DEV Community

Fernando for The DEV Team


Forem’s Approach to Decentralized Authentication and Authorization

This is the first part in a series that will cover the new Forem Passport service provider, which integrates with the Forem open source software behind DEV and other communities.

A Brief History of Our Authentication Options

Since its early days, DEV has relied solely on external authentication providers (social login) to create and access user accounts. There are pros and cons to that decision, but I’d say it’s working well overall, with 756,805 registered users (and counting!) today.

Since DEV became part of the larger Forem umbrella, we’ve expanded beyond GitHub and Twitter authentication to many other use cases, such as invite-only (private) communities and email+password registration, to name a few.

Despite these new authentication options, our backend implementation of them hasn’t changed much. That’s because we build on OAuth (an open-standard authorization framework; the provider asserts who the user is on top of it) and a polymorphic provider abstraction: every provider that follows the OAuth flow is one implementation of the same interface, describing only what differs, so adding a new provider means adding one implementation rather than touching the shared login flow.

Below, I'll explain how these authentication providers run into external constraints (Apple’s and Facebook’s platform rules), which ultimately led us to build our own authentication provider. If you’re more interested in the implementation (show me the code!), check out the next part in this series, coming soon!

How Forem is Decentralized

Empowering communities by giving ownership to creators (decentralization) is the bedrock of Forem's mission. Anyone who hosts their own Forem site becomes part of the world wide web (WWW), just like any other website. It gets more interesting when we look at the network of Forem sites.

In case you missed it, a while ago we announced that you can now self-host your own Forem. Starting your own community, with ownership of your data and the transparency of open source (much like DEV), is finally possible 🌱

Now that we have a network of sites running Forem's open source community software, we need to build the ecosystem around it. We shipped the Forem iOS app with this in mind.

Forem for iOS lets you browse many different Forem communities in one centralized app on the go. Since the days of our DEV iOS app (soon to be sunsetted), we have enhanced the mobile browsing experience with push notifications and many more features. We've accomplished all of this despite relying on a WebView-based implementation, which can be a sensitive topic at times... but that’s a post for another day 😅

Authentication Hurdles: Apple and Facebook

Since a Creator has full ownership of their Forem, we can’t control which authentication methods they choose to enable (that is the point). Apple, on the other hand, requires everyone who uses its authentication to comply with its guidelines.

We actually ranted (OK, joked) a little about the “SIWA rule” in a DEV Twitch stream a while ago, along with other mobile/ecosystem-related conversations. SIWA is the acronym we use for Sign In With Apple.

Because Apple requires every iOS app that offers social logins to also offer SIWA, the Forem iOS app was being rejected by App Store reviewers whenever they found a Forem listed in the app that, by choice, didn’t have SIWA enabled.

Although it’s less than ideal, we had to hide all social authentication providers when a Forem site doesn’t have SIWA enabled and the page is rendered in the ForemWebView context (meaning inside the mobile app). This is the PR for that, in case you’re curious.

Later, Facebook shut down its OAuth flow in Android WebView contexts. According to them, this was done “for security reasons”. The reasoning holds up: an embedded WebView is controlled by the host app, which can inject script into the provider’s login page and read whatever the user types, so the provider can’t distinguish a legitimate app from a credential-harvesting one; this is also why OAuth 2.0 for Native Apps (RFC 8252) recommends the system browser over embedded user agents. This is the issue where some of that conversation has taken place. Similar to the SIWA situation, we’re not able to show the Facebook auth option there.
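The polymorphic provider approach from the authentication-history section and the two hiding rules above (no social logins in the app without SIWA; no Facebook in an Android WebView), as an added example written for this article. It is not Forem’s code; it is in Ruby because Forem is a Rails application. The class names, `get!`, `visible_providers` and the `:browser`/`:ios_webview`/`:android_webview` context symbols are assumptions, and the callback payload is a constructed OmniAuth-style hash, not a real provider response.

```ruby
# Added example, not Forem's own code. Class names, method names and the
# `context` symbols are assumptions made for illustration.
module Authentication
  module Providers
    # Every OAuth provider adheres to this interface; subclasses describe
    # only what differs (name, social or not, where the username lives).
    class Provider
      USERNAME_KEY = "nickname" # default; subclasses override as needed
      attr_reader :auth_payload

      def initialize(auth_payload)
        @auth_payload = auth_payload
      end

      # Name used in URLs, settings and the database, e.g. "github".
      def self.provider_name
        name.split("::").last.downcase
      end

      # Social logins are the ones Apple's SIWA rule and Facebook's
      # WebView ban apply to.
      def self.social?
        true
      end

      # Normalize the provider-specific callback payload into one shape,
      # so account creation never needs to know which provider it came from.
      def user_data
        {
          provider: self.class.provider_name,
          uid: auth_payload.fetch("uid").to_s,
          username: auth_payload.dig("info", self.class::USERNAME_KEY),
          email: auth_payload.dig("info", "email"),
        }
      end
    end

    class Github < Provider; end
    class Twitter < Provider; end

    class Facebook < Provider
      USERNAME_KEY = "name"
    end

    class Apple < Provider
      USERNAME_KEY = "first_name"
    end

    # Email+password is not a social login, so the rules below never hide it.
    class Email < Provider
      USERNAME_KEY = "email"

      def self.social?
        false
      end
    end

    ALL = [Github, Twitter, Facebook, Apple, Email].freeze
    BY_NAME = ALL.to_h { |klass| [klass.provider_name, klass] }.freeze

    # Allowlisted lookup. Provider names arrive from URLs and params, so
    # resolve them against a fixed table instead of constantizing input.
    def self.get!(provider_name)
      BY_NAME.fetch(provider_name.to_s) do
        raise ArgumentError, "Unknown authentication provider: #{provider_name.inspect}"
      end
    end

    WEBVIEW_CONTEXTS = %i[ios_webview android_webview].freeze

    # Which of a Forem's enabled providers to render for a request.
    # context is :browser, :ios_webview or :android_webview; the last two
    # stand for "rendered inside the mobile app's ForemWebView".
    def self.visible_providers(enabled_names, context:)
      enabled = enabled_names.map { |n| get!(n) }
      in_webview = WEBVIEW_CONTEXTS.include?(context)
      siwa_enabled = enabled.include?(Apple)

      enabled.select do |klass|
        next true unless klass.social?                                  # email+password always shown
        next false if in_webview && !siwa_enabled                       # SIWA rule: no social login in-app without SIWA
        next false if context == :android_webview && klass == Facebook  # Facebook blocks OAuth in Android WebViews
        true
      end.map(&:provider_name)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample callback payload (OmniAuth-style), not a real response.
  payload = { "uid" => 12345, "info" => { "nickname" => "fernando", "email" => "f@example.com" } }
  p Authentication::Providers.get!("github").new(payload).user_data
  p Authentication::Providers.visible_providers(%w[github twitter facebook email], context: :ios_webview)
end
```

The allowlisted `get!` is the part worth copying: the provider name comes from the request, so it must never be turned into a class by string interpolation or `constantize`; resolving it against a fixed table is what keeps the polymorphism from becoming an arbitrary class-loading primitive.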

Authentication on a Decentralized Network of Forem Communities

These challenges led us back to a big-picture idea discussed over a year ago: an SSO solution that works across Forems. The goal is to make authenticating with any Forem site easier, on any platform and in any context. Enter Forem Passport.

OAuth is incredibly powerful and even somewhat democratic, in the sense that each individual user chooses to grant or revoke the permissions they’ve given through the OAuth flow.

The iOS mobile app now integrates directly with Forem Passport, and we’ve started reaching out to creators so they can enable the Forem authentication provider and offer this better experience across platforms.

On some Forem sites like DEV, CodeNewbie and forem.dev, you can already connect your Forem Passport account from your settings, or register a new account directly using the Forem auth provider.

In the next post in this series, I’m going to share the ongoing and upcoming projects we're working on, all of which integrate with the Passport project in one way or another. Read all about it here.

Top comments (2)

Max F. Findel

Hey Ben, this is some great news! I just connected my account but upon redirect I land at https://dev.to/new?i=i&signin=true which breaks the design (CSS fails to load). I think the redirect should be back to settings, right? The same happened when I connected my GitHub account.
New post page with broken CSS

Christopher Wray

Very cool. Sounds like a lot of work!