[HN Gopher] Loginsrv: JWT login microservice with back ends like...
___________________________________________________________________

Loginsrv: JWT login microservice with back ends like OAuth2, Google, GitHub

Author : networked
Score  : 47 points
Date   : 2020-05-23 19:21 UTC (3 hours ago)

(HTM) web link (github.com)
(TXT) w3m dump (github.com)

| bhl wrote:
| How do OAuth2 providers like Google and GitHub handle password
| resets or stale data with JWT tokens? Curious because I was
| trying to implement JWT for auth, but might switch to sessions
| now.

| blahbhthrow3748 wrote:
| You basically need to have a revocation list or rely on the
| expiration time being sufficiently short. JWTs are neat for a
| lot of things but I don't think they make sense as a
| replacement for sessions for that reason (where you control the
| server and the client and you want to authenticate users).

| magicalhippo wrote:
| Isn't that the point of the refresh tokens? Auth token is
| short lived, so you get a new one using the refresh token
| without getting the user involved. But then that gives the
| auth server a means to deny that request if the user has
| revoked access?
|
| Or am I misremembering?

| korijn wrote:
| Awesome! Are there any other open source microservices fulfilling
| similar purposes? I've been looking all over the place. I decided
| to go with keycloak and keycloak-gatekeeper after failing to find
| anything less heavyweight.

| tlarkworthy wrote:
| I made one myself for internal gsuite auth
| https://futurice.com/blog/identity-aware-proxy-for-google-cl...
|
| There is a branch with slack integration in progress ATM.

| yannikyeo wrote:
| This post appeared while I was searching just now for similar
| tools, and I came across FusionAuth and Keratin Authn. I haven't
| yet looked into the details.

| miohtama wrote:
| This looks brilliant. I could see loginsrv as a drop-in
| replacement for a SaaS product offering the same functionality,
| like Xsolla.
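The bhl / blahbhthrow3748 / magicalhippo subthread above is really describing one mechanism: short-lived JWT access tokens, a server-side revocation list for the cases expiry alone does not cover, and opaque refresh tokens the auth server can refuse to honour. The following is an added example (not loginsrv's code, and not from any commenter) that wires those three pieces together in plain Python with the standard library only; the key, token lifetime and the in-memory stores are assumptions for the demo.

```python
import base64, hashlib, hmac, json, secrets, time
SECRET = b"constructed-demo-key"  # assumption: HS256 key shared by issuer and verifier
ACCESS_TTL = 300                  # short-lived access token, in seconds
denylist = set()                  # revocation list keyed by jti
issued = {}                       # username -> jti values not yet expired, for bulk revocation
refresh_store = {}                # opaque refresh token -> username (server-side state)

def _b64(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_access_token(username, now=None):
    now = int(time.time() if now is None else now)
    jti = secrets.token_hex(8)
    issued.setdefault(username, set()).add(jti)
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64(json.dumps({"sub": username, "exp": now + ACCESS_TTL, "jti": jti}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_access_token(token, now=None):  # returns the claims, or None if the token is rejected
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None               # bad signature; checked before trusting any header field
    if json.loads(_unb64(header)).get("alg") != "HS256":
        return None               # refuse alg confusion such as "none"
    claims = json.loads(_unb64(payload))
    if claims["exp"] <= now or claims["jti"] in denylist:
        return None               # expired, or revoked before expiry
    return claims

def issue_refresh_token(username):
    rt = secrets.token_urlsafe(32)
    refresh_store[rt] = username
    return rt

def refresh(rt, now=None):  # trade a refresh token for a new access token; rotate the refresh token
    username = refresh_store.pop(rt, None)
    if username is None:
        return None               # unknown or already revoked: the auth server denies the refresh
    return mint_access_token(username, now), issue_refresh_token(username)

def reset_password(username):  # revoke the user's unexpired access tokens and all refresh tokens
    denylist.update(issued.pop(username, set()))
    for rt in [r for r, u in refresh_store.items() if u == username]:
        del refresh_store[rt]
```

The point of the split is that the access token can be checked offline by any service holding the key, while a password reset only has to touch the auth server's own state (the denylist and the refresh store) to lock the user's old sessions out within one access-token lifetime.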
| TechBro8615 wrote:
| Looks cool. FYI, the "sign in with google" button breaks the
| google branding guidelines [0]. You must use the colored G logo
| and it must be on a white background.
|
| [0] https://developers.google.com/identity/branding-guidelines

| renke1 wrote:
| Those branding guidelines are formulated vaguely in my opinion:
| What colors are allowed for certain button states (hover,
| focus, etc)? Do I really have to use Roboto? etc.
|
| The assets are also not a good foundation to build a customized
| (yet compliant) button.
|
| I've also seen so many buttons that cannot possibly be
| compliant without those guidelines, but Google doesn't seem to
| care, do they?

| gavinray wrote:
| I was looking through the examples, it seems like there isn't a
| way to use this out-of-the-box with an API service that does
| "/login" and "/signup" by password hash and compare:
|
| - Htpasswd (Dedicated credentials file)
|
| - Simple (user/password pairs by configuration)
|
| - Httpupstream (HTTP API Basic auth configuration)
|
| It mentions "OSIAM" which I'm not familiar with.
|
| Is there a way to use this to "enhance" a basic JWT auth server
| implementation that does a bcrypt/Argon2 hash or hash comparison
| on password with these social-sign-on OAuth providers?
|
| Or any similar library, that would be really useful.

| egberts1 wrote:
| Mmmm, it uses JWT. That went out the window, for me.
|
| My checklist: https://egbert.net/blog/articles/authentication-for-api.html

| eganist wrote:
| egberts1, can you please share your reasons for "DO NOT use
| JWT"? The citation on your blog only links to the wikipedia
| page https://en.wikipedia.org/wiki/JSON_Web_Token rather than a
| resource describing any issues with JWTs specifically.
|
| ...I also have to wonder why no CORS. When properly managed
| (e.g. static-whitelisted allowed origins + allowed credentials
| from/to dedicated domains) and combined with other best
| practices around your web SSO framework of choice, it's fine
| for contexts such as SSO with no back-end sync.

| jugg1es wrote:
| Yeah, there is zero justification in your blog - just
| references to pages describing the technology. I would be
| interested to know what the rationale is.
___________________________________________________________________
(page generated 2020-05-23 23:00 UTC)