Khair Alanam
What is the easiest way to do auth?

I am learning fullstack development but I always get stuck with authentication. Do you know of any frameworks/ways that make auth super easy to implement?

Phil Ashby

Hi Khair, you might like to add the #security tag to this post so a few more people see it that could make suggestions 😁

My opinions:

  • avoid it if possible (eg: online shops often delay until checkout, and offer unauthenticated purchase)
  • make it someone else's problem (use federation / OAuth for social logins), there will often be a library for this available in your chosen stack, and integration services like: oauth.io/ that do all the ugly bits.
  • use whatever is built-in to your stack (eg: asp.net comes with learn.microsoft.com/en-us/aspnet/c...) before attempting to bolt on 3rd party solutions.
Khair Alanam

Thank you so much Phil! This is actually pretty insightful!

I currently use Nextjs as the main framework for web development.

I will definitely check out OAuth! By the way, what's your opinion on JWT?

Phil Ashby

Glad to be of help! I'll have to politely avoid Nextjs specifics though as I've never used a front-end framework (really!)

JWTs? Good for large scale, low latency services where the inherent risk of fixed validity periods is acceptable / manageable through other controls. We used them extensively at my last company to provide horizontal scalability without adding the complexity of Redis or similar authentication caches. Our risk / exposure to fraud etc. due to the lifetime of issued tokens was mitigated through two mechanisms: short (minutes) token lifetime for interactive (web) sessions; for long-term API tokens, a revocation list that services were required to collect every few minutes and check requests against. We did not expect to revoke many tokens (only if customers left within their contract period, or reported compromised tokens), so this scaled well.

We also created an authentication gateway to avoid all of our service teams having to directly interact with multiple authentication technologies (you can buy such gateway services these days from the likes of Auth0, Okta or cloud vendors) - the gateway team dealt with user authentication and permission mapping (federation through OAuth and SAML, local users, resellers, our own support staff, etc.), to produce documented internal JWTs that our service teams could develop against independent of how the user was authenticated. We spent some time designing the permissions schema to support our existing and future services / APIs; this was probably the hardest part to get right!

Khair Alanam

It's fascinating to see JWTs used for scalability at your company. I never knew JWTs would scale that well.

Phil Ashby

This is pretty much why JWTs exist 😁. As a signed, timestamped token they are self-contained: there is no need to go back to a central authority in real time to verify access for every user request, only to check their signature locally against a well-known (public) signing certificate, then apply their permissions to your local service capabilities.

Auth0 have a nice set of docs on JWTs and the surrounding ecosystem.

Khair Alanam

That's awesome! I may as well learn JWTs then. Thanks for your insights!