
Ask HN: Minimum Authentication/Authorization Features for an On-Prem Web App? - monkey26
I've developed a web application (an event dashboard really) that is starting to get more users, but it doesn't have any authentication yet; instead it relies on the user to set up their own authenticating reverse proxy, and as you might expect, authentication is a highly requested feature.

The app so far is something you install on-prem. I don't have a cloud hosted version, but don't want to rule it out. It's most likely to be used by the IT and/or security team at small to medium size orgs.

What are the minimum features of AA I should be offering? It's not that hard to simply add .htpasswd type auth, but it's something I want to attempt to get right the first time.

If it matters, it's a single page web app built with Angular 2, and the backend is Golang.

I need to think about some sort of RBAC and/or ACLs as well.

Thanks for any input.
======
osullivj
My app [1] uses Auth0 for cloud authentication, which gives me login with
Google & GitHub IDs. The on prem deployment uses pywin32 for Windows Auth,
which is important in corporate environments that will require you to work
with Active Directory. So I can use Windows UIDs like DOMAIN\userID. I can
also map my rights groups to AD groups. My system isn't open source, but I do
include all the JavaScript and Python source. So if you grab the download [2]
you can read the pywin32 code in ssauth.py, as well as the Auth0 integration
in the JavaScript and Tornado based backend Python.

[1] [http://spreadserve.com](http://spreadserve.com)

[2] [http://spreadserve.com/s3/downloads.html](http://spreadserve.com/s3/downloads.html)

------
davelnewton
I'm not sure I totally understand the question.

A simple username/email and password solution seems like it'd solve
authentication, but isn't that obvious?

Authorization depends totally on what your app actually _needs_ , e.g., do
different users have different roles? How fine-grained does the authorization
need to be?

~~~
monkey26
I guess what I'm asking is: is simple username and password enough?

Is just a "user" level and an "admin" level enough? I guess this is perhaps a
bit app specific.

Is authenticating against RADIUS or AD a must? Okta? How about Google Apps? I
don't think GitHub is important in my case. What's come to be a given here?

~~~
davelnewton
Nothing's a "given".

No way to know if non-granular "user" and "admin" are sufficient. For a lot of
apps they are. For many it's more of a "user of a group" and "admin of a
group", which is still straightforward. Granular authorization can be a
challenge if it wasn't architected in at the beginning, but even then it just
depends.

In terms of authenticating against providers, who knows. For me, local auth,
Google, FB, Twitter, and GH are more than enough, but your needs may vary.
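The "user of a group" / "admin of a group" model above, and the OP's note that the backend is Go and needs some sort of RBAC, are easy to misread as a single global role flag. Below is an added example (not code from the thread or from monkey26's app) of how that per-group model can be kept small and default-deny: a principal carries a role per group, every action has a minimum role, and an `http.Handler` wrapper refuses anything that is not explicitly allowed. The route shape `/groups/<name>/...`, the action names and the sample principals are assumptions made for the example; the authentication layer that sets the principal is out of scope and is stubbed by `WithPrincipal`.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Role is a coarse level within one group: the thread's "user of a group"
// versus "admin of a group". Ordering matters: higher roles imply lower ones.
type Role int

const (
	RoleNone Role = iota // not a member of the group at all
	RoleUser
	RoleAdmin
)

// Action names what a request wants to do with a group's dashboards.
// These names are assumptions for the example, not the app's real actions.
type Action string

const (
	ActionView   Action = "view"
	ActionEdit   Action = "edit"
	ActionManage Action = "manage" // change membership, delete the group
)

// minimumRole maps each known action to the weakest role allowed to do it.
// Anything not listed here is denied outright.
var minimumRole = map[Action]Role{
	ActionView:   RoleUser,
	ActionEdit:   RoleUser,
	ActionManage: RoleAdmin,
}

// Principal is an authenticated identity. Groups holds the role per group;
// a missing key reads as RoleNone thanks to Go's zero value.
type Principal struct {
	ID     string
	Groups map[string]Role
}

// Allowed reports whether p may perform action on group. It is default-deny:
// a nil principal, an unknown action, or a group p is not in all yield false.
func Allowed(p *Principal, group string, action Action) bool {
	if p == nil {
		return false
	}
	need, known := minimumRole[action]
	if !known {
		return false
	}
	return p.Groups[group] >= need
}

// ctxKey is the private context key the (stubbed) authentication layer uses.
type ctxKey struct{}

// WithPrincipal attaches an authenticated principal to the request. A real
// deployment would do this after checking a session, AD token, etc.
func WithPrincipal(r *http.Request, p *Principal) *http.Request {
	return r.WithContext(context.WithValue(r.Context(), ctxKey{}, p))
}

func principalFrom(r *http.Request) *Principal {
	p, _ := r.Context().Value(ctxKey{}).(*Principal)
	return p
}

// groupFromPath extracts <name> from /groups/<name>/... and returns "" for
// any other shape, so an unexpected URL cannot fall through to "allowed".
func groupFromPath(path string) string {
	parts := strings.Split(strings.Trim(path, "/"), "/")
	if len(parts) < 2 || parts[0] != "groups" || parts[1] == "" {
		return ""
	}
	return parts[1]
}

// RequireAction wraps next so it only runs when the request's principal holds
// at least the role that action needs in the group named by the path.
func RequireAction(action Action, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p := principalFrom(r)
		if p == nil {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		group := groupFromPath(r.URL.Path)
		if group == "" || !Allowed(p, group, action) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample principal: admin of "soc", plain user of "netops".
	alice := &Principal{ID: "alice", Groups: map[string]Role{"soc": RoleAdmin, "netops": RoleUser}}
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	h := RequireAction(ActionManage, ok)
	for _, path := range []string{"/groups/soc/members", "/groups/netops/members", "/groups/finance/members"} {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, WithPrincipal(httptest.NewRequest("POST", path, nil), alice))
		fmt.Printf("%-24s -> %d\n", path, rec.Code)
	}
}
```

The two design choices worth copying are the explicit `minimumRole` table (so a new action is denied until someone decides who may use it) and deriving the group from the path in one place, so every handler is checked the same way rather than each one re-implementing the lookup.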

