I am thinking that an in-house solution will be cheaper than FusionAuth
-
Why wouldn't it be?
Note this is an amalgamation of common questions about in-house solutions.
-
I will just toss out some thoughts I have on in-house solutions:
- It will probably take about 8-12 months total to fully implement and test a custom IdP with OAuth, OIDC, SAML, etc. (plus ensuring it is FIPS or SOC 2 compliant)
- You’ll have to pen test regularly
- You’ll probably need a security audit on it yearly
- You’ll need to engage security researchers to continuously audit your code, APIs, etc. (pen testers are fine but security researchers find things pen testers don’t)
- You’ll need to monitor CVEs and new exploits to ensure you are safe (at the network, server, and app levels)
- You’ll need to maintain it for as long as it is in use
- You’ll need to keep it compliant with new specifications and security standards
Undertaking these tasks can work for some teams, but walk into it with eyes wide open. Nobody likes to have their auth credentials stolen, and you need to spend time and money to prevent it.