"Stateless authentication microservice" has only one possible meaning to me. Did you want to ask something more specific, or do you just not know what those (common) words mean?
It tells me that it has something to do with login, "without state" (whatever this means in this context) and that it is somehow not a "big service" but very "micro", so probably independent. Stateless and microservice can mean so many things.
A microservice is a service that does only one thing, and does it simply.
Something stateless doesn't keep state - after an interaction with a client, nothing has changed in the service itself.
A stateless authentication microservice is something I would expect to run, listen on a port for some sort of authentication credentials, and return either some sort of authorization token or an authentication error.
Nope, but a ticket helps them track it, helps make your request more durable, more likely to be developed into a higher resolution of detail, and ultimately more likely to be fulfilled.
So what's exactly the use case for this? I'm not entirely sure.
Let's say I deploy it. Users of whatever service I provide use this to login to Google, Twitter, etc, then what? do I need to also implement something on the servers I'm protecting behind a login? I.e. some "verification" method that checks whether the client's JWT tokens are valid so I can grant them access?
It's helpful if you want your website/webapp to support login with X (Google, Facebook, etc). Your services on the same domain can then use these credentials and eventually use the respective APIs with the per-user key.
All you need to do is: a) get key/secret for the respective service b) deploy this microservice with the respective env variables
jwt - A "JSON Web Token" (JWT) containing profile information and the respective access tokens (Twitter/etc). http-only!
profile - A JSON string containing non-sensitive information (accessible from browser JS):
  username - string / mandatory, the account specific user alias (e.g. Twitter name)
  photo - string / optional, the account specific user image link
  name - string / optional, the "real" name
This looks like just enough rope to hang oneself. If you check only the profile variable it could easily be set by the user herself. So I guess you need to check the jwt.
I guess it makes more sense if this would be run as reverse proxy so the cookies can't be tampered with.
From my prior research this seems to be a problem with JWTs, which would either require distribution of ever-growing blacklists or session verification through shared server-side sessions.
Would also love to see some API documentation.
I really like the idea and always reimplementing login services seems like unnecessary hassle.
Expired can happen clientside, just check the timestamp. Revoked would be a short blacklist that lasts the duration of the session, once a token is expired it no longer has to be revoked.
But I'm also curious how a revoked list would be handled with this service.
That's only true if you do not allow for long running sessions which are commonplace today. And it still requires a lookup every time to see if a particular session is blacklisted.
From what I could grasp there's no mechanics for blacklists/revocations in the current implementation of this service.
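The two points raised above (the backend must derive identity from the signed `jwt` cookie and never from the browser-writable `profile` cookie, and revocation only needs a short blacklist whose entries can be dropped once the token's own `exp` has passed) can be shown in one place. The following is an added example written for this thread, not code from the project being discussed; it assumes an HS256-signed JWT with `sub`, `jti` and `exp` claims and a constructed shared key, and implements the verification and the self-pruning revocation list by hand so it runs with only the standard library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; in a real deployment this is the service's signing secret.
SECRET = b"constructed-demo-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Issue a compact HS256 JWT (header.payload.signature)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


class RevocationList:
    """Blacklist keyed by jti. An entry is only kept until the token it blocks
    would have expired anyway, so the list never grows beyond live sessions."""

    def __init__(self):
        self._revoked = {}  # jti -> exp (unix seconds)

    def revoke(self, jti: str, exp: float) -> None:
        self._revoked[jti] = exp

    def is_revoked(self, jti, now: float) -> bool:
        self._prune(now)
        return jti in self._revoked

    def _prune(self, now: float) -> None:
        for jti, exp in list(self._revoked.items()):
            if exp <= now:  # token already dead; no need to remember it
                del self._revoked[jti]

    def __len__(self) -> int:
        return len(self._revoked)


def verify_jwt(token: str, key: bytes = SECRET, revoked: RevocationList = None, now: float = None):
    """Return (ok, reason, claims). Signature is checked before any claim is trusted."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # reject 'none' and algorithm confusion
            return False, "unsupported alg", None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return False, "bad signature", None
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # covers bad base64 and bad JSON
        return False, "malformed", None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired", None
    if revoked is not None and revoked.is_revoked(claims.get("jti"), now):
        return False, "revoked", None
    return True, "ok", claims


def identity_from_cookies(cookies: dict, revoked: RevocationList = None, now: float = None):
    """Derive the user from the signed jwt cookie only. The profile cookie is
    readable and writable from browser JS, so it never feeds an access decision."""
    token = cookies.get("jwt")
    if token is None:
        return None
    ok, _reason, claims = verify_jwt(token, revoked=revoked, now=now)
    return claims.get("sub") if ok else None


if __name__ == "__main__":
    now = time.time()
    token = sign_jwt({"sub": "alice", "jti": "t1", "exp": now + 3600})
    cookies = {"jwt": token, "profile": json.dumps({"username": "admin"})}  # forged profile is ignored
    print(identity_from_cookies(cookies, now=now))  # alice
```

Note that `exp` is checked with no clock skew allowance; a real deployment would add a small leeway and would also pin the expected issuer and audience.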
I cannot wait to allow a bazillion fake Twitter and FB accounts from the Eastern Bloc countries to pour into my website and bigly MAGA. Thanks, social sign-on!
It's much easier for a spammer to get through your own implementation of spam filtering than through Facebook's or Google's.
Do you think you can implement automatic IP blacklisting, phone confirmation and better spammy account categorizers based on common spam signals than the big players, who have dedicated research teams working on this? I know I can't and even if I could, I'd rather spend my dev time on tasks related to the core business.
Account identity and authentication being outsourced to Facebook means your community maintainers don't get to notice the fact that those 100 MAGA-spouting dimwits are from Romania. They don't get that information in the first place.
Also maybe a sentence why this is neat and should be used...