Authentication done right: Consuming (and Serving) OAuth 2.0
Submitted by Arnav Gupta (@championswimmer) on Friday, 2 February 2018
Technical level: Advanced
Your brand has multiple products on the web. They all need authentication, and obviously you would maintain a common authentication and user database for all of them.
Also, in this age, you cannot make a login system without
Login with [Facebook|Google|Twitter|...]
For the second, you need to consume OAuth 2.0 (now the industry standard); for the first, you need to build your own OAuth server.
And you want all of this to happen securely (so yes, little to no frontend JS).
This talk is nothing but my journey of building oneauth
Even before we had a tech team, I knew we would be building at least two very disconnected products that nevertheless share a common authentication mechanism. My search for a reference took me to HasGeek's own Lastuser.
I eventually wrote my own in NodeJS, which uses a lot of open source tools from Auth0 (including the famous Passport.js)
We also had a lot of users with accounts on an older website. Our new website seamlessly migrates them when they log in on the new website for the first time.
What we will cover is -
- Usual local authentication (email + username + password)
- Best practices (no frontend JS, bcrypt-hashed passwords, project structure)
- Consuming OAuth from Facebook/Twitter/GitHub or others
- Connecting existing account to social logins
- Fallback strategies (migrating users silently from old website without showing them)
- Building your own OAuth 2.0 server
- Consuming your own OAuth in your clients (web and/or mobile)
- Deduplicating users without all hell breaking loose
- Maintaining state across login logic (returnTo, redirectTo)
Some important theory covered will be -
- Authentication vs Authorization (without the Aadhaar debate ;P )
- Authentication via Authorization (OpenID Connect)
- OpenID vs OAuth
- OAuth 1.0 vs OAuth 2.0
- Implicit vs Explicit Authorization (serverless vs with-server consumers)
- Cookies vs Tokens
- Tokens (opaque Bearer vs JWT: keeping server-side deauthorization capability)
- Token Refreshing logic
Our story is that of a typical startup turning half-baked PoCs and MVPs into production-ready websites.
We did not verify emails, or even have a unique email address column, from the beginning. How to bake those in post facto (without destroying everyone's accounts) will also feature in my talk.
Arnav Gupta is the Co-Founder of Coding Blocks, an online + offline software development bootcamp, based out of New Delhi, where he mentors Android and NodeJS students.
He has been tinkering with Android, NodeJS and electronics since school and has contributed to open source projects such as the Android OS (AOSP), the Arduino IDE and FOSSASIA Open Event.
Arnav has been a speaker at many national and international conferences including FOSSASIA, DroidCon India, JsFoo, Fragments, MODS, Devfest Russia and OSDConf.