hackforla / HomeUniteUs

We're working with community non-profits who have a Host Home or empty bedrooms initiative to develop a workflow management tool to make the process scalable (across all providers), reduce institutional bias, and effectively capture data.
https://homeunite.us/
GNU General Public License v2.0

Look at technology options for user authentication and forms #16

Closed c-fuchs closed 4 years ago

c-fuchs commented 4 years ago

Overview

Our app will need to create new users and authenticate existing users. Let's look at technology options to handle this.

Resources/Instructions

Django example form to add users. Scroll down to Django Admin. Here

ExperimentsInHonesty commented 4 years ago

@joelparkerhenderson recommends OAuth as the protocol. Is there a reason for us to use a provider or is this something we can build ourselves using the protocol? Please elaborate or provide additional web resources for us to self-educate.

joelparkerhenderson commented 4 years ago

I recommended authentication via an outsourced service, rather than building auth services inside the app. I suggested Authentication as a Service (SaaS) vendors, such as Auth0 - not OAuth. Auth0 is a provider that can do lots of ways of authentication, such as via Google, Facebook, email, multi-factor, single-sign-on, etc. Related and/or alternatives are Okta, LogMeIn, Cisco Auth.

I prefer using an AaaS vendor over building into the app, because authentication tends to be much harder than most people realize, and it's much better to outsource it than try to build it in-house and always keep it secure.

c-fuchs commented 4 years ago

Hi @joelparkerhenderson, our new dev @timmalstead suggested Firebase for authentication. Is this an option for us?

timmalstead commented 4 years ago

Hello all, happy to be a part of the project! @c-fuchs @joelparkerhenderson I definitely would suggest Firebase as an authorization option as it is free, secure and the easiest to set up of the third-party options I've seen. My suggestion would be to do Firebase for the POC and then build up our own auth routes after that. I would love to hear all thoughts on this. Have a lovely day.

joelparkerhenderson commented 4 years ago

Good Tim.

Can you propose a simple POC of the authentication that shows what you want to have in a solution, and use all content-free information? What I mean by content-free is all fake data, fake graphics, fake copywriting, etc. In other words, the POC to prove that Firebase (or others) are choices for many HFLA projects?

I can set you up on www.nonprofitnetworks.com for you to deploy them.

AlbertUlysses commented 4 years ago

Hey everyone, we had this conversation for another project. We decided to use Auth0 (or plan to) for it. I know that our goal is to keep things as Open Sourced and/or free. As of now Auth0 has a tier that is free (7,000 users). Furthermore, since HFLA is a non-profit, Auth0 allows us to have as many users for free:

Have an open source project? Get Auth0 for free with our Open Source Program.
Are you building an open source project that is completely non-profit? If you add an attribution badge on your website, you and your collaborators can use all the Auth0 features without limits!

Here is the link: https://auth0.com/pricing/

So if the project is under the HFLA umbrella then it sounds like it's covered.

Sometimes we have projects that are only frontend, and so building a custom login isn't even necessary and Auth0 is good for those cases.

If we sell the software or become maintainers and start to make money, then HFLA can evaluate the price of customising the backend vs paying Auth0 to continue the services.

timmalstead commented 4 years ago

Sounds good to me! 👍

ExperimentsInHonesty commented 4 years ago

We have decided to use Auth0

ExperimentsInHonesty commented 1 week ago

We ended up using Cognito because it is available for a reasonable cost with our existing AWS infrastructure in incubator.