Ideal Authentication in your JavaScript Application

From this talk you'll learn how to implement a secure and reliable authentication mechanism in your JavaScript applications.
I'll go through popular "Authentication as a Service" providers and show how you can use them in JavaScript applications.
Finally, I'll show you how to add extra security measures to your application, such as multi-factor authentication, without hassle.

Volodymyr Rudyi

November 08, 2019

Transcript

  1. Ideal Authentication in your JavaScript Application
    Meme-driven knowledge sharing.
    Volodymyr Rudyi
    Almost

  2. ABOUT ME
    CEO of AgileVision.io and CTO of Agile Cashflow.
    Professionally developing software for the last 7 years. Designing architectures for SaaS solutions.
    AWS-Certified Solutions Architect.
    Creates SaaS Products
    Is a SaaS Product

  3. Authentication — a process of verifying the identity.
    Air Force Photo/Paul Zadach

  4. Authorization — a process of defining an access policy for some resource.

  5. Authentication
    Most likely you are doing it wrong

  6. Even if not anyway...
    You may be in danger

  7. Before you can authenticate, you need to implement
    1. Registration flow
    2. Password reset flow
    3. Credential validation
    4. Error handling
    5. Error messages
    6. Localization
    7. Brute-force attack protection
    8. Email templates

  8. After user authenticates, you need to think about
    1. “Remember me” feature
    2. Deleting or blocking/suspending users
    3. Event log
    4. Anomaly Detection
    5. MFA
    6. Global logout
    7. Scaling

  9. Implementation Approaches
    Let’s see...
    I will write it myself

  10. DIY Approach: Closer Look
    Pros
    ● Flexible
    Cons
    ● Huge effort
    ● Difficult to maintain
    ● Requires “low-level” testing
    ● Insecure in many cases
    ● Not reusable
    Public domain image from Wikimedia.org

  11. Popular Tools to Create Custom Authentication
    Passport.js

  12. Implementation Approaches
    Let’s see...
    Pre-Packaged Platform

  13. Third-party, self-hosted
    Pros
    ● Flexible, especially if open-source
    ● Moderate implementation effort
    ● Many bugs have already been hit by other users (maybe they are fixed by now)

  14. Third-party, self-hosted
    Cons
    ● Learning curve may be steep
    ● Proprietary self-hosted solutions can be expensive
    ● Maintenance required
    ● Vendor lock-in

  15. Popular self-hosted authentication providers
    Open-source
    Proprietary

  16. Implementation Approaches
    Let’s see...
    AaaS Solution*

  17. Authentication as a Service
    Pros
    ● Almost zero time-to-market
    ● Per-user pricing
    ● Low implementation costs
    ● Low maintenance
    ● Tight integration with PaaS where applicable
    ● Often compliant with many regulations, even local ones

  18. Authentication as a Service
    Cons
    ● Vendor lock-in
    ● Per-user pricing
    ● Availability is not under your control
    ● A gap in support between you and your users. Anything that happens on the AaaS side can’t be resolved by anyone but the owner
    ● Limited customization

  19. Popular Authentication Services

  20. What should you take into account?
    ● Platform support
    ● Migration path
    ● Backup options
    ● Compliance
    ● Implementation cost
    ● License/subscription cost
    ● Implementation timeline, including security audits (Hello, Google!)
    ● Availability, especially past incidents
    ● Support

  21. How to think?
    1. Prefer Authentication as a Service over anything else.
    2. Prefer open-source over proprietary self-hosted.
    3. Do a custom implementation only if there is no other choice or it’s for testing/PoC.

  22. Authentication Service Market Overview

  23. Auth0 Overview
    ● Provided by a company focused on authentication and authorization as a service
    ● Integrates well with different platforms and languages
    ● Provides Hosted UI
    ● Client-side and server-side SDKs
    ● MFA support
    ● Passwordless/OTP sign-in
    ● Self-hosted enterprise version for setups with such requirements

  24. Auth0 Weaknesses
    ● Standalone product, thus requires additional integration with your infrastructure
    ● Slow support for lower-tier subscriptions
    ● Powerful, but somewhat complicated
    ● HIPAA and other compliance is available only on the enterprise license tier

  25. AWS Cognito Overview
    ● Provided as a part of the Amazon Web Services (AWS) platform
    ● Supports OIDC and SAML federation
    ● Supports web, iOS and Android clients
    ● Provides client-side and server-side SDKs
    ● Deeply integrated with AWS services and can issue tokens to access
    ● Supports Hosted UI
    ● Supports MFA
    ● HIPAA, PCI DSS compliant out of the box
    ● OIDC and SAML support

  26. AWS Cognito Weaknesses
    ● Hosted UI is not very customizable. Only the logo and several colors can be changed
    ● There is no such thing as an action email/action link besides the standard registration/reset flow. Invitation emails are not first-class citizens
    ● API is very slow
    ● Default API rate limits are low
    ● Search API is not usable, unless you are happy with basic search capabilities by name and email
    ● Too few “ready-to-use” integrations for external systems

  27. Firebase Overview
    ● Integrates well with Firebase (obviously)
    ● Provides SDKs for many platforms, including C++ and Unity
    ● Flexible email configuration and email actions

  28. Firebase Weaknesses
    ● HIPAA Compliance (there are workaro
    ● No SAML support out-of-the-box

  29. Live coding session
    Almost

  30. Flutter and Svelte Auth0 Example

  31. Flutter
    Example from https://github.com/devdennysegura/flutter-auth0

  32. Vue App

  33. Bonus Slide
    Pricing Comparison. Rough Estimates
    Public domain image from Wikimedia.org
    Users   Auth0       AWS Cognito   Okta        Firebase
    1K      $23/mo      $0/mo         $0/mo       Free*
    10K     $228/mo     $0/mo         $200/mo     Free*
    50K     $1140/mo    $0/mo         $1000/mo    Free*

  34. Questions?

  35. Thanks!
    [email protected]
    https://agilevision.io
