Understanding the context
When it comes to customer identity and access management (CIAM), notifying customers about security-relevant events on their accounts is paramount. These events could range from creating an account or enrolling in MFA to deleting or deactivating the account. Being transparent and surfacing this data upfront instils trust in customers and also helps them identify a security compromise, if there is one.
Auth0 is one such identity management platform that provides support for emails through its customisable email templates. Currently, it has support for the following:
- Verification emails (using link or code)
- Welcome emails
- Enroll in MFA emails
- Change password emails
- Blocked account emails
- Password breach alert emails
- Verification code for email MFA
- User invitation
The above templates can be easily customised using their Liquid syntax, and additionally, there are Terraform resources available that automate many of the steps for us.
Acing the requirement
Our requirement was fairly simple. We had to send out emails to our customers whenever a successful password change was detected on their account. And since we were using Auth0, we were pretty laid back about it, as we thought it would be straightforward to achieve. When we looked into it, brimming with confidence, we found that although there is support for the major events, there are still many events for which email templates are not yet available, and one such event is the Success Change Password (scp) event. Auth0 does have a template for the Success Change Password Request (scpr) event, which is sent along with a password-reset link. However, the email we were interested in was the one triggered after a password has been successfully changed, and the available template wasn't of much use to us for that.
Webhooks to the rescue
We found that we could rely on the relevant events from the Auth0 logs to trigger the notifications. Since webhooks allow events to be delivered to an external web server, and Auth0 offers several integrations that can automatically push events to third-party services, we captured the scp event from the Auth0 logs and configured a custom webhook that would push it to an external queue.
We implemented a producer-consumer model where Auth0 would publish events to the queue and then a consumer would listen to this queue, and as a result send out notifications. We had an additional consumer just for the logs, so that we could consume the relevant events. This approach worked out for us as we could easily scale this for other events. We could just add multiple consumers and configure the webhook to listen to multiple events.
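The producer-consumer flow described above, as an added example that is not code from the original post or from Auth0: a webhook receiver checks the shared token the log stream is configured to send, keeps only `scp` events, and enqueues them; a consumer drains the queue and renders the notification. The payload field names (`log_id`, `data.type`, `data.user_id`, `data.user_name`, `data.date`), the bearer-token check, the `s` login event code used as noise, and the sample payload are all assumptions constructed for the example; the queue is an in-memory stand-in for the external queue.

```python
import hmac
import json
import queue

# Event codes from the post: scp = Success Change Password (what we notify on),
# scpr = Success Change Password Request (reset link sent, not our trigger).
NOTIFIABLE_EVENT_TYPES = {"scp"}

# Shared secret the webhook receiver expects in the Authorization header.
# Constructed value for the example; a real deployment loads it from configuration.
EXPECTED_AUTH_TOKEN = "example-shared-secret"


def is_authorized(authorization_header):
    """Constant-time comparison of the token presented by the log stream."""
    if authorization_header is None:
        return False
    return hmac.compare_digest(authorization_header, EXPECTED_AUTH_TOKEN)


def extract_password_change_events(body):
    """Parse a webhook body (assumed: JSON array of log events) and keep only
    the event types we notify on. Field names are assumptions about the payload."""
    selected = []
    for event in json.loads(body):
        data = event.get("data", {})
        if data.get("type") in NOTIFIABLE_EVENT_TYPES:
            selected.append({
                "log_id": event.get("log_id"),
                "type": data["type"],
                "user_id": data.get("user_id"),
                "email": data.get("user_name"),
                "date": data.get("date"),
            })
    return selected


def handle_webhook(authorization_header, body, q):
    """Producer side: authenticate the caller, filter, enqueue.
    Returns the HTTP status to answer Auth0 with."""
    if not is_authorized(authorization_header):
        return 401
    for event in extract_password_change_events(body):
        q.put(event)
    return 200


def consume_notifications(q, send):
    """Consumer side: drain the queue, hand each event to a sender callback.
    Returns the number of notifications dispatched."""
    sent = 0
    while True:
        try:
            event = q.get_nowait()
        except queue.Empty:
            return sent
        send(event)
        sent += 1


def render_notification(event):
    """Build the message for a successful password change."""
    return {
        "to": event["email"],
        "subject": "Your password was changed",
        "body": (
            f"The password for your account was changed on {event['date']}. "
            "If you did not make this change, contact support immediately."
        ),
    }


# Constructed sample payload: one scp event (notify), one scpr event (reset
# link request, ignored) and one "s" event (assumed success-login code, ignored).
SAMPLE_BODY = json.dumps([
    {"log_id": "1", "data": {"type": "scp", "user_id": "auth0|u1",
                             "user_name": "alice@example.com", "date": "2024-01-01T10:00:00Z"}},
    {"log_id": "2", "data": {"type": "scpr", "user_id": "auth0|u2",
                             "user_name": "bob@example.com", "date": "2024-01-01T10:01:00Z"}},
    {"log_id": "3", "data": {"type": "s", "user_id": "auth0|u3",
                             "user_name": "carol@example.com", "date": "2024-01-01T10:02:00Z"}},
])


def run_pipeline(authorization_header=EXPECTED_AUTH_TOKEN, body=SAMPLE_BODY):
    """End to end: webhook -> queue -> consumer. Returns (status, rendered messages)."""
    q = queue.Queue()
    status = handle_webhook(authorization_header, body, q)
    outbox = []
    consume_notifications(q, lambda e: outbox.append(render_notification(e)))
    return status, outbox


if __name__ == "__main__":
    status, messages = run_pipeline()
    print(status, json.dumps(messages, indent=2))
```

Extending this to other events is a matter of adding codes to `NOTIFIABLE_EVENT_TYPES` and a renderer per code; the token check is what keeps an unauthenticated caller from injecting fake "password changed" events into the queue, so it belongs on the producer side rather than the consumer.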
Wishful thinking
The above solution works and is reasonably extensible; however, the ideal solution would be for Auth0 to offer customisable email templates that can be attached to any event. For now, the event codes that trigger emails are a subset of all the events mentioned here. It would be really helpful to see a template that can support any event and thereby minimise the need to write additional code. Hope to see this feature soon :).
Top comments (1)
One of my apps has 350K MAU, 10 million downloads.
Auth0 would charge me USD 1500/mo for 10K users.
After that is "contact us".
So, if 10K = USD 1500. 350K would be more than USD 50K.
Auth0 is a fucking scam.
Not even Firebase (which gives me authentication for free even when I had more than 850K MAU during the pandemic) would charge me that much with custom function hooks.
I won't even mention the cost of mailgun, supabase, etc. Those crap SaaS are, well, crap. I just have a server on OVH that costs me USD 89 and handle all my stuff with plenty of air to breathe.