I initially tried Azure with Entra ID, but personally found it a bit slow, hard to customize, and more complex than I needed due to its API and external dependencies.

I believe a good general rule for authentication and authorization is to strike a balance between security and user experience. If your security measures frustrate users, it might be worth improving the UX.

Aside from third-party auth like Google, I like the passwordless approach used by apps like Canva and Skype—where users receive a code via email instead of entering a password.

I built my own solution. You can check the source code or use the package if you prefer not to build your own.

The frontend part is available as an npm package, though, it includes more than just auth features. If you're only interested in login, registration, or Google auth, you can check the source code and just use the parts that you need.

Example use case (access token expires in 15 minutes, refresh token in 24 hours):

1. User logs in → receives access and refresh tokens.
2. Possible scenarios:

• • Tab stays open → tokens refresh silently every 15 minutes.
• • Tab is closed and reopened after 16 minutes → refresh token is still valid; new tokens are issued.
• • Tab is closed and reopened after 25 hours → both tokens are expired; login form is shown.