
Show HN: OAuth microservice for FB, Twitter, etc. - fitz2001
https://login-with.com
======
Sujan
The information on `/login` should probably be on / so I can read somewhere
what "Stateless authentication microservice" actually means.

Also maybe a sentence why this is neat and should be used...

~~~
fitz2001
Would be great if you could create an issue and write some more details about
your requirement.

~~~
rhizome
Does "put information about the service on the front page" really require a
ticket?

~~~
dtech81
Nope, but a ticket helps them track it, helps make your request more durable,
more likely to be developed into a higher resolution of detail, and ultimately
more likely to be fulfilled.

~~~
rhizome
Thanks, but I know what trouble tickets are.

------
saganus
So what's exactly the use case for this? I'm not entirely sure.

Let's say I deploy it. Users of whatever service I provide use this to login
to Google, Twitter, etc, then what? Do I need to also implement something on
the servers I'm protecting behind a login? I.e. some "verification" method
that checks whether the client's JWT tokens are valid so I can grant them
access?

~~~
fitz2001
It's helpful if you want your website/webapp to support login with X (Google,
Facebook, etc). Your services on the same domain can then use these
credentials and eventually use the respective APIs with the per-user key.

All you need to do is: a) get key/secret for the respective service b) deploy
this microservice with the respective env variables

~~~
usea
This kind of explanation would be really useful on the website. Right now it
has nothing to describe what it is/does.

~~~
aisofteng
The explanation you replied to didn't say anything I didn't find obvious from
the tag line.

------
jarym
I found the GitHub link to contain a lot of useful info about what this is:
[https://github.com/lipp/login-with](https://github.com/lipp/login-with)

Very nice work!

------
johnbellone
This is really cool. I was looking for something like this a few days ago for
a side project. Great job!

~~~
fitz2001
THX!

------
olalonde
[https://github.com/bitly/oauth2_proxy](https://github.com/bitly/oauth2_proxy)
is a good one as well.

------
hultner
How does it handle revoked and expired sessions?

From my prior research this seems to be a problem with the JWT which would
either require distribution of ever growing blacklists or session verification
through shared server side sessions.

Would also love to see some API documentation.

I really like the idea and always reimplementing login services seems like
unnecessary hassle.

~~~
nathancahill
Expired can happen clientside, just check the timestamp. Revoked would be a
short blacklist that lasts the duration of the session, once a token is
expired it no longer has to be revoked.

But I'm also curious how a revoked list would be handled with this service.

~~~
hultner
That's only true if you do not allow for long running sessions which are
commonplace today. And it still requires a lookup every time to see if a
particular session is blacklisted.

From what I could grasp there's no mechanics for blacklists/revocations in the
current implementation of this service.
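
The verification and revocation trade-off discussed in this sub-thread, as an added example that is not part of the thread and not login-with's own code: a backend checks the token's signature and `exp`, then consults a denylist whose entries are dropped once the revoked token would have expired anyway. It assumes HS256-signed tokens carrying `exp` and `jti` claims; `sign`, `verify` and `Denylist` are hypothetical names, and `sign` only stands in for the login service so the example runs offline.

```python
import base64, hashlib, hmac, json

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(secret: bytes, signed_part: str) -> bytes:
    return hmac.new(secret, signed_part.encode(), hashlib.sha256).digest()

def sign(claims: dict, secret: bytes) -> str:
    """Issue an HS256 token; stands in for the login service (assumption)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_mac(secret, head + '.' + body))}"

class Denylist:
    """Revoked token ids, each remembered only until that token's own exp."""
    def __init__(self):
        self._exp_by_jti = {}

    def revoke(self, jti: str, exp: int) -> None:
        self._exp_by_jti[jti] = exp

    def is_revoked(self, jti: str, now: int) -> bool:
        # An expired token is rejected on exp alone, so its entry can be dropped.
        for stale in [j for j, exp in self._exp_by_jti.items() if exp <= now]:
            del self._exp_by_jti[stale]
        return jti in self._exp_by_jti

    def __len__(self) -> int:
        return len(self._exp_by_jti)

def verify(token: str, secret: bytes, denylist: Denylist, now: int) -> dict:
    """Return the claims of a valid token, else raise ValueError."""
    head, body, sig = token.split(".")  # ValueError if not three parts
    if not hmac.compare_digest(_mac(secret, f"{head}.{body}"), _unb64(sig)):
        raise ValueError("bad signature")
    if json.loads(_unb64(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if denylist.is_revoked(claims.get("jti"), now):  # the per-request lookup
        raise ValueError("revoked")
    return claims
```

The denylist stays small only while `exp` is short: an entry for a long-running session has to be kept, and looked up on every request, for that session's whole lifetime.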

------
Gys
Could be useful in my current project, but I need LinkedIn also.

~~~
fitz2001
Created an issue [https://github.com/lipp/login-with/issues/21](https://github.com/lipp/login-with/issues/21)

:)

------
RUTHLESS_RUFUS
I cannot wait to allow a bazillion fake Twitter and FB accounts from the
Eastern Bloc countries to pour into my website and bigly MAGA. Thanks, social
sign-on!

~~~
michaelmior
What's stopping people from creating fake accounts without social logins?

~~~
RUTHLESS_RUFUS
Administrators and community moderation who pay attention to their own access
logs rather than ambiguous Facebook Review Teams who look the other way.

~~~
michaelmior
There's nothing stopping admins or mods from policing people who happen to use
social login.

~~~
RUTHLESS_RUFUS
Except that they don't.

Account identity and authentication being outsourced to Facebook means your
community maintainers don't get to notice the fact that those 100
MAGA-spouting dimwits are from Romania. They don't get that information in the
first place.

