| 1 | @fusion.io/authenticate
|
| 2 | -----------------------
|
| 3 |
|
| 4 | # BEST PRACTICES
|
| 5 |
|
| 6 | ## Keep your **Identity Provider** clean
|
| 7 | You can think of it as a connection to extract user's from the system. But
|
| 8 | **NEVER** let your **Identity Provider** depends on your transport layer.
|
| 9 |
|
| 10 | One of the **BAD** example is saving the found identity into Session.
|
| 11 | Session is a concept of HTTP layer, we don't want the **Identity Provider** aware about
|
| 12 | the current transport layer that it is working on.
|
| 13 |
|
| 14 | ```javascript
|
| 15 |
|
| 16 | class MyUserIdentityProvider {
|
| 17 |
|
| 18 | provide({username, password}) {
|
| 19 |
|
| 20 |
|
| 21 | // DON'T do this. Just please don't!
|
| 22 | session.user = user;
|
| 23 |
|
| 24 | return user;
|
| 25 | }
|
| 26 | }
|
| 27 |
|
| 28 | ```
|
| 29 |
|
| 30 | We will store the user into session, but that code should not be written inside of **IdentityProvider**.
|
| 31 | Let's do it **after** the authentication success.
|
| 32 |
|
| 33 | ## Understanding `Identity` and `Credential`.
|
| 34 |
|
| 35 | Okay, maybe you think that I'm joking!
|
| 36 | But sometimes, we mis-understanding these 2 concepts.
|
| 37 | Especially when we working with third party services.
|
| 38 |
|
| 39 | In **OAuth2** protocol, someone (but not you!) think that `access_token` is just a token.
|
| 40 | But it is ACTUALLY the `Credential`.
|
| 41 | The **Identity Provider** will provide user identity by calling API to the OAuth2 server with that `access_token`.
|
| 42 |
|
| 43 | Other of common mistake is about `token` is when your application providing APIs.
|
| 44 | At first, the user login (and their `username`, `password` is `Credential`, everybody knows it).
|
| 45 | But what next is tricky part. You might provide the `token` for the user after logging in, so they can
|
| 46 | use that `token` to call your API later. And believe me or not, someone (but not you) think that `token` is `Identity`
|
| 47 | *But in this scenario `token` IS `Credential`. Not everyone understand it!*
|
| 48 |
|
| 49 | Whatever comes in your `.provide()` is the `Credential`, and whatever comes out is `Identity`.
|
| 50 |
|
| 51 | ## Treating the `Credential` with cautions.
|
| 52 |
|
| 53 | - `Credential` is user's privacy, it is private and sensitive.
|
| 54 |
|
| 55 | - **DO** encrypt the `Credential` whenever you store it. Not only the `user's password`, but also your api `token`!
|
| 56 |
|
| 57 | - **DO** verify the origin of the `Credential` each time you have it!
|
| 58 | In the Local case, we have the `username` field, so we can query back in our database if we have such `username`.
|
| 59 | It is one way of verifying the origin of the `Credential`.
|
| 60 | In **OAuth2** case, `access_token` will be used to query to the OAuth2 server, it also a mechanism to verify the origin.
|
| 61 | In `token` case, if you can, when you generate it in the first time, please **sign** it with your private key,
|
| 62 | so later you can check the signature to verify the origin.
|
| 63 |
|
| 64 | - In many webservices whenever you use it you will be provided 2 keys, one `public key` and one `secret key`.
|
| 65 | You can think of your `public key` is `Identity` and `private key` is `Credential`. Also keep your `private key` in your pocket!
|
| 66 |
|
| 67 |
|
| 68 | ## `Error` is not nutrition. Don't swallow it!
|
| 69 |
|
| 70 | // TODO |
| \ | No newline at end of file |