[HN Gopher] Loginsrv: JWT login microservice with back ends like...
       ___________________________________________________________________
        
       Loginsrv: JWT login microservice with back ends like OAuth2,
       Google, GitHub
        
       Author : networked
       Score  : 47 points
       Date   : 2020-05-23 19:21 UTC (3 hours ago)
        
 (HTM) web link (github.com)
 (TXT) w3m dump (github.com)
        
       | bhl wrote:
       | How do OAuth2 providers like Google and GitHub handle password
       | resets or stale data with JWT tokens? Curious because I was
       | trying to implement JWT for auth, but might switch to sessions
       | now.
        
         | blahbhthrow3748 wrote:
         | You basically need to have a revocation list or rely on the
         | expiration time being sufficiently short. JWTs are neat for a
         | lot of things but I don't think they make sense as a
         | replacement for sessions for that reason (where you control the
         | server and the client and you want to authenticate users)
        
           | magicalhippo wrote:
           | Isn't that the point of the refresh tokens? Auth token is
           | short lived, so you get a new one using the refresh token
           | without getting the user involved. But then that gives the
           | auth server a means to deny that request if the user has
           | revoked access?
           | 
           | Or am I misremembering?
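The two points above, a revocation list plus a short expiry (blahbhthrow3748) and a refresh token the auth server can refuse once access is revoked (magicalhippo), as an added example that is not part of the thread or of loginsrv's code. It uses only the Python standard library, pins HS256, and keeps two pieces of server-side state that a pure JWT scheme lacks: a deny-list of access-token ids and a store of opaque, single-use refresh tokens. The secret, TTL and stored subjects are constructed values.

```python
"""Short-lived HS256 JWTs with a revocation list and refresh-token rotation (constructed example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

ACCESS_TTL = 300  # assumption: 5-minute access tokens bound how long a stale or stolen token works
SECRET = b"constructed-demo-secret-do-not-use"  # assumption: server-side HMAC key

# Server-side state: revoked access-token ids and the currently valid refresh tokens.
revoked_jti = set()
refresh_tokens = {}  # opaque refresh token -> subject


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(sub: str, now: Optional[float] = None) -> str:
    """Return a compact HS256 JWT carrying a unique jti so it can be revoked individually."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "iat": int(now), "exp": int(now) + ACCESS_TTL, "jti": secrets.token_hex(8)}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature, expiry and the revocation list all pass, else None."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64url(h))
        if header.get("alg") != "HS256":  # never let the token choose the algorithm
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s)):
            return None
        claims = json.loads(_unb64url(p))
    except ValueError:  # malformed base64 or JSON
        return None
    if claims.get("exp", 0) <= now:
        return None
    if claims.get("jti") in revoked_jti:  # the deny-list check a stateless verifier cannot do
        return None
    return claims


def revoke_access_token(token: str) -> None:
    """Deny-list one token's jti; entries can be dropped once that token would have expired anyway."""
    _, p, _ = token.split(".")
    revoked_jti.add(json.loads(_unb64url(p))["jti"])


def issue_refresh_token(sub: str) -> str:
    """Opaque refresh token stored server-side (not a JWT), so the server can deny it at any time."""
    rt = secrets.token_urlsafe(32)
    refresh_tokens[rt] = sub
    return rt


def refresh(rt: str, now: Optional[float] = None):
    """Exchange a valid refresh token for a new access token and a rotated refresh token, or None."""
    sub = refresh_tokens.pop(rt, None)  # single use: rotation limits replay of a leaked token
    if sub is None:
        return None
    return issue_access_token(sub, now), issue_refresh_token(sub)


def revoke_user(sub: str) -> None:
    """Password reset or access revoked: drop every refresh token so no new access tokens are minted."""
    for rt in [rt for rt, s in refresh_tokens.items() if s == sub]:
        del refresh_tokens[rt]


if __name__ == "__main__":
    access, rt = issue_access_token("alice"), issue_refresh_token("alice")
    print("valid:", verify_access_token(access) is not None)
    revoke_user("alice")
    print("refresh after revoke:", refresh(rt))
```

The access token still verifies for up to ACCESS_TTL after `revoke_user`, which is exactly the window the first comment says you must make short; `revoke_access_token` closes it immediately for one token at the cost of a server-side lookup on every request.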
        
       | korijn wrote:
       | Awesome! Are there any other open source microservices fulfilling
       | similar purposes? I've been looking all over the place. I decided
       | to go with keycloak and keycloak-gatekeeper after failing to find
       | anything less heavyweight.
        
         | tlarkworthy wrote:
         | I made one myself for internal gsuite auth
         | https://futurice.com/blog/identity-aware-proxy-for-google-cl...
         | 
         | There is a branch with slack integration in progress ATM
        
         | yannikyeo wrote:
         | This post appeared while I was searching just now for similar
         | tools, and I came across FusionAuth and Keratin Authn. I have
         | not yet looked into the details.
        
       | miohtama wrote:
       | This looks brilliant. I could see loginsrv as a drop-in
       | replacement for SaaS product offering the same functionality,
       | like Xsolla.
        
       | TechBro8615 wrote:
       | Looks cool. FYI, the "sign in with google" button breaks the
       | google branding guidelines [0]. You must use the colored G logo
       | and it must be on a white background.
       | 
       | [0] https://developers.google.com/identity/branding-guidelines
        
         | renke1 wrote:
         | Those branding guidelines are formulated vaguely in my opinion:
         | What colors are allowed for certain button states (hover,
         | focus, etc)? Do I really have to use Roboto? etc.
         | 
         | The assets are also not a good foundation to build a customized
         | (yet compliant) button.
         | 
         | I've also seen so many buttons that cannot possibly be
         | compliant without those guidelines, but Google doesn't seem to
         | care, do they?
        
       | gavinray wrote:
       | I was looking through the examples; it seems like there isn't a
       | way to use this out-of-the-box with an API service that does
       | "/login" and "/signup" by password hash and compare:
       | 
       | - Htpasswd (Dedicated credentials file)
       | 
       | - Simple (user/password pairs by configuration)
       | 
       | - Httpupstream (HTTP API Basic auth configuration)
       | 
       | It mentions "OSIAM" which I'm not familiar with.
       | 
       | Is there a way to use this to "enhance" a basic JWT auth server
       | implementation that does a bcrypt/Argon2 hash or hash comparison
       | on password with these social-sign-on OAuth providers?
       | 
       | Or any similar library, that would be really useful.
        
       | egberts1 wrote:
       | Mmmm, it uses JWT. That went out the window, for me.
       | 
       | My checklist: https://egbert.net/blog/articles/authentication-for-api.html
        
         | eganist wrote:
         | egberts1, can you please share your reasons for "DO NOT use
         | JWT"? The citation on your blog only links to the wikipedia
         | page https://en.wikipedia.org/wiki/JSON_Web_Token rather than a
         | resource describing any issues with JWTs specifically.
         | 
         | ...I also have to wonder why no CORS. When properly managed
         | (e.g. static-whitelisted allowed origins + allowed credentials
         | from/to dedicated domains) and combined with other best
         | practices around your web SSO framework of choice, it's fine
         | for contexts such as SSO with no back-end sync.
        
           | jugg1es wrote:
           | Yeah, there is zero justification in your blog - just
           | references to pages describing the technology. I would be
           | interested to know what the rationale is.
        
       ___________________________________________________________________
       (page generated 2020-05-23 23:00 UTC)