Week 7 Blog

I made a recent blog post on keeping passwords safe, so I did a lot more research and created a few test programs for this purpose. I found that having a user provide the API or application with just their username and password isn't very safe. If we store that password in our own database, it immediately puts the user's information at risk, whereas a trusted third party used for authentication will generally follow much stricter security measures. Instead of having a customer hand you their credentials directly, it is ideal to redirect them to a trusted third party such as Google.

When a user wants to create an account, we redirect them to Google using OAuth 2.0 and ask the user for permission to access, say, their email and general information like their name. Once the user authorizes, OAuth 2.0 returns a token that we can use to make further requests. This way we can create an account and store any local information we might need for the user without having to put the customer's credentials at risk.

The process is a little more in depth: every step of the login process is authenticated, making sure it is not intercepted and that a different client is not the one requesting the information. This is achieved with a state value that only the requesting user has. When the user comes back, we compare this value to ensure it is still the same client and deny any unauthorized requests. This also makes it very easy to create accounts and to log the user in. The customer no longer has their credentials stored in two different locations, which reduces their chances of being involved in a breach. This is the easier and generally more secure method, both for someone who is not very experienced and for someone very experienced. Another great thing about tokens is that they can always be revoked by Google: if the user wants to revoke all access for a token (site), they can.
Once invalidated, no further request would be able to access any of the user's information.
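As an added illustration of the state check described above (this is example code written for this post, not code from the original), here is a minimal Python sketch of both halves of the flow: generating a random state when redirecting the user, and verifying it when the provider sends them back. The provider URL, client id and redirect URI are made-up placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder provider and client settings (assumptions for this example).
AUTHORIZE_URL = "https://accounts.example-provider.test/oauth2/auth"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.test/oauth/callback"
SCOPES = "openid email profile"


def begin_login(session: dict) -> str:
    """Create a fresh random state, remember it in the user's server-side
    session, and build the URL that redirects the user to the provider."""
    state = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(session: dict, callback_url: str) -> str:
    """Check the state echoed back by the provider before trusting the
    authorization code. Raises PermissionError on any mismatch."""
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [""])[0]
    code = query.get("code", [""])[0]

    expected = session.pop("oauth_state", None)  # single use: consume it
    if not expected or not returned_state:
        raise PermissionError("missing state; callback not tied to a login")
    if not hmac.compare_digest(expected, returned_state):
        raise PermissionError("state mismatch; callback is not from this client")
    if not code:
        raise PermissionError("no authorization code in callback")
    return code  # the server then exchanges this code for tokens


if __name__ == "__main__":
    sess = {}
    print(begin_login(sess))
    # Constructed callback pretending the provider echoed our state back.
    good = f"{REDIRECT_URI}?code=abc123&state={sess['oauth_state']}"
    print(handle_callback(sess, good))
```

Because the state is popped from the session on first use, a replayed or forged callback cannot pass the comparison even if it carries a previously valid value.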
