DEV Community

Discussion on: How to Sign-In with Google in Angular and use JWT based ASP.NET Core C# API Authentication (RSA)

Aakash Sethi

Hey Christian, thanks for the great write-up!

I was able to follow along easily and understood it well. I do have a few questions though that maybe you could answer if you have some time?

  1. Is it recommended to have a separate authentication service API? I'm familiar with microservices architecture, but for a project small enough, is it a good idea to create the authentication flow in that singular API?

  2. Should we initiate social authentication from the client always, or could I do it from the backend API? Say I just place a button on the frontend, "Sign In with Google", which just calls an API method on the backend to initiate the auth flow. How would that work? I'm thinking of doing this so that I can keep all the Client IDs and Client Secrets (for Google, Facebook, Spotify, etc.) hidden away from the client and tucked away somewhere safe in my backend server/secret vault.

Christian Zink

Hello Aakash,

Thank you for your feedback.

I will try to answer your questions. But these are only my personal opinions, so you should do your own research, too.

  1. I would use a single microservice that handles everything regarding users and authentication: login with Google, Facebook, (optional) user signup and user database, creation of application JWTs, etc.

  2. From a security perspective there is no reason to hide the clientID from the user. But handling the flow in the backend would be a security improvement for other reasons. The OAuth flow in the backend is called "Authorization Code Flow" and it will be more secure. But I did not try it myself yet.
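The backend-side Authorization Code Flow mentioned in answer 2, as an added example that is not part of the article or of either comment: an ASP.NET Core minimal API (.NET 6 or later) that starts the Google login and redeems the authorization code itself, so the client secret never reaches the Angular app. The configuration key names, the redirect URI and the endpoint paths are assumptions made for this example.

```csharp
using System.Security.Cryptography;
using System.Text.Json.Serialization;
using Microsoft.Extensions.Caching.Memory;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddHttpClient();
builder.Services.AddMemoryCache();
var app = builder.Build();

// Secrets stay on the server: the configuration keys are chosen for this example.
string clientId = builder.Configuration["Google:ClientId"]!;
string clientSecret = builder.Configuration["Google:ClientSecret"]!;
string redirectUri = "https://api.example.com/auth/google/callback"; // placeholder

// Step 1: the Angular "Sign in with Google" button only links here; no secret needed.
app.MapGet("/auth/google/login", (IMemoryCache cache) =>
{
    // Random, single-use state ties the callback to this login attempt (anti-CSRF).
    string state = Convert.ToHexString(RandomNumberGenerator.GetBytes(16));
    cache.Set(state, true, TimeSpan.FromMinutes(5));
    string url = "https://accounts.google.com/o/oauth2/v2/auth"
        + "?response_type=code&scope=openid%20email%20profile"
        + $"&client_id={Uri.EscapeDataString(clientId)}"
        + $"&redirect_uri={Uri.EscapeDataString(redirectUri)}&state={state}";
    return Results.Redirect(url);
});

// Step 2: Google redirects back with ?code=...&state=...; only the backend redeems the code.
app.MapGet("/auth/google/callback", async (string code, string state,
    IMemoryCache cache, IHttpClientFactory factory) =>
{
    if (!cache.TryGetValue(state, out _)) return Results.BadRequest("unknown state");
    cache.Remove(state);
    var form = new Dictionary<string, string>
    {
        ["code"] = code, ["client_id"] = clientId, ["client_secret"] = clientSecret,
        ["redirect_uri"] = redirectUri, ["grant_type"] = "authorization_code",
    };
    using var response = await factory.CreateClient().PostAsync(
        "https://oauth2.googleapis.com/token", new FormUrlEncodedContent(form));
    if (!response.IsSuccessStatusCode) return Results.Unauthorized();
    var tokens = await response.Content.ReadFromJsonAsync<TokenResponse>();
    // Validate tokens.IdToken (issuer, audience == clientId, signature via Google's JWKS,
    // expiry) exactly as the article does for the client-supplied token, then issue the
    // application's own RSA-signed JWT. That step is unchanged from the article and omitted here.
    return tokens?.IdToken is null ? Results.Unauthorized() : Results.Ok("id_token received");
});

app.Run();
record TokenResponse([property: JsonPropertyName("id_token")] string? IdToken);
```

The client secret is used only inside the callback handler, and the state value is consumed once, so a callback that does not carry a state this server issued is rejected before any token request is made.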