I would like to show today more about this great identity solution that I've been working on these days.
Auth0 widget gives you a fully customizable, enterprise-ready login/registration box with just a few lines of JavaScript, Java, Swift, or many other languages. The idea behind Auth0 identity as a service solution is to remove from your developers and time wasted with concerns about the authentication and authorization process. That alleviates and help the engineering team to focus on what is more important to the business.
Auth0 has many options for authentication, but by default, it uses OpenID connect to generate what we call IDToken and then, for authorization it uses OAuth protocol that generates and exchanges the AccessToken.
As I presented in my previous article here it's how OAuth flow works:
Here we have the most common grants and flows base on the application need:
What are the different type of apps:
1-Mobile/Native App
- GRANT: Authorization Code using PKCE - Proof Key for Code Exchange.
- Flow:
1.1- Native APP(client) call /authorize endpoint
1.2-Auth0 redirects with authorization_code in the querystring.
1.3- Native app sends the authorization_code,code_verifier, redirect_Uri,and clientIDto Auth0.
Using the /oauth/token endpoint
1.4-Auth0 validates this information and returns access_token(opt: refresh_token)
1.5-The native app can use the access_token to call the API on behalf of the user.
2-Single Page App
- GRANT: Implicit
- Flow:
1- The app initiates the flow and redirects the browser to Auth0(using /authorize endpoint),
so the user can authenticate.
2-Auth0 authenticates the user. The first time the user goes through this flow a consent page
will be shown where the permissions, that will be given to the application, are listed. For example:
post_messages, list contacts, and others.
3-Auth0 redirects the user to the app with an access_token(and optionally and id_token) in the hash
fragment of the URI. The app can extract the tokens from the hash fragment.
NOTE: In Single PAge application(SPA) this would be done using javascript and in a mobile application
this is typically handled by interacting with a Web View.
4- The app can use the access_token to call API on behalf of the user.
3-Web App
- GRANT: Authorization Code
- Flow:
1- The Web app initiates the flow and redirects the browser to Auth0(specifically to the /authorize endpoint).
So the user can be authenticated.
2- Auth0 authenticates the user, via the browser. The first time the user goes through this flow a consent the page will be shown where the permissions are listed that will be given to the application.
For example post messages, list contacts and so forth.
3-Auth0 redirects the user to the web app(specifically to redirect_uri, as specified in the
/authorize request) with an authorization code in the query string(code).
4-The web app sends the authorization code to Auth0 and asks to exchange it with an access_token
(and optionally an id_token and a refresh_token). This is done using the Cliend id and Client secret.
5- Auth0 authenticates the web app, validates the authorization code and responds back with the token.
6- The web app can use the access_token to call API on behalf of the user.
Benefits:
- Almost any web app you use is going to perform authentication. This is table stakes, and there are a lot of cookie-cutter solutions for various frameworks but can be hard to get it right and secure. One less thing to maintain and worry about when you are building your product. Their starter free plan is sufficient for most startups' needs.
- Auth0 has got SDKs in various languages and a ton of documentation. It's easy to integrate it with your demand.
- It provides compliance with various standards(Ex: HIPAA) if that's a key requirement for your outcome.
Summary:
Learn that you are offloading your whole user data to a 3rd party app in exchange for extensibility. They do offer a way to migrate this data back to your app in case you need it, thus avoiding any vendor lock-in. In my next article, I am going provide code examples that I did integrate this excellent identity solution with my IOS, Java and NodeJS apps. Stay tuned.
Happy coding,
Thiago Leoncio.
No comments:
Post a Comment