Are you that guy who does email and password for sign-ups? Don't be that guy; you don't have to do this anymore.
Because if that's the case, then you have to build all of the following:
- Verify Email
- Forgot Password
- Encrypt/Decrypt passwords
Open Authorization (OAuth) lets you retrieve the user's information in a secure manner. A passwordless login is more secure, and there is no password to forget.
OAuth doesn't give away your password; instead it uses access tokens to prove an identity.
At your web app (frontend) you have "Sign up with Google" and "Sign up with Facebook".
At your backend you will have a clientId and a clientSecret (provided by the 3rd party, a.k.a. Google or Facebook), which are used to generate a sign-up URL that the backend redirects to. Now you see the 3rd party's login screen. You log in.
After a successful login, the 3rd party sends a request to your backend with the details of the user.
Now you redirect from your backend to the frontend with the user details.
A client ID is the public identifier of your app.
A secret is used to encrypt/decrypt sensitive data and to authorize the app. It should be kept hidden in the backend and only ever be used there to make requests.
When setting up OAuth, the 3rd-party service provides a Developer Portal. This is the only place where you get your IDs and secrets. Here you also have to add a redirect URI, which is the 3rd step above: the 3rd party calls the API you expose at this URL, and the call carries the accessToken and other details.
An access token is used to identify and authorize users. An accessToken always expires after some amount of time.
A refresh token is used to refresh the accessToken. If the accessToken has 1 hr validity, the refresh token may have 24 hrs validity. It avoids making the user log in with the 3rd party frequently just to get new accessTokens.
If you want to carry a specific piece of information through the flow, like a userId, you set it in the state. Whenever the 3rd party calls your backend, the state comes back with the call, so you have the id. In almost all OAuth flows we use state to pass such ids and references.
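As an added example (not code from the original post), here is how a backend can issue the sign-up URL and validate the provider's call to the redirect URI. The provider echoes state back unchanged, so the backend keeps the reference (e.g. a userId) keyed by a random, single-use state value and checks that the returned state is one it actually issued. The endpoint, client ID and redirect URI are constructed placeholders.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical provider endpoint and app registration values (constructed for this example).
AUTH_ENDPOINT = "https://provider.example/o/oauth2/auth"
CLIENT_ID = "example-client-id"  # public identifier of the app
REDIRECT_URI = "https://myapp.example/api/oauth/callback"  # must match the Developer Portal entry
STATE_TTL_SECONDS = 600

# Backend-side store: state -> (reference to carry through the flow, expiry time).
# A real app would keep this in the session store or a database.
pending_states = {}


def build_signup_url(reference, now=None):
    """Build the sign-up URL the backend redirects the browser to; returns (url, state)."""
    now = time.time() if now is None else now
    # The state is an unguessable single-use value. The reference (e.g. a userId) stays
    # on the backend, keyed by that state, rather than travelling in the URL where the
    # browser could alter it. The provider returns the same state on the callback.
    state = secrets.token_urlsafe(32)
    pending_states[state] = (reference, now + STATE_TTL_SECONDS)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email profile",  # request only the data the app needs
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state


def handle_callback(callback_url, now=None):
    """Return (code, reference) for a valid, unexpired, unused state; None otherwise."""
    now = time.time() if now is None else now
    query = parse_qs(urlparse(callback_url).query)
    code = query.get("code", [None])[0]
    state = query.get("state", [None])[0]
    if not code or not state:
        return None
    entry = pending_states.pop(state, None)  # consume: each state works exactly once
    if entry is None:
        return None  # unknown or replayed state: reject the request
    reference, expires_at = entry
    if now > expires_at:
        return None
    # The code is then exchanged for tokens using the clientSecret, which never leaves the backend.
    return code, reference
```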
When setting up OAuth you will be asked for a scope. A scope limits access to certain parts of the user's private data.
For example, Google may share your display name, email and phone, but not other details like date of birth. Scopes provide a way to limit the amount of access granted to an access token.
- There is no need to maintain usernames/passwords.
- No need to validate emails.
- No forgot-password scenarios.
Overall, it just makes our login system easier and more secure.
If nothing works for you, then you should try Magic Links, but that's for another day.
If you are here, it means you may have enjoyed reading this blog. Just follow me @shrihari, which will motivate me to write more.
You can make a drink Buttermilk 🥛. Small support comes a long way!
Subscribe if you want to receive these blogs in your mail from @Medium for free!