I

Identity

A secure way to sign in to websites

14
I

Identity

A secure way to sign in to websites


The problem Identity solves

We at SRMKZILLA - Official Mozilla Campus Club of SRMIST have several portals up and running where people can register for our events and services. Managing the user data for each of these portals separately becomes a hassle, and is also a pain for the user because they have to register separately for each of them.

This is where Identity comes in. Identity is now the one place you have to sign in for all-things-SRMKZILLA. It is OAuth2.0 compliant, meaning it is easy to integrate with popular libraries such as

simple-oauth2

. It also lets users give granular access to their data, and lets them review all authorized app activity.

(The project is not open source yet. It will be when we release the public beta!)

Challenges I ran into

I had to give the users the ability to revoke access their token before it was expired, which it turns out is an actively discussed problem with JSON Web Tokens. I ended up maintaining an in-memory deny-list (implemented as a hashmap) in Redis and added the token's unique identifier in this deny-list. I setup Redis to remove this token from the list when the token expires eventually so that it doesn't take up any extra space.

I also have to take care of authenticating any external resource servers in the future. Currently, the authorization server doubles as the resource server so there is no need to expose an introspection API or authentication mechanism, but this need might arise in the future. I plan to use basic authentication between the resource server and Identity and renewing the password manually from time-to-time.

Discussion