I am learning fullstack development but I always get stuck with authentication. Do you know of any frameworks/ways that makes auth super easy to implement?
For further actions, you may consider blocking this person and/or reporting abuse
Top comments (6)
Hi Khair, you might like to add the
#securitytag to this post so a few more people see it that could make suggestions πMy opinions:
Thank you so much Phil! This is actually pretty insightful!
I currently use Nextjs as the main framework for web development.
I will definitely checkout OAuth! By the way, what's your opinion on JWT?
Glad to be of help! I'll have to politely avoid Nextjs specifics though as I've never used a front-end framework (really!)
JWTs? Good for large scale, low latency services where the inherent risk of fixed validity periods is acceptable / manageable through other controls. We used them extensively at my last company to provide horizontal scalability without adding the complexity of Redis or similar authentication caches. Our risk / exposure to fraud etc. due to the lifetime of issued tokens was mitigated through two mechanisms: short (minutes) token lifetime for interactive (web) sessions; for long-term API tokens, a revocation list that services were required to collect every few minutes and check requests against. We did not expect to revoke many tokens (only if customers left within their contract period, or reported compromised tokens), so this scaled well.
We also created an authentication gateway to avoid all of our service teams having to directly interact with multiple authentication technologies (you can buy such gateway services these days from the likes of Auth0, Okta or cloud vendors..) - the gateway team dealt with user authentication and permission mapping (federation through OAuth and SAML, local users, resellers, our own support staff, etc.), to produce documented internal JWTs that our service teams could develop against independent of how the user was authenticated. We spent some time designing the permissions schema to support our existing and future services / APIs, this was probably the hardest part to get right!
That's fascinating to see JWTs in scalability of your company. I never knew JWTs would scale that well.
This is pretty much why JWTs exist π, as a signed, timestamped token they are self-contained, there is no need to go back to a central authority in real time to verify access for every user request, only to check their signature locally against a well-known (public) signing certificate, then apply their permissions to your local service capabilities.
Auth0 have a nice set of docs on JWTs and surrounding ecosystem
That's awesome! I may as well learn JWTs then. Thanks for your insights!