab
- OAuth with Bitbucket
- Email-based OTP tokens for two-factor authentication
The main reasons why we chose it over other alternatives are:
- It allowed us to federate authentication for all users, so we did not have to store passwords or any other sensitive user information in our database.
- It allowed our clients to easily control employee access via their enterprise GitLab, Microsoft Azure or Bitbucket user directories. Once a client removed one of their employees from their user directory, access to the platform was automatically blocked for that user.
- Being a basic component of any application, the authentication module started to exist in the early days of our application.
- Our needs were simple; we did not need a complex authentication provider at the time.
- It just worked as expected.
Alternatives
As the application evolved, so did our interest in using a third-party SaaS authentication provider. Below are the ones we have reviewed, ordered from most to least interesting based on our specific needs.
Auth0
- Auth0 focuses on providing a centralized authentication platform for applications.
- It has started to cover authorization with Okta FGA.
- Its Python library is open source and supports asynchronous environments.
- It has a Terraform provider.
- It has a >99% availability SLA.
- It has a pricing model based on monthly active users (pay for what you use).
- It supports many popular compliance frameworks and certifications.
- It supports most (if not all) public identity providers.
- It supports a wide number of enterprise identity providers, allowing us to support protocols like SAML, OIDC, LDAP, Azure Active Directory, and Google Workspace, among others.
- It implements protections against bot attacks, brute force attacks, etc.
- It supports many MFA factors, including push notifications, sms notifications, one-time passwords, email notifications, and recovery codes, among others.
Auth0 was last reviewed on Jan 22, 2025.
Stytch
- Stytch focuses on providing a centralized authentication platform for applications.
- It does not provide any extra features outside of its main focus.
- Its Python library is open source and supports asynchronous environments.
- It has a Terraform provider, but it is still in beta phase.
- It has a >99% availability SLA, but only for enterprise plans.
- It has a pricing model based on monthly active users (pay for what you use) and is cheaper compared to Auth0.
- It supports many popular compliance frameworks and certifications.
- It supports the most popular public identity providers
- It lacks support for protocols like SAML, OIDC and LDAP.
- It implements protections against bot attacks, brute force attacks, etc.
- It only supports SMS notifications and one-time passwords as MFA factors.
Stytch was last reviewed on Jan 22, 2025.
AWS Cognito
- AWS is one of the most popular cloud solution providers.
- AWS provides many services, among which are cloud storage and cloud computing. In this article, we focus on AWS Cognito, an authentication solution for applications.
- Its Python library is open source, but does not support asynchronous environments. Luckily, the community has been maintaining an asynchronous fork that we currently use.
- It has a Terraform provider.
- It has a >99% availability SLA.
- It has a pricing model based on monthly active users (pay for what you use) and is cheaper compared to Auth0 and Stytch.
- It supports many popular compliance frameworks and certifications.
- It only supports Amazon, Google, Facebook and Apple as public identity providers.
- It supports SAML and OIDC.
- Generally speaking, it falls behind in terms or protections when compared to Auth0 and Stytch.
- It only supports SMS notifications, email notifications, and one-time passwords as MFA factors.
AWS Cognito was last reviewed on Jan 24, 2025.
Descope
- Descope focuses on providing a centralized authentication platform for applications.
- It does not provide any extra features outside of its main focus.
- Its Python library is open source, but does not seem to support asynchronous environments, making it not usable for us.
- It has a Terraform provider, but it is still in beta phase.
- It has a >99% availability SLA.
- It has a pricing model based on monthly active users (pay for what you use) and is cheaper compared to Auth0, but more expensive than Stytch.
- It supports many popular compliance frameworks and certifications.
- It supports the most popular public identity providers.
- It supports SAML and OIDC.
- Generally speaking, it falls behind in terms or protections when compared to Auth0 and Stytch.
- It only supports WhatsApp notifications and one-time passwords as MFA factors.
Descope was last reviewed on Jan 22, 2025.
Kinde
- Kinde focuses on providing a centralized authentication platform for applications.
- It also provides services for user management, lead generation and machine-to-machine connections.
- Its Python library is open source, but is barely supported and does not seem to support asynchronous environments, making it not usable for us.
- It does not have a Terraform provider.
- It does not provide information about SLAs.
- It has a pricing model based on monthly active users (pay for what you use) and is cheaper compared to Auth0 and Stytch.
- It supports many popular compliance frameworks and certifications.
- It supports the most popular public identity providers.
- It supports SAML and Azure OIDC.
- Generally speaking, it falls behind in terms or protections when compared to Auth0 and Stytch.
- It only supports SMS notifications, one-time passwords and email notifications as MFA factors.
Kinde was last reviewed on Jan 22, 2025.
WorkOS
- WorkOS provides SaaS solutions to requirements usually needed by enterprise applications.
- Due to its broad focus, it provides services for user management, administrative portals, authentication, and authorization, among others.
- It does not provide a Python library. Instead, it offers either an external GUI or a way to build it using an API. More information can be found in its GitHub repo.
- It does not have a Terraform provider.
- It has a >99% availability SLA.
- Its pricing model makes it free for up to 1 million users, making it the cheapest option.
- It supports many popular compliance frameworks and certifications.
- It supports the most popular public identity providers.
- It supports SAML and OIDC.
- It implements protections against bot attacks, brute force attacks, etc.
- It only supports one-time passwords as an MFA factor.
WorkOS was last reviewed on Jan 22, 2025.
Usage
We use an in-house implementation for all authentication flows at Fluid Attacks' platform.