I've asked this question a bunch of times before and this is the first time I've gotten any suggestions as concrete as firebase. Thanks a ton. It's super helpful when I don't even know what to google. Previous attempts to google it led to me thinking OAuth and OpenID were out of the box solutions, and I gave up. Like, seriously thanks. Any suggested alternatives I should also look into while I'm at it? (ideally ones that aren't "log in via fb or google")
Yes, OAuth and OpenID Connect are both standardized protocols, so they are effectively abstractions for performing delegated authorization and authentication, respectively. They exist basically to promote best practices and to help promote interoperability between products - more so with OpenID Connect, as OAuth does not really have any profiles of usage attached to it.
You sound like you may be looking for a CIAM solution. Searching for CIAM (a customer identity and access management product) should show you tons of alternatives.
Full disclosure is that my employer sells one of these, PingOne for Customers. To clarify the parent's post, Firebase Auth also has the related Google Cloud Identity Platform - I will say even as someone in this space I don't fully understand the reasoning behind Google selling both of those products, however.
In practice if you barely know how to host a server that responds to requests, most solutions won’t work for you because they require writing code that assumes you know somewhat more about how it all works.
I would frankly recommend biting the bullet and doing some heavy reading and trial and error. All of the solutions I know only get you out of the business of storing/managing/checking passwords or MFA. They don’t get you out of anything else.
If you just need something quick and dirty and not "best practices", you could configure HTTP-based authentication (over HTTPS) through a web server like Apache.
Want to know what's crazy? I've stood up a bunch of services and stuff professionally over the last bunch of years, it's just that internal company tools always take care of deployment and security and authentication and exposing them to the world. Yay for efficiency and specialization. Boo for blind spots.
The specifics unfortunately depend a lot on what you're protecting. Are you writing an enterprise web app? Consumer web app? Phone app? Desktop app? Blog engine? E-commerce store? Multiple of the above?
How about just a simple personal project that I want to give only myself and a few friends access to, on browser and phone app? User X can access only documents ABC. Users must be logged in. I'm not looking to make a career shift to web dev, but I'd like to be able to build my own cheap toys, basically, while learning interesting and not terrible skills along the way.
- Use sendgrid to send emails, it'll be free at your usage
- Make the login form only accept an email address, don't risk saving passwords, display a generic "if you signed up you'll get an email soon" message on submission for all values.
- Whitelist your buddies' emails, send them a link to login with. Ignore the rest.
- The link can be a UUID without the dashes or something similarly sufficiently random (could sha1 hash the time and be good enough for your purposes). yourdomain.com/login/somesufficientlyrandomandlongkey
- Save that key in the DB, that's effectively the password. Delete stuff after a while so they have to re-login.
Feel free to hit me up on Keybase or whatever (details in my profile) if you want to follow up in detail.
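The magic-link flow sketched in the bullets above (email allowlist, generic response for every submission, a long random key in the link, key stored in the DB as the effective password, stale rows deleted so people have to re-login, and a per-user document list), written out as an added example that is not code from the original thread. It assumes an in-memory dict in place of a real database and an `OUTBOX` list in place of SendGrid; the addresses, document ids and `yourdomain.example` are constructed placeholders. The token comes from `secrets.token_urlsafe`, the operating system's CSPRNG, and only its SHA-256 is stored, so a copied database does not yield working links; the link is single-use and time-limited.

```python
"""Magic-link login: allowlisted emails, random single-use link tokens,
hashed at rest, expiring sessions, and a per-user document ACL.
Added example; in-memory stand-ins replace the DB and the mail provider."""
import hashlib
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Constructed sample data: who may log in, and which documents each may read.
ALLOWED_EMAILS = {"alice@example.com", "bob@example.com"}
DOC_ACL = {
    "alice@example.com": {"doc-a", "doc-b"},
    "bob@example.com": {"doc-c"},
}
BASE_URL = "https://yourdomain.example/login/"   # placeholder domain
LINK_TTL_SECONDS = 15 * 60                        # a link is valid for 15 minutes
SESSION_TTL_SECONDS = 7 * 24 * 3600               # re-login after a week
GENERIC_MESSAGE = "If you signed up, you'll get an email soon."

# Stand-ins for the database tables, keyed by SHA-256 of the secret so the
# stored rows cannot be replayed if the DB leaks.
_pending_links: Dict[str, Tuple[str, float]] = {}   # token_hash -> (email, expires_at)
_sessions: Dict[str, Tuple[str, float]] = {}        # session_hash -> (email, expires_at)
OUTBOX: List[Tuple[str, str]] = []                  # (recipient, link) the mailer would send


def _hash(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


def request_login(email: str, now: Optional[float] = None) -> str:
    """Handle the login form. The response is identical for every input, so the
    form cannot be used to discover which addresses are on the allowlist;
    only allowlisted addresses actually get a link."""
    now = _now(now)
    normalized = email.strip().lower()
    if normalized in ALLOWED_EMAILS:
        token = secrets.token_urlsafe(32)             # 256 bits from the OS CSPRNG
        _pending_links[_hash(token)] = (normalized, now + LINK_TTL_SECONDS)
        OUTBOX.append((normalized, BASE_URL + token))  # real code: SendGrid API call
    return GENERIC_MESSAGE


def redeem_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Exchange the key from the emailed link for a session token.
    The link works exactly once and only before it expires."""
    now = _now(now)
    entry = _pending_links.pop(_hash(token), None)    # pop => single use
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None
    session = secrets.token_urlsafe(32)
    _sessions[_hash(session)] = (email, now + SESSION_TTL_SECONDS)
    return session


def current_user(session: str, now: Optional[float] = None) -> Optional[str]:
    """Map a session token (e.g. from a cookie) to an email, or None if unknown/expired."""
    now = _now(now)
    entry = _sessions.get(_hash(session))
    if entry is None or now > entry[1]:
        return None
    return entry[0]


def can_read(session: str, doc_id: str, now: Optional[float] = None) -> bool:
    """'User X can access only documents ABC': check the per-user list."""
    user = current_user(session, now)
    return user is not None and doc_id in DOC_ACL.get(user, set())


def purge_expired(now: Optional[float] = None) -> int:
    """Delete stale links and sessions so people have to log in again.
    Returns the number of rows removed."""
    now = _now(now)
    removed = 0
    for table in (_pending_links, _sessions):
        stale = [k for k, (_, exp) in table.items() if now > exp]
        for k in stale:
            del table[k]
        removed += len(stale)
    return removed


if __name__ == "__main__":
    t0 = 1_000.0
    print(request_login("stranger@example.com", now=t0))   # same message, no mail sent
    print(request_login("Alice@example.com", now=t0))
    _, link = OUTBOX[-1]
    sess = redeem_link(link[len(BASE_URL):], now=t0 + 60)
    print("alice may read doc-a:", can_read(sess, "doc-a", now=t0 + 120))
    print("alice may read doc-c:", can_read(sess, "doc-c", now=t0 + 120))
```

In a real deployment the two dicts become database tables with the same two columns (hash, expiry) plus the email, `OUTBOX.append` becomes the SendGrid call, and `purge_expired` runs on a timer. Passing `now` explicitly keeps the expiry logic testable without sleeping.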