Free (as in Tier) OAuth2

Are services like Auth0 or Okta really worth paying for? For a business, perhaps; the overhead of paying for an auth-focused software engineer, as well as the operational overhead of monitoring, could very well be more expensive than handing over a credit card. However, if you have made the decision to host your own, it turns out you can do so on AWS’s Free tier, with only a few strategic technical choices.

Counting the API requests

The reason this is so cheap is that authorization, especially now that signed tokens let your API validate a token locally instead of calling the authorization server on every request, only requires a few API requests. Let's count the requests for a typical user session of 30 minutes:

  1. One call to /.well-known/openid-configuration to read the OAuth2/OpenID Connect discovery document (endpoint URLs, supported algorithms).
  2. One call to /jwks.json to read the signing key set used to validate tokens (clients cache this and only refetch when they see an unknown key id).
  3. One call to the /oauth/authorization endpoint to start the authorization flow.
  4. One call to the /oauth/callback endpoint, usually triggered by a third-party IdP (sign-in via Google) redirecting the user back.
  5. One call to the /oauth/token endpoint to issue the first tokens.
  6. One additional call to the token endpoint per access-token lifetime, for as long as the user session persists, to refresh the token.

As you can see, initializing a session takes 5 calls, while maintaining a session takes one call per access-token TTL. I personally prefer mine at 5 minutes, so let's work with that: a 30-minute session in your app needs 5 refreshes on top of the 5 initial calls, 10 API calls in total. Note that machine clients only need 3 API calls to initialize a session, since the authorization redirect and the callback are not needed.
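
To make the "signed tokens" point concrete, here is an added example (not code from the original post) of a resource server validating an access token entirely locally, so the per-request traffic to your own API never turns into traffic to the authorization server. It uses HS256 with a shared secret because the Python standard library has no RSA; a real deployment verifies RS256/ES256 signatures with the public key fetched once from /jwks.json. The issuer URL, audience and secret below are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example: a symmetric key shared by the token endpoint and the API.
# Real deployments publish an RSA/EC public key via /jwks.json; HS256 is used here only
# because the standard library has no RSA implementation.
SHARED_SECRET = b"example-shared-secret-do-not-use-in-production"
ISSUER = "https://auth.example.com"   # assumed issuer URL
AUDIENCE = "my-api"                    # assumed audience (this resource server)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments omit padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT the way the token endpoint would (this is the one API call)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "iat": now, "exp": now + ttl_seconds}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Validate a JWT locally: no network call back to the authorization server.

    Raises ValueError with a short reason on any failure. Order matters: the
    algorithm is pinned and the signature checked before any claim is trusted.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose (rejects alg=none and key-type swaps).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing information.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    # No leeway for clock skew here; add a few seconds in production if needed.
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


if __name__ == "__main__":
    token = issue_token("alice", ttl_seconds=300)
    print(verify_token(token))
```

Everything after the initial token issuance happens inside your API process; the only time it talks to the authorization server again is the refresh call once the 5-minute TTL runs out, which is exactly why the per-session request count stays in single digits.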

The AWS Free Tier

The “cheapest” architecture for publishing an API in AWS is a combination of API Gateway, Lambda, and DynamoDB. Speaking practically, the true limit of this architecture is the request allowance on the gateway and on Lambda, which in both cases is set to 1,000,000 (one million requests per month). Check the current Free Tier terms before relying on this: some of these allowances are permanent, others only apply for the first twelve months of an account.

Putting it together, assuming 10 API calls per user (one 30-minute session per user per day) and 30 days in a month, the free allowance covers ~3,333 daily active users. Increasing the token duration to 10 minutes (7 calls per session) increases that to ~4,761. Beyond the allowance, each additional million requests, roughly another 3,333 daily users, will cost you ~$1.20 per month in request charges (Lambda duration and DynamoDB capacity are billed separately), which grows linearly until you hit volume pricing tiers.

When to switch from Lambda?

Eventually, you’ll build enough traffic that you may consider buying something, or hosting an EC2 instance and/or container. 1,000,000 requests per month works out to about 23 requests per minute, which most servers can handle swimmingly. Furthermore, a small AWS EC2 reserved instance will cost you about $23/month (speaking from how I’m hosting this blog), so the break-even is 23/1.20 + 1, roughly 20x the free-tier volume. In short: around 20 million requests a month, roughly 66K daily active users, and a total request rate of about 460 requests per minute, or 7.7 requests per second.
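
The capacity arithmetic from the last two sections, generalized into a few functions as an added example (not the post's own code) so you can plug in your own token TTL, session length, instance price and the current Free Tier figures. The constants are the ones quoted in this post, and the one-session-per-user-per-day assumption is carried over.

```python
import math

# Figures quoted in this post; adjust to current AWS pricing and Free Tier terms.
FREE_REQUESTS_PER_MONTH = 1_000_000   # API Gateway and Lambda request allowance
PRICE_PER_MILLION_USD = 1.20          # Gateway + Lambda request charges beyond the allowance
DAYS_PER_MONTH = 30


def calls_per_session(session_minutes, token_ttl_minutes, interactive=True):
    """API calls one client makes during a session.

    Interactive (browser) clients: discovery, JWKS, authorize, callback, token.
    Machine clients: discovery, JWKS, token (no redirect dance).
    The first access token covers the first TTL window; every further window
    costs one refresh call to the token endpoint.
    """
    setup = 5 if interactive else 3
    windows = math.ceil(session_minutes / token_ttl_minutes)
    return setup + max(0, windows - 1)


def free_tier_daily_users(calls_per_user_per_day):
    """Daily active users the free allowance covers, one session per user per day."""
    return FREE_REQUESTS_PER_MONTH // (calls_per_user_per_day * DAYS_PER_MONTH)


def monthly_request_cost_usd(daily_users, calls_per_user_per_day):
    """Request charges only; Lambda duration and DynamoDB are billed separately."""
    requests = daily_users * calls_per_user_per_day * DAYS_PER_MONTH
    billable = max(0, requests - FREE_REQUESTS_PER_MONTH)
    return billable / 1_000_000 * PRICE_PER_MILLION_USD


def breakeven_daily_users(instance_usd_per_month, calls_per_user_per_day):
    """DAU at which serverless request charges equal a fixed-price instance."""
    requests = FREE_REQUESTS_PER_MONTH + instance_usd_per_month / PRICE_PER_MILLION_USD * 1_000_000
    return int(requests // (calls_per_user_per_day * DAYS_PER_MONTH))


def requests_per_second(daily_users, calls_per_user_per_day):
    """Average sustained rate the auth service must absorb."""
    return daily_users * calls_per_user_per_day / (24 * 60 * 60)


if __name__ == "__main__":
    for ttl in (5, 10):
        calls = calls_per_session(30, ttl)
        print(f"TTL {ttl} min: {calls} calls/session, "
              f"{free_tier_daily_users(calls)} DAU on the free tier")
    calls = calls_per_session(30, 5)
    dau = breakeven_daily_users(23.0, calls)
    print(f"Break-even vs a $23/month instance: {dau} DAU, "
          f"{requests_per_second(dau, calls):.1f} req/s")
```

The model treats refreshes as one call per TTL window, so shortening the TTL for tighter revocation trades directly against free-tier headroom; the break-even function shows how little that matters once you are paying for a fixed instance anyway.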

But what does it cost to build one?

There are many open source OAuth2 servers out there, but they are built to run as a long-lived server process rather than as Lambda functions, so if you choose to go that route you might as well pay the “exorbitant” $23/month instance fee from AWS from the start.

However, speaking from experience, a simple STS service which does not have its own login, and instead performs authorization against a third party like Google or Facebook, takes about a week to build and deploy. The complexity comes from building a tenancy model that allows different organizations to sign up and have an isolated permission-management API; so if you’re creating a B2C service, it’s relatively quick. B2B is more complex; however, in this arena chances are the off-the-shelf solutions out there won’t exactly match your business needs.
