Research replacing auth0 with simple google and/or github login

[subhankarb]

We use auth0 for user management. We want to know what options we have for simple google and/or github login in flask

We are not sure Auth0 is the best option and want to look at alternatives.

Tasks

• [x] Clarify requirements - and what's wrong with current system
• [x] Find options and [quickly] compare these (this is not a massive research piece)
  • [x] Come up with recommendation on what we do (e.g. no change, change to X)
• [x] List down what changes we need to do to use that
  • [x] What are the pros/cons
  • [x] Any major changes in our structure?
  • [x] If so how to handle that?
• [x] Estimate the time to implement.

Acceptance criteria

• [x] Is it possible to do github/google login without Auth0 (yes, obviously!)
• [x] What options do we have?
• [x] What is the recommended option
  • [x] and why
  • [x] how long it will take
  • [x] any feature changes (recommended or necessary)

Context and Problem

We use Auth0 for our authentication.

The main problems with using Auth0 for us are:

• Implementation Complexity:
  • have to keep two user databases in sync -- our app an Auth0
  • have to deploy and configure Auth0 on app deployment and make sure the main app can talk to Auth0
• UX complexity
  • users leave our app to go to Auth0
  • We have to do additional sign up steps for users on return from Auth0 registration.
  • Keeping branding in sync is another overhead.
  • Flow can breakdown e.g. Password change occurs on a completely unrelated domain
  • The auth0-lock library [the widget we see at the login/signup] is big almost 250kb
• Additional cost: we have to pay for Auth0, handle billing etc etc

At the same time:

• It has become clear we do need user objects in our DB
• there are mature OAuth providers for Flask
• we may not need user/password signup which was one of the reasons we used Auth0 (because it takes care of this + associated complexity like password resets and forgot password)

Options

• Stick with what we have!
• Alternative "cloud" login like Cognito or Stormpath
  • No. No better than Auth0 and we'd have to switch!
• flask-oauthlib https://github.com/lepture/flask-oauthlib -- a focus because used in openspending (and they probably thought about this!)
• Flask-GoogleLogin- https://pythonhosted.org/Flask-GoogleLogin/
• Flask login

Recommendation

flask-oauthlib - https://github.com/lepture/flask-oauthlib

Why?

• using this we have zero external dependencies -- all in one app
• We can also use as OAuth provider as well as login manager
• it has seamless integration with almost all of the oauth providers.
• We can use google and github at the same time.
• open-spending is already using it

API: /login?type=(github|google|..)
Callback API: /login/authorized/{type}

These two examples are enough for our use:

• github
• google

Analysis and Next Steps

What we have and what we plan

• Auth0
  • Username/password sign up + user profile storage
  • Ensure unique username
  • Sending welcome message
  • Password reset / forgot password [although it redirects to Auth0 domain]
• Our code:
  • Sync the auth0 data when user logs in or signs up [username, profile picture, email, full name]
  • Deployment code

What we plan:

• Drop Auth0 and Implement flask-oauthlib
  • Drop email + password signup
  • Signup via github (and google? For now, just github)
• Send signup email (? - is this important for now? Probably not)
• Refactor publisher creation flow
  • e.g. Ask user to create publisher

Features we'll lose:

• Unique user name check at Auth0
• Sending welcome message

Qus

• Do we need ( unique ) user name? [big question]
  • In my opinion we do not.
  • We want publisher name to be unique.
  • Right now we create a publisher with user's username.
  • If we stop that and ask user to create a publisher, then we can check unique publisher name while creating any publisher.
  • What about the fact we do need to be able to link to users in the web interface -- what will we user to create that link (we could use {primary-key-in-db}-{sluggified-fullname})
  • If we just do github signup for now we can auto user their username from github for their username + to create their publisher name

Tasks

Estimate:

• [ ] Implement flask-oauthlib [1.5]
  • [ ] Create github app [datopian account] for getting key and secret [.5]
  • [ ] We can directly use openspending's code for flask-oauthlib. [1]
• [ ] Refactor publisher creation flow [1]
  • Change or fix urls for the flow
  • Fixing tests
• User model change [2]
  • [ ] Remove column auth0-id from user table [1]
  • [ ] Add a column about source (e.g. github) and source id (e.g. github id)
• [ ] Change manager.py script [.5]

Acceptance Criteria

• [ ] You can login to the site with github (and github only for now)
• [ ] Your email and key profile information is saved locally and used e.g. in setting gravatar
• [ ] You are redirected to dashboard after signup / login
• [ ] A publisher is created for you with your username

Stuff for later

• [ ] Setup welcome email sending [4]
  • [ ] Creating template [2]
  • [ ] Implement the email sending process [2]

When we do google sign in ...

• [ ] Refactor publisher creation flow
  • [ ] Remove automatic publisher creation at signup
  • [ ] Add API for creating publisher
  • [ ] Change UI for creating publisher.

A really nice sign up flow:

• You sign up and then are prompted which of your github orgs you want to import as a publisher

[pwalsh]

again: see openspending.

[rufuspollock]

@pwalsh yes, that's exactly what we've been looking at 😄 If you have any specific details here that would be useful -- e.g. talking to @akariv my understanding is that there is no "post-sign-up" flow to do things like send welcome emails or set usernames. That's the kind of thing we'll still need to implement.

Originally, we felt there was a requirement to have simple sign up plus we thought auth0 would be relatively straightforward. Unfortunately (see e.g. #195) this has not been the case and we're looking at simplifying to just google and/or github.

[pwalsh]

OpenSpending allows setting usernames. As for welcome emails and so forth - do we really need them for the MVP? When we use an oauth provider, there are no passwords to reset and so on, so not sure we need it.

[rufuspollock]

@pwalsh

• Re usernames: as i understand it, this is not part of the signup flow whereas we definitely need this (I may be wrong and @akariv can correct me)
• Emails: for an absolute MVP: yes, you might not send a welcome email. However, i think it is definitely desirable feature and it was a consideration in selecting what we did at the time 😉

[subhankarb]

FIXED. See updated description above with analysis and recommendation. I've also created a new issue #268 with the next steps