March 24, 2021

Understanding Social Authentication [4/365]

Since I chose to start by integrating authentication into my application, let me briefly explain what authentication is, and then look at how it works from a high level.

For our purpose, authentication is the process of ensuring that visitors of our application really are who they say they are. To ensure this, they usually have to input a secret that only they should know.

Thankfully, we do not have to manage this secret. It can be delegated to an external provider such as Google or Twitter through a protocol called OAuth2. If you’ve ever gone to a website and used a “Login with Google” button, you used OAuth2.

Using OAuth2

The core principle of OAuth2 can be outlined in the following way:

  • The visitor comes to your application and asks to sign up or be logged in using, in this example, Google.
  • They are sent to Google to prove that they are indeed who they claim to be, usually with their password.
  • Google sends back a signed token containing information about your visitor that cannot be forged (at least not easily).
  • You store this secret in your visitor’s browser.
  • When they want to access pages that require authentication, access is granted only if this secret is valid.
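The “Login with Google” button is technically OpenID Connect layered on top of OAuth2, and the signed token in the third step is the OIDC ID token. The example below, added here and not code from the original post, shows the application’s side of those steps: building the redirect to Google with a `state`, a `nonce` and a PKCE challenge, refusing a callback whose `state` does not match, and validating the ID token’s claims once its signature has been checked. The client ID, redirect URI and sample token payload are constructed placeholders; signature verification against Google’s published keys is assumed to be done by a library (for instance google-auth’s `id_token.verify_oauth2_token`) and is not reimplemented here.

```python
"""Added example: the application's side of a "Login with Google" flow.
CLIENT_ID, REDIRECT_URI and the sample claims are constructed placeholders."""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Google's public OpenID Connect values (documented; not secrets).
AUTHORIZATION_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

CLIENT_ID = "example-client-id.apps.googleusercontent.com"  # placeholder
REDIRECT_URI = "https://app.example/auth/callback"          # placeholder


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def start_login(session: dict) -> str:
    """Step 1: build the redirect to Google and remember what must come back.
    `state` ties the callback to this browser session (CSRF protection),
    `nonce` is echoed back inside the ID token, and the PKCE challenge binds
    the later code exchange to this client."""
    session["state"] = secrets.token_urlsafe(32)
    session["nonce"] = secrets.token_urlsafe(32)
    session["code_verifier"] = secrets.token_urlsafe(64)
    challenge = _b64url(hashlib.sha256(session["code_verifier"].encode()).digest())
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid email profile",
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Step 2: Google redirects the browser back with a one-time code.
    Refuse anything whose `state` is not the one this session issued; only
    then is the code worth exchanging (server to server, with code_verifier)."""
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [""])[0]
    expected_state = session.pop("state", None)  # single use
    if not expected_state or not hmac.compare_digest(returned_state, expected_state):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    return query["code"][0]


def validate_id_token_claims(claims: dict, session: dict,
                             now: Optional[float] = None) -> dict:
    """Step 3: the ID token's signature is assumed already verified against
    Google's keys. Signature alone does not prove the token is *for us* and
    *for this login*, so the claims still need these checks."""
    now = time.time() if now is None else now
    if claims.get("iss") not in ISSUERS:
        raise ValueError("token not issued by Google")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token issued for a different application")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    expected_nonce = session.pop("nonce", None)  # single use
    if not expected_nonce or not hmac.compare_digest(claims.get("nonce", ""), expected_nonce):
        raise ValueError("nonce mismatch: token does not belong to this login attempt")
    if not claims.get("email_verified", False):
        raise ValueError("email address not verified by provider")
    # What the application keys its own session on: the stable provider user
    # id (`sub`), never the raw ID token and never the email alone.
    return {"provider": "google", "subject": claims["sub"], "email": claims["email"]}


def demo() -> dict:
    """Happy path with a constructed callback and constructed token claims."""
    session: dict = {}
    start_login(session)
    code = handle_callback(session, f"{REDIRECT_URI}?code=constructed-code&state={session['state']}")
    assert code == "constructed-code"
    claims = {  # constructed stand-in for a decoded, signature-verified ID token
        "iss": "https://accounts.google.com", "aud": CLIENT_ID, "exp": 2_000_000_000,
        "nonce": session["nonce"], "sub": "1234567890",
        "email": "visitor@example.com", "email_verified": True,
    }
    return validate_id_token_claims(claims, session, now=1_700_000_000)


if __name__ == "__main__":
    print(demo())
```

The `state` and `nonce` are popped from the session on first use so a captured callback or token cannot be replayed against the same session, and the comparisons use `hmac.compare_digest` so the checks do not leak timing information. Storing only the `sub` claim in your own session, rather than the ID token itself, is what makes the last bullet above work: your session cookie is what grants access, and it stays valid only as long as you decide.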

Why OAuth2?

Very simply, because it is the fastest option for your visitor, and that makes it a good design decision. You just go to a website, click a button, and you’re in!

If they had to create a password alongside their email, wait for a verification email, then come back to your app, getting started would be a much bumpier experience.

They don’t want to lose time, especially if they are not sold on your product. If it takes more than a few seconds, you can kiss them goodbye.

Why not username/password?

Security-wise, OAuth2 will usually be safer, too. You could implement login/password authentication yourself, but good security practice and usability also require email verification, multi-factor authentication, and a password recovery mechanism. That is without mentioning people who reuse the same password everywhere because it is more convenient, which can lead to compromised accounts.

OAuth providers usually have teams dedicated to ensuring that authentication works well and that the system stays as secure as possible.

Where will I start?

I will start by integrating Google Sign-In. Once I have a working prototype, and if it makes sense to do so, I will add others like GitHub or GitLab, since Requeme will be a tool for infrastructure engineers. I may also add Twitter, simply because a lot of engineers are on it, and testing the tool with their personal account may make sense if they want to sell it to their teams.

Copyright Marin Gilles 2019-2022