Ideal Authentication in your JavaScript Application

Transcript

1. Ideal Authentication in your JavaScript Application Meme-driven knowledge sharing. Volodymyr

   Rudyi Almost

2. ABOUT ME CEO of AgileVision.io and CTO of Agile Cashflow.

   Professionally developing software for the last 7 years. Designing architectures for SaaS solutions. AWS-Certified Solutions Architect. Creates SaaS Products Is a SaaS Product

3. Authentication — a process of verifying the identity. Air Force

   Photo/Paul Zadach

4. Authorization — a process of defining access policy for some

   resource.

5. Authentication Most likely You are doing it wrong

6. Even if not anyway... You may be in danger

7. Before you can authenticate you need to implement 1. Registration

   flow. 2. Password reset flow. 3. Credentials Validation 4. Error Handling 5. Error Messages 6. Localization 7. Brute-force attacks protection 8. Email templates

8. After user authenticates, you need to think about 1. “Remember

   me” feature 2. Deleting or blocking/suspending users 3. Event log 4. Anomaly Detection 5. MFA 6. Global logout 7. Scaling

9. Implementation Approaches Let’s see... I will write it myself

10. Pros • Flexible Cons • Huge effort • Difficult to

    maintain • Requires “low-level” testing • Insecure in many cases • Not reusable Public domain image from Wikimedia.org DIY Approach Closer Look

11. Popular Tools to Create Custom Authentication Passport.js

12. Implementation Approaches Let’s see... Pre-Packaged Platform

13. Third-party, self-hosted Pros • Flexible, especially if open-source • Moderate

    implementation effort • Many of bugs made suffer other users (Maybe those will be fixed)

14. Third-party, self-hosted Cons • Learning curve may be steep •

    Proprietary self-hosted solutions can be expensive • Maintenance required • Vendor lock-in

15. Popular self-hosted authentication providers Open-source Proprietary

16. Implementation Approaches Let’s see... AaaS Solution*

17. Authentication as a Service Pros • Almost zero time-to-market •

    Per-user pricing • Low implementation costs • Low maintenance • Tight integration with PaaS where applicable • Often compliant with many regulations, even local ones

18. Authentication as a Service Cons • Vendor lock-in • Per-user

    pricing • Availability is not under control • A gap in support between you and your users. Anything that happens on AaaS side can’t be resolved by anyone but the owner • Limited customization

19. Popular Authentication Services

20. What you should take into account? • Platforms support •

    Migration path • Backup options • Compliance • Implementation cost • License/subscription cost • Implementation timeline, including security audits (Hello, Google!) • Availability, especially past incidents • Support

21. How to think? 1. Prefer Authentication as a Service over

    anything else. 2. Prefer open-source over proprietary self-hosted. 3. Do custom implementation only if there is no other choice or it’s for testing/PoC

22. Authentication Service Market Overview

23. Auth0 Overview • Provided by a company, focused on the

    authentication and authorization service • Integrates well with different platforms and languages • Provides Hosted UI • Client-side and server-side SDKs • MFA Support • Passwordless/OTP sign-in • Self-hosted enterprise version for setups with such requirements

24. Auth0 Weaknesses • Standalone product, thus requires additional integration to

    your infrastructure • Not so fast support for lower tier subscriptions • Powerful, but somewhat complicated • HIPAA and other compliance is available only for enterprise license tier

25. AWS Cognito Overview • Provided as a part of the

    Amazon Web Services(AWS) Platform • Supports OIDC and SAML Federation • Supports web, iOS and Android clients • Provides client-side and server-side SDKs • Deeply integrated with AWS services and can issue tokens to access • Supports Hosted UI • Supports MFA • HIPAA, PCI DSS compliant out of the box • OIDC and SAML Support

26. AWS Cognito Weaknesses • Hosted UI is not very customizable.

    Only logo and several colors can be changed • There is no such thing as action email/action link, besides the standard registration/reset flow. Invitation emails are not first class citizens • API is very slow • Default API rate limits are low • Search API is not usable, unless you are happy with basic search capabilities by name and email • Too few “ready-to-use” integrations for external systems

27. Firebase Overview • Integrates well with the Firebase(obviously) • Provides

    SDKs for many platforms, including C++ and Unity • Flexible email configuration and email actions

28. Firebase Weaknesses • HIPAA Compliance (there are workaro • No

    SAML support out-of-the-box

29. Live coding session Almost

30. Flutter and Svelte Auth0 Example

31. Flutter Example from https://github.com/devdennysegura/flutter-auth0

32. Vue App

33. Public domain image from Wikimedia.org Bonus Slide Pricing Comparison. Rough

    Estimates Auth0 AWS Cognito Okta Firebase 1K $23/mo $0/mo $0/mo Free* 10K $228/mo $0/mo $200/mo Free* 50K $1140/mo $0/mo $1000/m o Free*

34. Questions?

35. Thanks! [email protected] https://agilevision.io