JabRef / JabRefOnline

https://www.jabref.org
MIT License

Decide on a solution for user management #635

Closed tobiasdiez closed 10 months ago

tobiasdiez commented 2 years ago

Azure Active Directory B2C provides a lot of the user management stuff out of the box and the pricing is acceptable.

There are some negative reports like

but these come from a) different needs than what b2c is providing and b) frustration with "Custom policy". So we try to avoid the latter ;-).

Another disadvantage is that the customization of the UI is a bit cumbersome via CSS, so we need to partly re-implement the user login/register/pwd forget pages: https://docs.microsoft.com/en-us/azure/active-directory-b2c/customize-ui?pivots=b2c-user-flow

Implementation:

Alternatives:

tobiasdiez commented 1 year ago

Let's wait for the new nuxt3 auth module: https://github.com/nuxt/auth (https://v3.nuxtjs.org/community/roadmap/)

Siedlerchr commented 1 year ago

Why not OAuth2?

tobiasdiez commented 1 year ago

Azure B2C provides an implementation of OAuth2: https://docs.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow. The point is that I don't feel like implementing it myself, or using expensive services such as auth0. See also #578.

mohit038 commented 1 year ago

Firebase authentication is also a good alternative if you are open to using services other than Azure. It’s free, open source and offers very similar features.

tobiasdiez commented 1 year ago

Thanks, that looks like a nice alternative indeed. I especially like that they have an SDK solution, where you have full control of the user interface.

calixtus commented 1 year ago

Be aware that as soon as we distribute user-related data outside the European Economic Area we have to explicitly inform the user about this and ask for his permission. Maybe we should ask for a legal consult on this, since I have heard many rumors of expensive cease and desist orders when this was not done right...

koppor commented 1 year ago

The whole platform is hosted on Microsoft Azure, so there should be no additional burden if the logins are hosted on Azure, too.

tobiasdiez commented 1 year ago

We could also reuse next-auth (https://authjs.dev/) now that it is framework-agnostic: https://github.com/nextauthjs/next-auth/discussions/3942#discussioncomment-4402799 (there are plans for a nuxt module, but I'm not sure about the status)

Another alternative: http://sidebase.io/nuxt-auth/getting-started

tobiasdiez commented 1 year ago

h3 now also has native session support, https://github.com/unjs/h3/pull/315. At the very least, this should be used over express-session.

Another alternative is https://supertokens.com/

tobiasdiez commented 10 months ago

With https://github.com/JabRef/JabRefOnline/pull/2242, we are now using lucia.

The biggest contender is nextauth/auth.js, but their login-with-credentials workflow is just way too limited. Lucia offers a lot of flexibility in this regard.