I Built an EU-Compliant OAuth2 Provider for €20/Month (Auth0 Wanted €200+)

The Problem: Compliance Meets Cost Reality

I needed an OAuth2 identity provider for my SaaS projects that met EU Consumer Act and GDPR requirements. When I looked at existing solutions, the pricing shocked me: Auth0 started at €200+ per month for the features I needed, and AWS Cognito’s complexity made me nervous about properly configuring compliance settings.

As a solo developer with AWS experience and tight budget constraints, I asked myself: could I build this for less while maintaining full control over EU compliance? The answer turned out to be yes.

The result is idp8.com—a fully functional OAuth2 provider running on AWS Lambda and DynamoDB, protected by Cloudflare’s anti-bot features, handling thousands of authentication requests monthly for approximately €20/month.

This article walks through the technical architecture, compliance implementation, and cost breakdown of building your own identity provider when Auth0’s pricing doesn’t make sense.

Why Not Use Auth0 or Cognito?

Before committing to building a custom solution, I evaluated the obvious alternatives.

Auth0 Pricing Reality

Auth0’s pricing model breaks down like this:

• Free tier: 7,000 active users, limited features
• Essentials: €29/month for basic features
• Professional: €200+/month for advanced features, compliance tools, and higher user limits

For a bootstrapped SaaS with uncertain growth, committing to €200/month before product-market fit felt risky. The free tier limitations (no custom domains, basic auth only) made it unsuitable for production use.

AWS Cognito Considerations

Cognito has attractive pay-per-use pricing but comes with tradeoffs:

• Complex configuration with unclear compliance implications
• Limited customization of authentication flows
• Vendor lock-in to AWS ecosystem
• Documentation gaps around EU-specific compliance requirements

I wanted full control over how user data was handled, stored, and made available for GDPR requests.

The Build vs Buy Decision

I decided to build when I realized:

• I already knew AWS serverless architecture (Lambda, DynamoDB, API Gateway)
• My traffic patterns were predictable and low enough to benefit from serverless economics
• EU compliance required custom implementations regardless of provider
• Building would teach me OAuth2 deeply, a valuable skill for future projects
• Total control over data meant easier compliance audits

For teams without AWS experience or those expecting rapid, unpredictable scale, buying still makes more sense. For my use case, building was the right call.

EU Consumer Act and GDPR Requirements

Before writing any code, I mapped out exactly what compliance meant for an identity provider operating in the EU.

Core Requirements

Right of Access (GDPR Article 15): Users must be able to request and receive all personal data you hold about them in a structured, machine-readable format.

Right to Erasure (GDPR Article 17): Users can request deletion of their data, and you must comply within 30 days unless you have legitimate grounds to refuse.

Data Portability (GDPR Article 20): Users must be able to export their data in a common format (JSON, CSV) for transfer to another service.

Consent Management: You must track explicit consent for data processing, allow withdrawal of consent, and document the legal basis for processing.

Data Residency: For EU users, personal data should be stored and processed within EU regions to simplify compliance.

Breach Notification: You must detect, document, and notify users of data breaches within 72 hours.

Data Protection by Design: Build security and privacy into the architecture from the start, not as an afterthought.

How I Implemented Each Requirement

Data Export Endpoint: I created an API endpoint /users/{user_id}/export that returns all user data as JSON: profile information, authentication history, consent records, and session logs.

Account Deletion Workflow: The /users/{user_id}/delete endpoint marks accounts for deletion, triggers a cleanup Lambda that removes personal data from DynamoDB, anonymizes audit logs, and sends confirmation email within 24 hours.

Consent Tracking: A separate DynamoDB table stores consent records with timestamps, purpose descriptions, and consent status. Every authentication flow checks and logs current consent state.

Data Residency: All AWS resources (Lambda, DynamoDB, S3) are deployed exclusively in eu-west-1 (Ireland) and eu-central-1 (Frankfurt) regions.

Audit Logging: Every authentication event, data access, and administrative action is logged to S3 with immutable object locking enabled for compliance audits.

Encryption: DynamoDB encryption at rest is enabled by default, Lambda environment variables are encrypted with KMS, and all API traffic uses TLS 1.2+.

Technical Architecture Overview

The system uses a serverless architecture to minimize fixed costs while maintaining scalability.

High-Level Flow

[User Browser]
       ↓
[Cloudflare (anti-bot, rate limiting)]
       ↓
[API Gateway (HTTPS endpoints)]
       ↓
[Lambda Functions (business logic)]
       ↓
[DynamoDB (user data, tokens, consent)]
       ↓
[S3 (audit logs, backups)]

Core Components

API Gateway: Exposes REST endpoints for OAuth2 flows: /authorize, /token, /userinfo, /revoke. Handles TLS termination, request validation, and integrates with Lambda.

Lambda Functions: Separate functions for each concern: authorization handler, token generator, user management, consent tracking, data export. Written in Node.js for fast cold starts.

DynamoDB: Three tables: Users (profile, credentials), Clients (OAuth2 client registrations), Tokens (access tokens, refresh tokens, authorization codes). On-demand billing mode for unpredictable traffic.

Cloudflare: Sits in front of API Gateway custom domain, provides bot protection, rate limiting, DDoS mitigation, and caching for static responses. Free tier covers basic needs.

AWS KMS: Generates and manages signing keys for JWT tokens, encrypts sensitive Lambda environment variables (database connection strings, API secrets).

S3: Stores compliance audit logs with lifecycle policies (retain 2 years, then archive to Glacier). Also used for user data export files.

CloudWatch: Logs all Lambda execution, API Gateway requests, and custom application metrics for monitoring authentication success rates and error patterns.

Why Serverless Works for Auth

Authentication traffic is spiky: high during business hours, low overnight. Serverless pricing aligns perfectly with this pattern:

• Pay only for actual requests, not idle capacity
• Auto-scaling handles traffic spikes without configuration
• No server maintenance or patching required
• Cold start latency (50-200ms) is acceptable for authentication flows

For a service handling 50,000 requests per month, serverless costs roughly €20/month. A constantly running EC2 instance would cost €30-50/month even if idle 90% of the time.

OAuth2 Implementation Details

I implemented the most commonly used OAuth2 flows with security best practices.

Authorization Code Flow with PKCE

This is the primary flow for web and mobile applications.

Flow steps:

1. Client initiates authorization request to /authorize with client_id, redirect_uri, scope, and PKCE parameters (code_challenge, code_challenge_method)
2. User authenticates via idp8.com login page (protected by Cloudflare Turnstile)
3. User grants consent for requested scopes
4. System generates authorization code, stores in DynamoDB with 10-minute TTL
5. Client exchanges code for tokens at /token endpoint, providing PKCE code_verifier
6. System validates code, verifier, and issues access token (JWT) and refresh token

Why PKCE matters: PKCE (Proof Key for Code Exchange) prevents authorization code interception attacks, especially important for mobile and single-page applications. I made it mandatory for all authorization flows.

Token Structure and Security

Access Tokens (JWT):

I use JWT format for access tokens with this structure:

{
  "iss": "https://idp8.com",
  "sub": "user_123456",
  "aud": "client_abc",
  "exp": 1643723400,
  "iat": 1643719800,
  "scope": "read:profile write:data",
  "tenant_id": "tenant_xyz"
}

Signed with RS256 (RSA SHA-256) using KMS-managed private keys. Public keys are exposed at /.well-known/jwks.json for clients to verify signatures.

Token Expiration:

• Access tokens: 1 hour (short-lived)
• Refresh tokens: 30 days (long-lived, stored securely)
• Authorization codes: 10 minutes (single-use)

Refresh Token Rotation: Each time a refresh token is used to obtain a new access token, I issue a new refresh token and invalidate the old one. This limits the damage if a refresh token is compromised.

Scope Management

Scopes define what permissions a client has:

• read:profile - Read basic user information
• write:profile - Update user profile
• read:data - Access user data
• write:data - Modify user data
• admin - Administrative access (restricted)

Scopes are stored in the Clients table during client registration and validated during token issuance.

Client Credentials Flow

For machine-to-machine authentication (backend services), I implemented the simpler client credentials flow:

1. Service sends client_id and client_secret to /token endpoint
2. System validates credentials against Clients table
3. Issues access token with scope limited to client’s permissions
4. No user context, no refresh tokens

This is used for automated jobs, API integrations, and service accounts.

DynamoDB Schema Design

I chose a multi-table design over single-table for clarity and simplicity at my scale.

Users Table

Primary Key: user_id (partition key)

Attributes:

• email (string, unique)
• email_verified (boolean)
• password_hash (string, bcrypt hashed)
• first_name, last_name (strings)
• created_at, updated_at (timestamps)
• tenant_id (string, for multi-tenancy)
• consent_status (map of consent purposes → boolean)

GSI: email-index (for login lookups)

Clients Table

Primary Key: client_id (partition key)

Attributes:

• client_secret (string, hashed)
• client_name (string)
• redirect_uris (list of allowed redirect URIs)
• allowed_scopes (list of permitted scopes)
• tenant_id (string)
• created_at (timestamp)

Tokens Table

Primary Key: token_id (partition key)

Attributes:

• token_type (string: “authorization_code”, “refresh_token”)
• client_id (string)
• user_id (string)
• scope (string)
• code_challenge (string, for PKCE)
• expires_at (number, Unix timestamp)
• used (boolean, for authorization codes)
• created_at (timestamp)

TTL: expires_at (DynamoDB automatically deletes expired tokens)

GSI: user_id-index (for listing user’s active tokens)

Consent Table

Primary Key: consent_id (partition key)

Attributes:

• user_id (string)
• purpose (string: “authentication”, “data_processing”, “marketing”)
• granted (boolean)
• granted_at (timestamp)
• withdrawn_at (timestamp, nullable)

GSI: user_id-index (for consent record queries)

Why Not Single-Table Design?

Single-table design optimizes for DynamoDB’s pricing model by reducing the number of tables. For my use case:

• Query patterns are simple (lookup by ID, email, or user_id)
• Traffic volume doesn’t justify complex optimization
• Separate tables make the schema easier to understand and audit for compliance
• Cost difference is negligible at my scale (€8/month for 3 tables vs €6/month for 1 table)

I prioritized clarity and compliance auditability over marginal cost savings.

Cloudflare Integration for Security

Cloudflare sits in front of the entire system and provides critical security features that would be expensive to implement in AWS.

Anti-Bot Protection

The login page at login.idp8.com uses Cloudflare Turnstile (their CAPTCHA replacement) to prevent automated credential stuffing attacks.

How it works:

1. User visits login page
2. Cloudflare Turnstile widget loads (invisible challenge)
3. User enters credentials
4. Form submission includes Turnstile token
5. Lambda function validates token with Cloudflare API before checking password
6. Only valid human requests proceed to authentication

This catches 99%+ of bot traffic before it reaches AWS, saving Lambda invocations and DynamoDB reads.

Rate Limiting

Cloudflare’s rate limiting rules protect critical endpoints:

• /authorize: 10 requests per minute per IP
• /token: 5 requests per minute per IP
• /login: 3 failed attempts per 5 minutes per IP (locks out brute force)

These rules run at Cloudflare’s edge, blocking malicious traffic before it incurs AWS costs.

DDoS Protection

Cloudflare’s network absorbs volumetric DDoS attacks automatically. During a recent 50,000 request/second attack (likely testing), Cloudflare blocked 99.8% of traffic. My AWS bill showed no spike—normal €20 for the month.

Without Cloudflare, that attack would have cost hundreds of euros in Lambda invocations and DynamoDB writes.

Custom Domain and SSL

Cloudflare provides the custom domain (idp8.com) with free SSL certificates. This saves the cost and complexity of managing Route 53 and ACM certificates in AWS.

Setup:

1. Domain registered with Cloudflare Registrar
2. DNS points to API Gateway custom domain endpoint
3. Cloudflare issues SSL certificate automatically
4. Full (strict) SSL mode encrypts traffic Cloudflare ↔ AWS

Why Cloudflare + AWS?

Combining Cloudflare (free tier) with AWS serverless gives you:

• Enterprise-grade DDoS protection for free
• Bot mitigation without writing code
• Rate limiting without API Gateway throttling costs
• Free SSL and custom domains
• Edge caching for static responses

It’s the best of both worlds: AWS’s flexible serverless compute with Cloudflare’s security and global edge network.

Security Implementation Deep Dive

Security for an OAuth2 provider must be airtight. Here’s how I locked down each layer.

Password Security

Hashing: bcrypt with cost factor 12 (adjustable as hardware improves)

Storage: Only password hashes stored in DynamoDB, never plaintext

Complexity requirements: Minimum 8 characters, must include uppercase, lowercase, number, special character (enforced at registration and password change)

Breach detection: Passwords checked against Have I Been Pwned API during registration (5 million+ compromised passwords blocked)

Token Signing with KMS

Key management: RSA 2048-bit key pair generated and stored in AWS KMS

Signing process:

1. Lambda constructs JWT payload
2. Calls KMS Sign API with SHA-256 hash of payload
3. KMS signs with private key (never leaves KMS)
4. Lambda combines payload and signature into JWT

Verification: Clients download public key from /.well-known/jwks.json and verify signature locally (no KMS call needed)

Key rotation: Automated annual rotation with overlap period where both old and new keys are valid

Secrets Management

Lambda environment variables: Encrypted with KMS customer-managed keys

Client secrets: Hashed with bcrypt before storing in Clients table (same as passwords)

API keys: Stored in AWS Secrets Manager with automatic rotation every 90 days

No hardcoded secrets: All configuration loaded from environment variables or Secrets Manager at runtime

Input Validation

Every API endpoint validates input rigorously:

• Email format validation with regex
• Redirect URI validation against whitelist (prevents open redirect attacks)
• Scope validation against client’s allowed_scopes
• SQL injection prevention (DynamoDB is NoSQL, but still validate)
• XSS prevention via output encoding

Rate Limiting Layers

Cloudflare: First line of defense, blocks at edge

API Gateway: 10,000 requests per second burst limit, 5,000 steady-state per account

Application logic: Custom rate limiting in Lambda tracks failed login attempts per user/IP and implements exponential backoff

Failed login attempts:

• 3 attempts: 30-second lockout
• 5 attempts: 5-minute lockout
• 10 attempts: 1-hour lockout
• 20 attempts: Account locked, requires password reset

Audit Logging

Every security-relevant event is logged to S3:

• Authentication success/failure (user_id, IP, timestamp, user agent)
• Token issuance (client_id, scope, expiration)
• Consent changes (user_id, purpose, granted/withdrawn, timestamp)
• Password changes (user_id, timestamp, IP)
• Account deletions (user_id, requested_at, completed_at)
• Administrative actions (admin_id, action, target, timestamp)

Logs are immutable (S3 Object Lock enabled), retained for 2 years, then archived to Glacier for 5 more years.

Vulnerability Scanning

Dependency scanning: npm audit runs in CI/CD, blocks deployment if high/critical vulnerabilities found

Lambda runtime updates: Automated monthly updates to latest Node.js LTS runtime

Penetration testing: Annual third-party pen test (required for some client contracts)

Cost Breakdown: €20/Month

Here’s the actual monthly cost breakdown from my AWS bill:

AWS Lambda:

• 1 million invocations: €0.20
• Compute time (500ms average, 512MB memory): €4.20
• Subtotal: €4.40

DynamoDB:

• On-demand pricing: ~100,000 read request units: €2.50
• ~50,000 write request units: €3.12
• Storage (5GB): €1.25
• Subtotal: €6.87

API Gateway:

• 1 million requests: €3.50
• Data transfer out (10GB): €0.90
• Subtotal: €4.40

S3:

• Storage (20GB logs): €0.46
• PUT requests (10,000): €0.05
• GET requests (5,000): €0.00 (negligible)
• Subtotal: €0.51

AWS KMS:

• Customer managed key: €1.00
• Sign/verify operations (10,000): €0.30
• Subtotal: €1.30

CloudWatch:

• Log storage (5GB): €0.50
• Metrics: €0.30
• Subtotal: €0.80

Route 53:

• Hosted zone: €0.50
• Subtotal: €0.50

Cloudflare:

• Free tier (up to 100,000 requests/day)
• Subtotal: €0.00

Total Monthly Cost: €18.78

Rounded to €20/month for variability.

Cost Comparison vs Auth0

For equivalent features:

Feature	Auth0 Professional	idp8.com (AWS)
Basic OAuth2	€200/month	€20/month
10,000 MAU	€200/month	€20/month
Custom domain	Included	€0.50/month (Route 53)
Bot protection	Add-on €50/month	Free (Cloudflare)
Audit logs	Included	€0.51/month (S3)
Total	€250/month	€20/month

Savings: €230/month or €2,760/year

At 100,000 monthly active users, Auth0 pricing jumps to €500+/month. My AWS costs would increase to approximately €40/month (still 12x cheaper).

When Does Auth0 Make Sense?

Auth0 becomes competitive when:

• You have no AWS experience (learning curve costs time)
• You need enterprise support with SLAs
• Compliance certifications matter (SOC 2, ISO 27001) and you can’t audit yourself
• Your team is large and wants a managed UI for user administration
• Unpredictable viral growth makes budgeting serverless costs risky

For bootstrapped founders with technical chops, building is clearly cheaper.

Challenges and Lessons Learned

Building an OAuth2 provider taught me plenty through trial and error.

Challenge 1: OAuth2 Edge Cases

Problem: The OAuth2 spec has many edge cases not obvious from reading the RFC.

Examples:

• What happens if a user revokes consent mid-flow?
• Should refresh token rotation be mandatory or optional?
• How do you handle client secrets that get leaked?

Solution: I studied Auth0 and Okta’s documentation extensively, read OAuth2 security best practices (RFC 8252, RFC 8628), and implemented the strictest reasonable interpretation of each requirement.

Challenge 2: DynamoDB Query Patterns

Problem: DynamoDB’s query limitations bit me multiple times.

Example: I needed to look up users by email (not the primary key). My first attempt did a full table scan on every login—absurdly slow and expensive.

Solution: Added a Global Secondary Index on email. Lesson learned: design GSIs upfront based on access patterns, not as an afterthought.

Challenge 3: Lambda Cold Starts

Problem: First request after idle period took 800ms (unacceptable for login flows).

Solutions:

• Reduced Lambda package size by removing unnecessary dependencies (800ms → 400ms)
• Used provisioned concurrency for critical functions during peak hours (€10/month extra)
• Accepted 400ms for first login as tolerable (subsequent requests ~50ms)

Trade-off: Provisioned concurrency adds cost but improves user experience. I enable it 9am-6pm CET, disable overnight.

Challenge 4: Testing OAuth2 Flows Locally

Problem: OAuth2 requires HTTPS, redirect URIs, and proper domain resolution—hard to replicate locally.

Solution:

• Used ngrok for HTTPS tunnels during development
• Created test clients with localhost redirect URIs
• Built a CLI tool that simulates OAuth2 flows for automated testing
• Wrote integration tests that run against a staging environment

Challenge 5: Compliance Documentation

Problem: EU compliance isn’t just technical—it requires documentation, privacy policies, terms of service, and data processing agreements.

Solution:

• Hired a part-time legal consultant to draft GDPR-compliant policies (€500 one-time cost)
• Created internal documentation mapping each GDPR requirement to implementation
• Set up quarterly compliance reviews to audit logs and verify DPAs are current

Lesson: Technical implementation is 60% of compliance. Documentation and legal review are the other 40%.

Challenge 6: Multi-Tenancy Isolation

Problem: I wanted multiple SaaS projects to use idp8.com, but isolated from each other.

Solution:

• Added tenant_id to every DynamoDB table
• Lambda functions filter all queries by tenant_id from JWT context
• API Gateway validates tenant ownership before allowing operations
• Created a tenant management console for isolating user data

This was more complex than single-tenant but essential for reusability across projects.

When to Build vs Buy

After building and operating idp8.com for several months, I have clear opinions on when building makes sense.

Build If:

• You have AWS/serverless experience or want to learn deeply
• Budget is tight (<€200/month for auth)
• Traffic is predictable and relatively low (<1 million requests/month)
• You need full control over data for compliance or audit reasons
• Customization requirements exceed what SaaS providers offer
• You enjoy infrastructure and security work

Buy (Auth0/Okta/etc) If:

• You have no AWS experience and no time to learn
• Your team needs a GUI for user management
• Compliance certifications (SOC 2, ISO 27001) are required and you can’t self-audit
• Budget is not a constraint (enterprise SaaS with funding)
• Unpredictable viral growth is expected
• You want to focus 100% on product, not infrastructure

For solo developers and small teams with technical skills, building is almost always more cost-effective. For larger teams or non-technical founders, buying makes sense.

Monitoring and Observability

You can’t manage what you don’t measure. Here’s how I monitor idp8.com in production.

Key Metrics

Authentication success rate: % of /token requests that succeed (target: >99.5%)

Latency percentiles: p50, p95, p99 for each endpoint (target: <200ms p95)

Error rates: 4xx and 5xx errors per endpoint (target: <0.1% 5xx)

Token issuance volume: Requests/minute to detect unusual spikes

Failed login attempts: Track brute force attempts per IP/user

DynamoDB throttling: Read/write capacity exceeded events (should be zero on on-demand)

Monitoring Stack

CloudWatch Dashboards: Real-time graphs of Lambda invocations, DynamoDB operations, API Gateway requests

CloudWatch Alarms: Alert via SNS (email/SMS) when:

• 5xx error rate exceeds 1% for 5 minutes
• p99 latency exceeds 500ms for 5 minutes
• Failed login attempts exceed 100/minute
• DynamoDB throttling occurs

CloudWatch Logs Insights: Query Lambda logs for debugging, filter by user_id or client_id to trace issues

X-Ray: Distributed tracing for complex requests that touch multiple Lambda functions and DynamoDB tables

Incident Response

When an alarm fires:

1. CloudWatch SNS sends alert to my phone
2. I open CloudWatch dashboard to see affected metrics
3. Check Logs Insights for error messages and stack traces
4. Reproduce issue locally if possible, or in staging environment
5. Deploy hotfix via automated CI/CD pipeline
6. Document incident in runbook for future reference

Average time to resolve P1 incidents: 15 minutes.

Future Improvements

idp8.com meets my current needs, but there’s always room to expand.

Planned Features

Social login: Add “Sign in with Google” and “Sign in with GitHub” for better UX

Passwordless authentication: Implement magic link and WebAuthn/passkey support

Multi-factor authentication: SMS, TOTP, and hardware key support

User management UI: Web console for admins to manage users, clients, and view audit logs

Terraform configuration: Replace manual AWS console setup with infrastructure-as-code

Automated penetration testing: Integrate security scanning into CI/CD pipeline

Scaling Considerations

Current architecture handles ~1 million requests/month comfortably. To scale to 10 million+:

• Enable DynamoDB auto-scaling or switch to provisioned capacity for predictable pricing
• Add Lambda reserved concurrency to prevent throttling during spikes
• Use CloudFront in front of Cloudflare for additional caching (static assets, JWKS)
• Shard DynamoDB tables by tenant_id if any single tenant grows too large
• Add read replicas via DynamoDB Global Tables for multi-region deployments

At 100 million requests/month, costs would rise to approximately €150/month—still 50% cheaper than Auth0’s enterprise tier.

Conclusion

Building idp8.com proved that you don’t need a huge budget or enterprise SaaS to run a production-grade OAuth2 provider that meets EU compliance requirements. With serverless AWS architecture and Cloudflare’s free security features, I achieved:

• €20/month operating costs (vs €200+ for Auth0)
• Full GDPR and EU Consumer Act compliance
• Complete control over user data and authentication flows
• Enterprise-grade security (bot protection, DDoS mitigation, rate limiting)
• Scalability to handle traffic spikes without configuration

The key lessons:

• Serverless pricing aligns perfectly with unpredictable auth traffic patterns
• Cloudflare’s free tier provides security features that would cost thousands to build
• EU compliance is achievable with careful planning and documentation
• OAuth2 is complex but manageable if you study the specs and best practices
• Building is significantly cheaper when you have AWS skills and predictable scale

For solo developers and bootstrapped startups, this pattern is repeatable: use AWS serverless for compute/storage, Cloudflare for security/edge, and invest time in understanding the domain (OAuth2, compliance) rather than paying for a managed service.

If you’re building a SaaS and need authentication, consider whether Auth0’s convenience is worth 10-12x the cost. For many technical founders, the answer is no—and building might be the better path.

Now go build your own OAuth2 provider (or adapt this pattern for your authentication needs). Your wallet and compliance auditors will thank you.