Authentication
OK, this is the beginning of a transition: we need to be able to control access to data.
Before we can do that we need some way to know that you are who you say you are, or at the very
least to assign an account ID to you.
That's today's topic: how can I authenticate that you are who you say you are?
Passwords?
So I'm happy to babble about the mechanics of passwords
a little later in the semester. But they are the most common and cheapest
thing on the internet for handling authentication.
But like the rest of web-dev, I'll show you the Firebase way and
then, if you'd like, I'll show you how the rest of the world does it.
OAuth in the Wild
Typically in these sorts of DIY OAuth setups you'll need a few things:
An "application" that is presented to the User (created in the tech giant's ecosystem)
A starter button (hosted by you) that sends the user to the tech giant's approval page
A callback page (hosted by you) that the user is redirected to; the params of this page carry a temporary TOKEN
Your callback page must get a backend you control to take the temporary TOKEN and POST it back to the tech giant along with an "Authorization" header
That Authorization header contains hashes of secrets from your app, so it must never be built or sent from the browser
That callback page must be on an APPROVED URL list registered with the tech giant; a redirect to any other URL is refused
Finally you have two things, an ACCESS TOKEN and a REFRESH TOKEN; the access token has an EXPIRATION TIME
The ACCESS TOKEN can be used inside of headers to get access to tech giant APIs
The REFRESH TOKEN can be used in a POST request to the tech giant in order to get a NEW ACCESS TOKEN with an EXTENDED EXPIRATION TIME