Good day devs.
I have been thinking about this, and I want to know what you think, or your experience with it.
I basically want to create a user authentication system, do you think social Authentication is okay or should I do a basic registration->login flow. I am mindful of issues that may arise in the future.
Thanks, I would really love to hear from anyone.
Oldest comments (4)
As a penetration tester, some of the most common and most impactful ways to screw up your site is to make a mistake with authentication. Outsourcing that to 3rd parties - whether it's social logins like Google/Facebook with Auth0 or AWS Cognito or whatever - is a good move. It's just something that gets done wrong so often it's not worth it. Those social logins are typically not providing the 3rd party with any information besides that the user uses your site, so there's no privacy issue - probably. You should double check with each social login provider.
Regardless of the authentication mechanism you use, don't forget about authorization! Authentication from the social login tells you someone is who they say they are, but authorization determines if that person is allowed to access the resource they're requesting. Like someone else's profile data, or a restricted admin endpoint.
Thank you for your response, really helpful.
I am also curious to why dev.to chose to ignore potential users without social accounts, conversely should you put the two alternatives i.e. login with social accounts and login without social accounts together?
Social authentication is convenient. You don't need to worry about storing passwords.
Of course the problem is what if a potential user doesn't have any of your options. You'd either say they won't be able to use your platform, or provide them with alternative authentication option.
For example there was an app where we only wanted Instagram users with more than 500 followers to be able to login. Everyone else could browse the app but they couldn't contribute without getting authenticated.