Embedded with custom domain vs Universal login

Hi, we are creating a React application where we need to do a simple username/password login. I was thinking about doing an embedded login so that we can easily reuse our styling, existing components, translations, …

But everywhere i look in the documentation i see that “Universal login” would be better.

My question: If we would use an embedded login with a custom domain what security issues do we still have comparing to the universal login?
If you use a custom domain is this still cross-origin-authentication then?
The only issue i was seeing was ‘silent authentication’, but this also is solved by using a custom domain?

We also only have one application that needs to use the login.

Kind regards,
Daan

Hi @daanporon,

Welcome to the Auth0 Community!

We highly recommend using UL. It is the recommended login method for many reasons, security and otherwise.

I’ll link to some resources that compare the two methods.

I am told it is still considered cross origin, even with custom domain. Although you can avoid some of the third party cookie issues.

Hope this helps!

Thanks,
Dan

1 Like

Hi, thanks for the reply … i already read those resources. But the way i understand it all the issues are solved by using custom domain. The only issue i still see is that the user credentials are entered on the same domain as where the tokens are being send too. And this could be a possible security issue. But further then that i can’t think of any. Other advantages are if you need a universal login, but what if you don’t need it …

I was hoping to get a better view on why UL is recommended … what the security issues could be with embedded. So that i could take a better decision on which is the best solution for us.

Kind regards,
Daan

@daanporon,

Outside of what is outlined in the links from above, it is going to depend on the architecture of your application. Part of the reason we so highly recommend UL is because of the control Auth0 has over the authentication process. UL is a much more controlled environment. Embedded login puts more trust in the developer building the app to address any security concerns. It creates a greater attack surface. This is a reason why we recommend UL so highly and add caution to anything regarding embedded.

Hope this helps!

Thanks,
Dan

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.