Introduction
The objective of this Request For Comments is to present a possible solution to the authentication problem.
Authentication is still today an important part of every application, and if the implementation is not done right, we expose the data of users.
Proposed solution:
The proposed solution is to use oauth2/OpenID. This is currently the specification the majority of websites follows, like Facebook, Google or Microsoft.
Technical details
There is three ways for implementation of oauth2 in the project:
- Use a social 3rd party like one mentioned above. This is the simplest solution to implement, but forcing developers and users to use a 3rd party account to login on our platform can and will turn away users.
- Use a AaaS (Authentication as a service) 3rd party like authy. While this solution has loads of advantages in a hosted context, where we're the only one hosting the solution, but for a more broad use of the solution, this will make it harder.
- Create our own system for authentication, basing our work on frameworks like oxyde-auth. This is the solution that needs the most technical explanation, and I'll be explaining that if that's the chosen solution in another RFC.
Client side of things
I think the part that needs the most description is the client / frontend part, as this seemed unclear.
Each client / frontend will have it's own "public key" and "private secret". While I'll call the second one private, it can be included as an environment variable at compilation time or even added in the code source (even if it's not recommended at all!) as these keys are just used to indicate to the server & client who's trying to connect with your account.
The keys are just used to make that appear on the screen (this is taken from discord for the example):
The part that secures the "oauth2 flow" (The dialog between the server & the client) is the Proof Key for Code Exchange
system (I'll be calling it PKCE for simplicity). It allows the system to prevent MITM of the authorization token, returned by the browser, so a weak point of the transfer.
After all the "oauth2 flow", the client will have a JWT (Json Web Token) and is the only way to access the server as an authenticated client and user. The "public key" and "private secret" are only here to make sure that the application is authorized.
Then you only have to add a "Authorization: Bearer XXX", where XXX is the token you got at the last step for each call to the API.