The Premise

Curology had rolled their own authentication solution using Laravel’s built-in auth solution with additional plugins. As the company has grown its technologies have become more complex and distributed. Having a monolithic application that also houses auth logic with credentials, roles, and permissions stored in the central application database could result in a number of bottlenecks for third-party services that also need to query that information. This sparked their need for auth to be decoupled from their own internal systems and to be its own first-class stateless auth solution that their third-party services could access.

The Process

“We ran a project internally where we bet all the different auth providers against each other. We found that each one had a different philosophy on how their integrations worked and how they laid out their services. SuperTokens was by far the one that offered the most flexibility to work in our particular architecture.”

Eric WongPrincipal Software Engineer @ Curology

As a medical company, Curology handles sensitive patient data that needs to be secured. The vendor they would choose is required to have SOC2 compliance and architecture that is secure and battle-tested. Additionally, their chosen vendor needed to be extensible enough to play well with their third-party services. After evaluating a number of authentication vendors it came down to 3 options AWS Cognito, Auth0, and SuperTokens.

AWS Cognito pricing was the most appealing but had to be ruled out since they did not have a good way to migrate to and off the platform, especially with Curology’s social login credentials. Auth0’s tenant architecture posed some limitations for Curlogy. Curology needed all the brands to be supported in a central database of users, essentially a single user pool ruling out Auth0. The Curology team wanted to ensure they were being responsible when it came to pricing, but, they wanted the product they chose to be technically sound with great documentation. Ultimately SuperTokens was the only solution that was able to pass all their requirements.

“SuperTokens has a very simple well thought out HTTP API. That was really important to us. We also like that parts of SuperTokens are Open Source”

Eric WongPrincipal Software Engineer @ Curology

Additionally, the ability to spin up dev environments proved invaluable.

Setting up SuperTokens took minimal time for Curology. Using the SuperTokens CLI they were able to get up and running in a couple of days. Most of their time was spent tying in their integrations with SuperTokens.

For the migration, Curology chose a “Lazy-migration” approach and divided the migration by the provider. It started with migrating “Email-Password” based users, these users would be migrated on the spot whenever they tried signing in.  They are currently in the process of migrating over their users with Social Login accounts. This approach is great as it reduces the possibility of data inconsistencies when compared to a “big bang” approach.

Results

Through SuperTokens, Curology was able to build consistent login experiences across all the brands Curology worked with. The key selling point of SuperTokens for Curology was the flexibility. Overrides and hooks allowed Curology to integrate with a number of services that they used. Additionally, the ability to lazily migrate their users to ensure data consistency was valuable. They have migrated over more than 100k customers, and through working with SuperTokens they realized that achieving something similar with other vendors would have been difficult.

“I am very relieved that we chose SuperTokens”

Eric WongPrincipal Software Engineer @ Curology

To watch entire case study discussion video please click here.