DEV Community

Moritz

How do you handle authentication?

Hello everyone,

I'm currently in the process of planning a new application with the goal of learning something about using microservices in practice. One major topic, no matter what architecture I'd choose, is obviously security, which starts with a secure login function. This is already a challenge when building monoliths, but seems to increase in complexity when talking about microservices.
I considered only using 3rd-party login providers like Google, Facebook, etc., but since I'm targeting less tech-savvy users, I think that might scare them off. So having at least the option to log in with email+password is a requirement. I've been researching this topic for a while and I found some best practices that also confused me a bit.

Most resources I found seem to recommend OpenID Connect for (official) applications and the use of an identity server implementation like Keycloak or IdentityServer4, so I started digging deeper and found out about the different OAuth authentication flows that exist and how they differ. One of the major differences was the use case.
Some flows (authorization code flow) were only meant for traditional web apps where a web server makes API requests on behalf of a user. Others were meant for SPAs and native mobile apps, so that is what I was looking for.

For the use case of a native mobile app, using the authorization code flow with PKCE is considered best practice. However, using this flow requires redirecting the user to an authorization site on the identity server, which I don't mind doing for the web app. But for the mobile app, I'm afraid this would totally break the user experience, so here I am looking for other options.

How do you handle user logins in your applications? Do you have any experiences or tools to share? Do you implement the logic yourself or are you using options like Keycloak, Auth0, etc.?
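The post mentions the authorization code flow with PKCE for native apps without showing what the PKCE part actually does. The following is an added example, not code from the post, from Keycloak, IdentityServer4 or any other identity server: it computes the RFC 7636 code_verifier and S256 code_challenge on the client side, and `ToyAuthorizationServer` is an assumed, in-memory stand-in for the identity server's authorize and token endpoints that performs the check. The point it demonstrates is that the browser redirect only ever carries the challenge, so a party that captures the authorization code but not the verifier cannot redeem it.

```python
import base64
import hashlib
import hmac
import secrets

# --- Client side (the native app or SPA) ---------------------------------

def make_code_verifier(n_bytes: int = 32) -> str:
    """Random high-entropy verifier. base64url of 32 random bytes is 43 chars,
    which satisfies RFC 7636's 43..128 length rule and its character set."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """S256 method from RFC 7636: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# --- Authorization server side (assumed toy model, not a real server) ----

class ToyAuthorizationServer:
    """Minimal stand-in for the two endpoints involved. A real server also
    validates client_id, redirect_uri, state and scope; this only models PKCE."""

    def __init__(self):
        self._pending = {}  # authorization code -> (code_challenge, method)

    def authorize(self, code_challenge: str, method: str) -> str:
        # The redirect through the browser carries only the challenge, never the verifier.
        code = secrets.token_urlsafe(24)
        self._pending[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: str):
        # Codes are single-use: pop so a replayed code fails even with the right verifier.
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        challenge, method = entry
        if method != "S256":  # refuse the weaker "plain" method outright
            return None
        if not 43 <= len(code_verifier) <= 128:
            return None
        # Constant-time comparison so the check does not leak via timing.
        if not hmac.compare_digest(code_challenge_s256(code_verifier), challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_exchange(server: ToyAuthorizationServer, intercepted: bool = False):
    """Full client <-> server round trip. With intercepted=True the party that
    redeems the code does not hold the verifier, which is exactly the case PKCE
    is designed to make fail."""
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    code = server.authorize(challenge, "S256")       # step 1: authorization request
    presented = make_code_verifier() if intercepted else verifier
    return server.token(code, presented)             # step 2: token request


if __name__ == "__main__":
    srv = ToyAuthorizationServer()
    print("honest client gets a token:", run_exchange(srv) is not None)
    print("code without verifier gets:", run_exchange(srv, intercepted=True))
```

The constants in the test below come from RFC 7636 Appendix B, so the S256 computation can be checked against the standard rather than against itself.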

Top comments (2)

kevin

Hello,

In my case I use JWT with Auth0 for a Symfony/Vue.js app; I use Auth0 (auth0.com/).

1. Login page
2. A JWT token with information (mail, name) is generated
3. When I receive a request in the backend from the front end with the token, I decrypt the token with the class provided by Auth0 and check permissions.

I recommend using JWT; if someone takes your JWT token they can't do anything because it is encrypted.

Putri Karunia

Hi Moritz, we built Cotter, a passwordless login provider for websites and apps targeted at less tech-savvy users by eliminating passwords.

Users can simply log in with an OTP or magic link sent to their email, SMS, or WhatsApp. This is the method that big apps use in developing countries (like Rappi and Gojek) because it reduces friction when the user tries to log in, since they won't "forget their password".

You can embed Cotter on your webpage so it doesn't need a redirection. For mobile apps, we do use the PKCE flow in which case the SDK will show an in-app browser for the user to enter the OTP before redirecting back to your app.

Both the login forms on the website and the in-app browsers in mobile apps are fully customizable to follow your UI theme, so it shouldn't break the user experience. PKCE is also the recommended flow for mobile apps based on OAuth 2.0, so there aren't many alternative ways to do it securely.