Intro to Authentication Strategies & Implementation Workshop

00:00 All right, folks, hold on to your hats. We're going to do web authentication. And look at how many things there are. Oh, it's so much. Some people would look at this list, and they'd say, you know what, that's why you use a third-party service to manage authentication for your application. I've got two responses to that. Or three, maybe.

00:19 One, yeah, you might be right. Depending on how important it is for you to ship quickly and everything, it might be nice to just offload all these concerns to somebody else. Two, if you're using the Epic Stack, this is already all built in. So you can just, boom, get started, and you already have it.

00:36 So it would be even faster than using a third-party service. But then three, even if you are using a third-party service, it's so critical for you to understand these concepts that I just think you should still go through this. It's very important information for you to have. There's a lot of stuff in here that you're going to need to understand, even if you're

00:55 using a third-party service. And at the end of the day, I've worked at a lot of different companies, and not a single one of them used a third-party service for authentication. And whether it's a really big company like PayPal, where, yeah, there is a team that's kind of dedicated to that, I really would have benefited a lot if I understood this stuff so

01:14 that I could understand what they're doing. Or if it's a small company with a smaller app, like a couple engineers, we still had our own authentication. Most modern frameworks will ship with their own authentication. And so it is important, even if you can or do

01:31 use a third-party service for doing your authentication, it's still so useful to understand how to do this. So yeah, we're going to be doing all kinds of things. We're actually going to be using cookies for managing user preferences. Just to give us a little intro to that,

01:47 we're going to be using session storage and a flash pattern so that we can get toast notifications. And we're going to use cookies to identify users, so actual login stuff. So here, I can log in as Cody. Cody's password is codylovesyou. We'll have Remember Me support as well.

02:06 And when we log in, that login works. We have admin users. We're going to be doing RBAC. That's role-based access control. Or ReBAC, actually, could be supported in this same way as well. And then, of course, we even have email. And so if I go to create an account

02:24 and I say bobby at example.com, then I have this check your email flow. And I can come over here, take a look at the email that was sent. That'll include both the code itself, as well as a link to just fill out the code automatically. And then I can do my onboarding.

02:42 All of that stuff is supported. Oh, yeah, third-party auth also supported. So we can log in as a user here like this. And then we also have support for two-factor authentication, which will blow your mind. And you can scan the QR code or enter in this code manually.

03:01 And then two-factor authentication supported for not only logging in, but also doing destructive operations like changing an email address or disabling two-factor auth or all sorts of things. So we're going to go through all of that. Oh, and I missed the forgot password flow.

03:19 But that whole flow is totally implemented as part of this workshop as well. So just an outrageous amount of stuff that we're going to be covering in this workshop. I'm so excited to get through some of this stuff. And while we're using GitHub for third-party authentication,

03:36 which, by the way, will work even if you're offline because we'll be setting up mocking as well. But yeah, we're using GitHub for this. You can apply the same thing to anything. I have an example where I applied it to OIDC. I used Google for the OIDC provider. But lots of single sign-on in enterprise

03:55 implements the OIDC spec. And so you could apply that same thing to whatever. If you're doing a SaaS-based company and they want single sign-on, yeah, you're going to learn what you need to do to be able to support that, which is sick. So just like, oh, yeah. And I skipped over locking down UI based on different routes and stuff like that.

04:14 Session expiration and remember me. So much stuff. Like, it's just, this is so full. You're going to be working on this for probably a couple of weeks to get through all this stuff. But when you're done, you will so understand this stuff. And it's going to be awesome. So I'm really excited for you to go through this. I spent a lot of time working on this,

04:33 so I really hope you like it. And I hope that, honestly, it helps you in building whatever it is that you're building. So why don't we get started? Have fun.