Skip to content

3. Authentication

Jump to bottom
Ayush Goyal edited this page Aug 5, 2023 · 3 revisions

Overview

We use authentication via Google Cloud Identity Platform that allows us to easily facilitate user authentication through JSON web tokens (JWT).

This platform provides plugins that manage login with external services. It uses OAuth 2.0 for GitHub and Google, and SAML for Georgia Tech. Our integration with Georgia Tech SSO is a special case that involved setting up configuration through GT OIT. It also provides tools for email & passcode login and works directly with Firebase to provide tools like password reset and email verification.

When you login on our login website, Google Cloud handles all the verification and retrieves an idToken. Then, the frontend makes a request to our API auth service which creates a session cookie from your idToken. This cookie is then set for all hexlabs.org subdomains which allows us to share authentication through all of our different frontends. Google Cloud Identity Platform does provide built-in persistence for user sessions, but we've found using session cookies is the best way that works well with our backend platform.

Development

Access Token

There are two ways services can authenticate a user. The first way is by reading and decoding the session cookie on the request. The other way is by reading and decoding the Authorization header on the request to verify the sent token.

When doing development/testing, the easiest way is to manually set your Authorization header on your HTTP request using a Bearer token (essentially just an access token). You can retrieve an access token for a user by following these steps:

  1. Visit login.hexlabs.org and open the developer tools.
  2. After logging in, you will see your user profile printed in the console tab as e.
  3. Your access token can be found under the accessToken field. Make sure you copy the entire string, it's pretty long. You can also see your global userId under the uid field.

Note that these tokens expire very quickly after an hour, so you will often have to retrieve a new token if you receive an unauthenticated error.

Usage with Postman

We recommend using Postman for local development. Thus, you would set your authentication to Bearer [accessToken]:

  1. Select the "Authorization" Tab
  2. Select "Bearer Token" from the type dropdown
  3. Enter your token in the field
Clone this wiki locally