1 | @fusion.io/authenticate
|
2 | -----------------------
|
3 |
|
4 | # BEST PRACTICES
|
5 |
|
6 | ## Keep your **Identity Provider** clean
|
7 | You can think of it as a connection to extract user's from the system. But
|
8 | **NEVER** let your **Identity Provider** depends on your transport layer.
|
9 |
|
10 | One of the **BAD** example is saving the found identity into Session.
|
11 | Session is a concept of HTTP layer, we don't want the **Identity Provider** aware about
|
12 | the current transport layer that it is working on.
|
13 |
|
14 | ```javascript
|
15 |
|
16 | class MyUserIdentityProvider {
|
17 |
|
18 | provide({username, password}) {
|
19 |
|
20 |
|
21 | // DON'T do this. Just please don't!
|
22 | session.user = user;
|
23 |
|
24 | return user;
|
25 | }
|
26 | }
|
27 |
|
28 | ```
|
29 |
|
30 | We will store the user into session, but that code should not be written inside of **IdentityProvider**.
|
31 | Let's do it **after** the authentication success.
|
32 |
|
33 | ## Understanding `Identity` and `Credential`.
|
34 |
|
35 | Okay, maybe you think that I'm joking!
|
36 | But sometimes, we mis-understanding these 2 concepts.
|
37 | Especially when we working with third party services.
|
38 |
|
39 | In **OAuth2** protocol, someone (but not you!) think that `access_token` is just a token.
|
40 | But it is ACTUALLY the `Credential`.
|
41 | The **Identity Provider** will provide user identity by calling API to the OAuth2 server with that `access_token`.
|
42 |
|
43 | Other of common mistake is about `token` is when your application providing APIs.
|
44 | At first, the user login (and their `username`, `password` is `Credential`, everybody knows it).
|
45 | But what next is tricky part. You might provide the `token` for the user after logging in, so they can
|
46 | use that `token` to call your API later. And believe me or not, someone (but not you) think that `token` is `Identity`
|
47 | *But in this scenario `token` IS `Credential`. Not everyone understand it!*
|
48 |
|
49 | Whatever comes in your `.provide()` is the `Credential`, and whatever comes out is `Identity`.
|
50 |
|
51 | ## Treating the `Credential` with cautions.
|
52 |
|
53 | - `Credential` is user's privacy, it is private and sensitive.
|
54 |
|
55 | - **DO** encrypt the `Credential` whenever you store it. Not only the `user's password`, but also your api `token`!
|
56 |
|
57 | - **DO** verify the origin of the `Credential` each time you have it!
|
58 | In the Local case, we have the `username` field, so we can query back in our database if we have such `username`.
|
59 | It is one way of verifying the origin of the `Credential`.
|
60 | In **OAuth2** case, `access_token` will be used to query to the OAuth2 server, it also a mechanism to verify the origin.
|
61 | In `token` case, if you can, when you generate it in the first time, please **sign** it with your private key,
|
62 | so later you can check the signature to verify the origin.
|
63 |
|
64 | - In many webservices whenever you use it you will be provided 2 keys, one `public key` and one `secret key`.
|
65 | You can think of your `public key` is `Identity` and `private key` is `Credential`. Also keep your `private key` in your pocket!
|
66 |
|
67 |
|
68 | ## `Error` is not nutrition. Don't swallow it!
|
69 |
|
70 | // TODO |
\ | No newline at end of file |