I’m investigating options to restrict access to a statically built site (using Hugo as site generator). With Netlify Identity being phased out, this announcement suggests using auth0 instead. However, the available documentation is aimed at dynamic sites (such as built with Next.js) only.
After some digging, it appears the most reliable, easily managed way to restrict access to a static site is to use role-based access control with JWT. However, it appears anything beyond Netlify Identity requires an Enterprise Plan. This is not a very attractive upgrade path. Are there any plans to support auth0 (or similar provider) on the Free Tier and/or Pro Tier too? Or is there an alternative solution that I’ve missed?
I know Netlify Identity is being phased out, so I looked into using Auth0. Most Auth0 guides I’ve found are for dynamic sites like Next.js, not static Hugo sites. From my research, the best way for static sites is using role-based access control with JWT. But I see this might require an enterprise plan on Netlify.
You are correct that, according to the current documentation, using role-based access control (RBAC) with external JWT providers like Auth0 or Okta is only available on Netlify’s Enterprise plan.
Are there any plans to support auth0 (or similar provider) on the Free Tier and/or Pro Tier too? Or is there an alternative solution that I’ve missed?
Currently, the recommended approach is to use Auth0 for the now-deprecated Netlify Identity.
As for alternatives, the following options are available on other accounts that are not Enterprise:
Password Protection: You can protect your entire site or specific deploys with a password, either with a basic password or by requiring Netlify team login.
This is less flexible than RBAC but is available on Pro plans and above.
Learn more: Require password or login credentials.
Basic Authentication with Custom HTTP Headers: Allows you to protect specific paths with multiple username/password pairs, but does not provide role-based access.
Learn more: Access control options for your Netlify sites.
Thanks for the clarification @clarnx. Unfortunately, auth0 is not a replacement for Identity, as Netlify does not support JWT/RBAC on anything below the Enterprise plan. For static sites, access control with auth0 (or any similar service) needs to be done server-side to make it reliable. The alternatives you shared are helpful, but unfortunately inadequate for what I have in mind.
The recommended advice is to use Edge Functions if you wish to roll out any kind of a custom auth or integration with any other auth provider. The feature for Enterprise that’s being discussed is not really useful for modern sites and there are hardly any sites that are using it. I won’t be surprised if that disappears as well (no plans yet though).
With Edge Functions, you can use a custom JWT secret and handle JWT verification within it to allow/deny user access.