Ask HN: How do you currently solve authentication?

114 points by scottmotte, over 5 years ago
There are a lot of different ways to do authentication these days. How do you currently solve for it?

Any tools you swear by? Anything you recommend? Anything you hate? Do you recommend writing it from scratch or using a framework or service?

32 comments

kisamoto, over 5 years ago
Depends on the project:

Firebase Authentication[1] is an excellent, easy add-on for apps (both web and mobile) that I want to get running quickly. It's free, scales, supports lots of social auth providers and can take care of email verification etc.

When I'm building a website it really depends. WordPress and Django have excellent inbuilt authentication and authorization systems. Django's can be quickly expanded to support social providers with `django-allauth`[2].

For everything else I use Keycloak[3] - Red Hat's open source Identity Provider/Single Sign-On which supports OAuth 2.0, OpenID Connect, SAML, themes etc. Documentation and support are relatively good but can be quite overwhelming, especially if you're not used to the relevant standards (knowing the different flows in OAuth 2.0 and which one you want to use).

[Self plug]: I'm building a Keycloak-as-a-Service for those who don't want control of their authentication without the hassle of setting up their own cluster. We're in closed beta at the moment, but if you're interested you can search for "Tromsso keycloak"[4] and leave an email to be invited in.

[1] https://firebase.google.com/docs/auth/

[2] https://github.com/pennersr/django-allauth

[3] https://keycloak.org/

[4] https://tromsso.com/
nujabe, over 5 years ago
Firebase Authentication.

I can't say enough good things about this service, as it has been a game changer for me productivity-wise.

- Supports most of the popular OAuth providers natively, or you can add any custom OAuth system via custom tokens.
- SMS auth, passwordless login (aka magic links).
- Excellent and well maintained client/server SDKs for most of the languages. Makes user management very convenient, including neat things like revoking tokens, cookie session management, linking accounts of users with multiple providers, RBAC via web tokens.
- Tight integration with Firestore. Can have fine-grained security controls on which users can read/write what documents etc.

What takes the cake is Custom Tokens [1]. This is really useful for seamlessly integrating with another authentication system. Would recommend anyone to take a look if they're exploring an auth service.

[1] https://firebase.google.com/docs/auth/admin/create-custom-tokens
vbezhenar, over 5 years ago
I'm storing hashed passwords in the database. I'm writing a POST HTTP handler and storing user info in the session. I don't know why I would use a framework or even a service; it's just a few dozen simple lines of code. I don't use frameworks for simple things. I guess it might make sense when one needs to support login via Google, Facebook, etc.; I'm working on enterprise websites which don't need that.
cs02rm0, over 5 years ago
Last time AWS Cognito, and at least initially, Amplify.

I'd never write it from scratch. It's always a PITA, and there are always significant compromises - do you make people sign up, do you let them use Google/every other available federated login provider, what 2FA options, will it work on a locked-down network, etc.
javajosh, over 5 years ago
Warning: this post is about a speculative design unproven in production. Definitely use the de facto standard framework in any production code you write!

I get so depressed with authentication complexity. Seems to me there are two ways to avoid it: first, write a service that doesn't care about user identity (it is a fun exercise to think of such a thing!), and second, secure messages, not connections or sessions.

Securing messages with public/private key encryption, I believe, is the best possible general approach. Thinking in messages yields the programmer great benefits, not just inside code (it is the cornerstone of the OOP paradigm, after all), but outside of code (message passing is also the cornerstone of distributed programming). Even if you are building a webapp it helps to think in terms of something more general. HTTP becomes just another channel over which messages move. Your app can (and probably will) become sensitive to other channels: email, SMS, webhooks, etc. If you embrace message-level security then you can ignore the channel and deal with the message. Channels may change, but your application code doesn't need to.

For an SPA, the key problem (no pun intended) is that a user's private key is in the user's browser and, in the simplest implementation, accessible by everything on the page. If you're not end-to-end encrypted and don't use 3rd party resources at all (it's possible!) then the naive solution is fine. The most robust solution is to use a browser extension to isolate the private key. The site requests encryption services from the extension.

Another fun and interesting problem is the multi-device user. Do we allow copying the private key, and if not, how do we associate private keys together? I think this is a fun problem from lots of angles, particularly the prospect of your own devices inviting each other to share an identity.
fantyoon, over 5 years ago
I use bcrypt to hash the user password and then store it in a database. When the user wants to log in I use the compare function of the bcrypt library. If the hashes match I set a session cookie.

I suppose if I worked on projects that wanted to support OAuth I would use Passport.js, but I don't know how much I would trust any but the largest packages for that.
domlebo70, over 5 years ago
I use Auth0. Works well enough
chauffer, over 5 years ago
I use https://www.pomerium.io/ for my internal services with Google OAuth. I like it because, unlike oauth-proxy, I can define which users are allowed on which (sub)domains. I run this in Kubernetes and it supports forward authentication, so adding a new service is editing a ConfigMap to let Pomerium know about the domain and its allowed users (support for defining this in the Ingress is coming), and adding a few Ingress annotations.
skyfantom, over 5 years ago
In some Rails projects I use the Devise gem, or a simpler version of my own (salted passwords in the database, and user_id as a JWT in the session store).
kcolford, over 5 years ago
I use Keycloak. It's just like Auth0 except it's self-hosted, and I run it alongside all my other instances.
zwarag, over 5 years ago
I'm not currently solving it that way, but my next side project is definitely going to try out MetaMask as the means of authenticating the user.

A friend of mine showed me some "dapps" (decentralized apps) that he uses (uniswap.io, axieinfinity.com and some others I forgot). They all used MetaMask as the "login platform". The point is that you have your key in this MetaMask plugin that is stored in your browser, and you can sign things. That means you get a challenge from the server and MetaMask then asks you if you want to sign that challenge. The whole onboarding experience was super easy, and you theoretically could use that to pay for some premium features of a service.

I thought that is really cool because you don't need to enter email, username, password and whatnot. You just click authorize and you're in.
clintonb, over 5 years ago
I use Django’s included authentication.
pharaohgeek, over 5 years ago
Simple: don't. Developing a secure authentication service is actually more difficult than it would seem on the surface. I've come to rely on an external authentication service (or, if necessary, a reputable library/framework specifically designed for it). These days my go-to is Keycloak (https://keycloak.org). It supports pretty much everything: standard username/password, MFA, SAML, OIDC, etc. Plus, it's easily deployable within a Docker container, so standing it up is a breeze.
etherio, over 5 years ago
I have been implementing different methods for OAuth:
- building my own handling with hashed passwords stored in the database
- using the fantastic sorcery [0] gem for Rails. It's a lightweight auth solution that allows me to customize many different aspects of auth while providing a solid structure. It also has many submodules that can be added for OAuth, resetting passwords or stronger application security.

[0] https://github.com/sorcery/sorcery/
anonymoushn, over 5 years ago
My users send their password over TLS. I check the password using bcrypt. I assume further communication over the same connection comes from the user.
tooop, over 5 years ago
Laravel built in auth, Socialite for social logins.
forgotmypw, over 5 years ago
I am working on a hyper-open, hyper-compatible, and hyper-accessible forum system with accessibility by historic browsers included in the spec.

I use a multi-layer authentication system with various levels of compatibility, security, and accessibility.

* The default mode is unauthenticated, which allows the user to post plaintext. Optionally, this can be backed by a device fingerprint, which would group all of this user's posts together. This is supported by all post-Mosaic browsers, except perhaps Mosaic 1.0, which does not support HTML forms. (For Mosaic, there is a fallback writing mode, of the form http://example.com/your+message+here)

* There is also a cookie-based authentication system, in which the user asks for a new ID, and the server sets cookies for user id and checksum. The checksum is checked against a server secret via hashing, so no storage of account data is needed on the server. This works with all cookie-supporting browsers.

* The other authentication system is based on PGP, and allows the user to either use in-browser PGP (insecure) or client-based PGP (less insecure) to sign their messages. These messages can be both client-verified and grouped together into a profile on the server.
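The cookie scheme in the second bullet (a user id plus a checksum derived from a server secret, with no account data stored server-side), as an added example that is not part of the original post; the secret value, the cookie names and HMAC-SHA256 as the hash are assumptions:

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed secret for the example; a real server would load it from
# configuration rather than hard-code it (assumption, not from the post).
SERVER_SECRET = b"example-server-secret-do-not-reuse"


def checksum_for(user_id: str) -> str:
    """HMAC-SHA256 of the id under the server secret.

    The server keeps nothing per user: any id whose checksum matches was
    minted by a server holding this secret, and nothing else verifies.
    """
    return hmac.new(SERVER_SECRET, user_id.encode(), hashlib.sha256).hexdigest()


def new_identity() -> dict:
    """Mint a fresh random id and its checksum; both go into cookies."""
    user_id = secrets.token_hex(8)
    return {"uid": user_id, "chk": checksum_for(user_id)}


def verify_cookies(cookies: dict) -> Optional[str]:
    """Return the user id if the checksum cookie matches, else None.

    compare_digest runs in time independent of where the strings differ, so
    a client cannot learn the correct checksum byte by byte from timing, which
    a plain == comparison could leak.
    """
    uid = cookies.get("uid")
    chk = cookies.get("chk")
    if not uid or not chk:
        return None
    if not hmac.compare_digest(chk, checksum_for(uid)):
        return None
    return uid
```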
polishdude20, over 5 years ago
If I use an external framework or library to let my users log in via Google or, say, Outlook, do I need to have my own Outlook or Google account? Do I need some authorization to do this if, say, my company uses Outlook for their emails and I want to let my co-workers use their account info to sign in through Outlook?
vbsteven, over 5 years ago
Spring Security for the logic and password storage. I usually build my own pages for password resets and logins.
brylie, over 5 years ago
Django user authentication: https://docs.djangoproject.com/en/3.0/topics/auth/
DerekQ, over 5 years ago
Does anyone know if there's a decent, comprehensive library that handles all authentication / login for .NET Core apps? Bonus points if there's an SSO addition (even if that part is commercial).
antoineMoPa, over 5 years ago
Rails + Devise, even if my application is in a language other than Ruby. Laravel could also do the job. Every time I have looked, authentication tools in JavaScript are paid or overengineered.
alanfranz, over 5 years ago
Keycloak. Open source IDP.
Pandabob, over 5 years ago
I've been eyeing Firebase authentication for a Django project of mine, but haven't implemented it yet. Can anyone recommend it or advise against it?
mmusc, over 5 years ago
In the .NET world, ASP.NET Identity gives you a basic login, you can add social logins, and IdentityServer adds OAuth2 support. Both highly customizable.
Ken_Adler, over 5 years ago
For user authentication: hosted (Auth0 or Okta); self-hosted: Hydra.

For service identity: SPIRE/SPIFFE... (or OAuth CC flow if mTLS is not possible).
sendilkumarn, over 5 years ago
Keycloak is really awesome. This also makes sure that when you move to any other OAuth2 authentication, we can simply switch the server details.

On the other hand, Firebase authentication is very scalable and easy to set up and start.

Don't write it from scratch; if you are on the JVM, Spring Security provides a robust implementation, we can just plug, configure and play.
mister_hn, over 5 years ago
In my services, I use a combination of:
- hashed password or WebAuthn token
- palm vein or USB token or (less preferred) SMS
treve, over 5 years ago
We've been plugging away at writing an open-source OAuth2 server: https://github.com/curveball/a12n-server
kitsune_, over 5 years ago
Keycloak
rp2684, over 5 years ago
One very important aspect of authentication is session management. Doing this wrong (or naively) can have catastrophic effects for your app!!

Let me provide an example: it's common knowledge that JWTs are very common. A lot of people who use JWTs implement them as access tokens for their APIs. JWTs also require a shared secret key - what if this is stolen? Then an attacker can use that to hijack any user's account very trivially, and you may not even realise that it's happened! This is far worse than anyone getting hold of hashed passwords from your database.

That being said, I use the following flow for session management:
- User logs in; the backend issues a short-lived (~1 hour) JWT and a long-lived refresh token and sends them to the frontend.
- The frontend sends the JWT for each API call while it's still valid.
- In the event that the JWT has expired, the frontend should then use the refresh token to get a new JWT AND a new refresh token (rotating refresh token - see https://tools.ietf.org/html/rfc6749#section-10.4).
- If the refresh token expires, then the user has to log in again.

While this sounds quite straightforward, the key here is to use rotating refresh tokens - that's what actually makes it far more secure than just using simple refresh tokens (I'd argue that it's almost the same level of security as just using a long-lived access token).

Some of the benefits of this approach:
- You can detect token theft! If an attacker gets hold of the refresh / access token, because they keep changing, you can detect if an old token is used, which is a strong signal of theft (see the RFC link above).
- You can change the JWT secret key without logging any users out: once you change the key, all JWTs are instantly invalidated. But then your frontend client can simply use its refresh token to get a new access token signed with the new signing key (along with a new refresh token).
- Allow your users to be logged in for however long you want without compromising security.

Some implementation gotchas:
- When changing the refresh token, be sure to not invalidate the older token unless your backend is sure that the frontend has received the new token. This can be confirmed by the frontend using the new access / refresh token. This is important since, if not done, and if the user is in a badly networked area, it can lead to them being logged out.
- See this blog and specifically this race condition: https://medium.com/hackernoon/the-best-way-to-securely-manage-user-sessions-91f27eeef460#e81c

If you do not want to implement this on your own, you can also check out https://supertokens.io - it provides an end-to-end implementation of the above, taking care of all race conditions and network failure issues. It also prevents other common web attacks which are on the OWASP top 10 list.

-----------------------

In terms of user authentication for the login part, I prefer using a no-password method - email or SMS OTP. The reason for this is that I do not have to care about managing user passwords (though that's not too difficult), I do not have to build forgot-password flows, and most importantly, users don't have to remember yet another password.

I also only allow 3 attempts per OTP. So after sending the OTP, if a user fails to input the correct one 3 times, then I revoke the old OTP and send a new one (this is so that someone can't simply brute force their way into an account). If the user login is successful, then I revoke all OTPs for that user. If the user clicks on sending the OTP again, then I send a different OTP (but the old one is still valid). This allows me to have an OTP timeout of, say, 1 hour - which is more than enough!

According to me, this coupled with the above session management flow is perfect!
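The rotation flow and the lost-response gotcha described above, as an added example that is neither the commenter's nor SuperTokens' code; the in-memory store, the per-login token family bookkeeping and the 30-day refresh lifetime are assumptions, and an opaque random string stands in for the JWT access token:

```python
import secrets
import time
from typing import Optional

ACCESS_TTL = 3600           # ~1 hour access token, as in the comment
REFRESH_TTL = 30 * 86400    # assumed ceiling on how long one login may live


class SessionStore:
    """Rotating refresh tokens with reuse detection (constructed example)."""

    def __init__(self) -> None:
        self.families: dict = {}  # family id -> state shared by every rotation of one login
        self.tokens: dict = {}    # refresh token -> (family id, generation number)

    def _issue(self, fid: str) -> dict:
        fam = self.families[fid]
        fam["current"] += 1
        rt = secrets.token_urlsafe(32)
        self.tokens[rt] = (fid, fam["current"])
        return {"user": fam["user"], "access": secrets.token_urlsafe(32),
                "access_expires": time.time() + ACCESS_TTL, "refresh": rt}

    def login(self, user: str) -> dict:
        fid = secrets.token_hex(8)
        self.families[fid] = {"user": user, "current": 0, "latest_used": 0,
                              "revoked": False, "expires": time.time() + REFRESH_TTL}
        return self._issue(fid)

    def rotate(self, refresh_token: str) -> Optional[dict]:
        """Trade a refresh token for a new access + refresh pair, or None if rejected."""
        entry = self.tokens.get(refresh_token)
        if entry is None:
            return None
        fid, gen = entry
        fam = self.families[fid]
        if fam["revoked"] or time.time() > fam["expires"]:
            return None
        if gen == fam["current"] or gen == fam["latest_used"]:
            # Either the newest token, or the token the client last used
            # successfully. The second case is the lost-response retry: the
            # old token stays valid until the client proves it received the
            # newer one by using it.
            fam["latest_used"] = gen
            return self._issue(fid)
        # Any other token is stale: it was replaced by one that has since been
        # used, or belongs to a branch the real client never followed. Treat it
        # as a replay and revoke the whole family, so thief and victim both
        # lose the session and the user has to log in again.
        fam["revoked"] = True
        return None

    def is_revoked(self, refresh_token: str) -> bool:
        fid, _ = self.tokens[refresh_token]
        return self.families[fid]["revoked"]
```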
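The OTP rules in the last paragraphs (three wrong guesses revoke an OTP and trigger a fresh one, resending keeps the old OTP valid, a successful login revokes all of them), as an added example that is not the commenter's code; the six-digit code format, the in-memory store and the injectable code source used for deterministic testing are assumptions:

```python
import secrets
import time
from typing import Dict, Iterator, List, Optional

OTP_TTL = 3600      # one-hour OTP timeout, as in the comment
MAX_ATTEMPTS = 3    # wrong guesses tolerated per OTP before it is revoked


class OtpLogin:
    """Email/SMS one-time-code login with per-OTP attempt limits (constructed example)."""

    def __init__(self, codes: Optional[Iterator[str]] = None) -> None:
        self.otps: Dict[str, List[dict]] = {}  # user -> live OTP records
        self.sent: List[str] = []              # stand-in for the SMS/email gateway
        self._codes = codes                    # fixed codes for deterministic tests

    def _new_code(self) -> str:
        if self._codes is not None:
            return next(self._codes)
        return f"{secrets.randbelow(10 ** 6):06d}"

    def _live(self, user: str) -> List[dict]:
        """Drop expired OTPs and return the ones still usable for this user."""
        now = time.time()
        self.otps[user] = [o for o in self.otps.get(user, []) if o["expires"] > now]
        return self.otps[user]

    def live_codes(self, user: str) -> List[str]:
        return [o["code"] for o in self._live(user)]

    def send_otp(self, user: str) -> str:
        """Issue another OTP; earlier ones stay valid until used, exhausted or expired."""
        code = self._new_code()
        self._live(user).append({"code": code, "attempts": 0,
                                 "expires": time.time() + OTP_TTL})
        self.sent.append(code)
        return code

    def verify(self, user: str, guess: str) -> bool:
        live = self._live(user)
        for otp in live:
            if secrets.compare_digest(otp["code"], guess):
                self.otps[user] = []   # login succeeded: revoke every OTP for the user
                return True
        # Wrong guess: it was tested against every live OTP, so charge each of them.
        for otp in live:
            otp["attempts"] += 1
        remaining = [o for o in live if o["attempts"] < MAX_ATTEMPTS]
        self.otps[user] = remaining
        if len(remaining) < len(live):
            self.send_otp(user)    # an OTP hit the limit: revoke it and send a fresh one
        return False
```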
pushpop, over 5 years ago
Another thing to bear in mind, for those who are rolling their own, is how you access those passwords from the DB.

The common approach is a simple DB SQL select. But that then means if your web server gets exploited, an attacker can dump the entire password database.

The safer option is to write stored procedures to return or modify that table and set permissions on that table so even your web app creds can't directly query the password table. Then your web service only has access to check a single password, rather than downloading every hash on the DB.

If you can also offload the encryption/decryption and hashing then that is another step forward too.