Since its early days, DEV relied solely on authentication providers to set up and access user accounts. There are pros and cons with that decision, but I’d say it’s working well, overall, with over 756,805 registered users (and counting!) today.
After DEV became part of the larger Forem umbrella, we’ve continued to expand from GitHub and Twitter authentication to allowing many other use cases like invite only (private) or email+password registration, to name a few.
Despite these new authentication options, our backend implementation of them hasn’t changed much. This is because we rely on OAuth (an open-standard authorization protocol/framework) and a polymorphic approach, which allows our team to add new providers that adhere to the OAuth protocol.
Below, I'll explain how these authentication factors connect with external influences (like Apple and Facebook), leading us to build our own authentication provider. If you’re more interested in the implementation (show me the code), check out the next part in this series, coming soon!
Empowering community by giving ownership to creators (decentralization) is the bedrock of Forem's mission. Anyone that hosts their own Forem site becomes part of the world wide web (WWW), just like any other website does. It becomes a bit more interesting when we look at the network of Forem sites.
In case you missed it, a while ago we announced how you can now self-host your own Forem. Starting your own community with data ownership and the transparency of the open source (much like DEV) is finally possible 🌱
Since we now have a network of sites that run Forem's open source community software, we need to work on the ecosystem around it. So we shipped the Forem iOS app with this in mind.
Forem for iOS means that you can browse many different Forem communities in one centralized app on the go. Since the days of our DEV iOS app (soon to be sunsetted), we have enhanced the mobile browser experience with Push Notifications and many more features. Together, we've accomplished all of this despite relying on a WebView-based implementation, which might be a sensitive topic at times... but that’s a post for another day 😅
Since a Creator has full ownership of their Forem, we can’t control the authentication methods they choose to enable (this is the point). Apple, on the other hand, requires everyone using their authentication to comply with their guidelines.
ranted joked a little about the “SIWA rule” in a DEV Twitch Stream a while ago, along with other mobile/ecosystem related conversations. SIWA is the acronym we use for
Sign In With Apple.
Because Apple requires every iOS app that allows for social logins to have SIWA enabled, the Forem iOS app is being rejected by AppStore reviewers when they find some Forems listed in the app don’t have SIWA enabled by choice.
Despite being less than ideal, we had to hide all social authentication providers if the Forem site doesn’t have SIWA enabled within the
ForemWebView context (which means it’s being rendered in a mobile app). This is the PR for that in case you’re curious.
Later, Facebook shut down their OAuth flow protocol in Android WebView contexts. According to them, this was a decision made “for security reasons”. This is the issue where some of this conversation has taken place. Similar to the SIWA situation, we’re not able to show the Facebook auth option.
With these challenges led us back to a big picture idea discussed over year ago: an SSO solution that would work across Forems. The goal is to make authenticating with any Forem site easier — on any platform or context. Enter Forem Passport.
OAuth is incredibly powerful and even somewhat democratic, in the sense that each individual user chooses to authorize or revoke the permissions they’ve given through the OAuth protocol.
The iOS mobile app now integrates directly with Forem Passport and we’ve started to reach out to creators so they can enable the Forem authentication provider to allow for this better experience across platforms.
In the next post in this series, I’m going to share the ongoing and upcoming projects we're working on, all of which integrate with the Passport project in one way or another. Read all about it here