#038 - I Got Caught Rolling my Own Auth... feat. Dev Agrawal
Jan 29, 2024
Dev Agrawal, content creator & Developer Advocate at Clerk, discusses DevRel, authentication vs. authorization, JWT, challenges of sharing databases between microservices, and various authentication methods in Clerk.
Authentication and authorization have different focuses and challenges.
Using a third-party provider like Clerk for authentication can simplify the sign-in process.
Embedding permissions in tokens avoids frequent database queries for authorization.
Deep dives
Differentiating Authentication and Authorization
Authentication is the process of verifying credentials and proving the identity of a user, while authorization involves making decisions about what actions the user is allowed to perform based on their credentials. Authentication is a distributed systems problem, dealing with protocols, standards, and security. Authorization, on the other hand, is a modeling problem that requires mapping user roles and permissions to determine access levels. Both authentication and authorization can be complex, but the challenges and focus differ.
The Advantages of Using a Third-Party Auth Provider
Using a third-party provider like Clerk for authentication can streamline the sign-in process, eliminating the need for users to create passwords or verify emails. For simple web apps that primarily require authentication, using a third-party provider makes sense as it frees up development resources and ensures security. However, for more complex authorization scenarios, companies may choose to handle authorization in their own application servers while still utilizing Clerk for session management and storing authorization data in tokens.
Popular Authentication Methods and OAuth
Signing in with Google is the most common authentication method, followed by other OAuth providers like GitHub. OAuth, particularly the OIDC protocol, simplifies the sign-in process by redirecting users to the provider's authentication page and returning a token to the application for future authentication. Google's implementation, for example, provides a JavaScript client library that invokes a callback with the token once the user completes the authentication form. OAuth 2 and OIDC have become popular standards that many providers adhere to, making it easier to interface with different providers using similar code.
Benefits of embedding permissions in tokens
By embedding permissions directly in tokens, the authentication system can eliminate round trips to the database for checking a user's permissions. Instead, the token includes information about the user's permissions, allowing the backend system to verify them without accessing the database. This approach, often used with JSON Web Tokens (JWT), makes it easier to run authenticated servers on the edge without relying on database queries for authorization. Short-lived tokens, with a typical timeout of one minute, limit how long a stale or revoked permission set stays valid while still reducing the need for frequent database interactions.
Using replicas to avoid frequent joins with user data
When using an auth provider like Clerk, the user data, session data, and other relevant information are stored with the auth provider as the source of truth. However, to avoid the performance issues of frequent joins with the user's table, it is possible to replicate the required user data, either through webhooks or a Postgres foreign data wrapper. Webhooks allow real-time updates and ensure data synchronization, while the foreign data wrapper minimizes syncing issues, even though it requires additional API requests. These options offer trade-offs, enabling efficient joining of user data without overwhelming database resources or compromising data integrity.
Lane chats with Dev Agrawal, content creator & Developer Advocate at Clerk! Tune in as they discuss DevRel, authentication vs. authorization, JWT, and so much more in this episode.
Learn back-end development: https://boot.dev
Listen on your favorite podcast player: https://www.backendbanter.fm