How do you handle authentication? #5

Open
flevour opened this issue Jan 17, 2020 · 2 comments
Comments

flevour commented Jan 17, 2020

I’m impressed by your tool and would love to use it at our company. Thanks for publishing it!

How do you authenticate/authorize access to the admin panel published via esqlate? Can you offer pointers?

@forbesmyester (Owner) commented

Firstly thank you for your kind words 😃

This has been a personal project that grew too large and took up too much time. I'm really happy with the reception it achieved.

I think there are primarily two main ways to deal with authentication. You either embed it into the application itself or use a micro-services approach.

  1. If I were to embed authentication into the project I'd probably either decide to integrate it into a third party system ( Auth Zero for example ) or use a static list of usernames/hashed-passwords etc. I'd then be either forcing a server admin into paying for a single authentication service which doesn't mesh with their own systems or maintaining a separate list of users... Not good
  2. Alternatively I could not do anything in this space and ask people to use micro-services to solve the problem.

I believe the best way to solve this problem is to have an authentication service and use a load-balancer that sends all unauthenticated traffic to that authentication service and all authenticated requests to their intended destination.

The big advantage of this is you create a sort of single sign-on, at least within your suite of products and you also don't have to add code to do authentication into all of your services, so it's more DRY... I don't know about you, but I think authentication code is always non-trivial and stressful to write, I don't want that multiple times!

So I'm doing number 2, but I'm more than happy to give you a few pointers.

Service Graph

                   +----------------+
                   | eSQLate Server |
                   +--+-------------+
                      |
+----------------+    |   +---------------+
| Authentication |    |   | eSQLate Front |
|   Gateway      |    |   +---+-----------+
+-----------+----+    |       |
            |         |       |
        +---+---------+-------+-+
        | Load Balancer (NGINX) |
        +-------^---------------+
                |
                |
                |
            ----+----
           /         \
           |  User   |
           \         /
            ---------

The Authentication Gateway could choose to pass authentication to Google / GitHub / Microsoft / Auth Zero and, depending on their response, send the appropriate response to the Load Balancer. You could of course choose to maintain usernames / hashed-passwords within the Authentication Gateway itself.

The key to all of this is NGINX's auth_request directive.

We use this method at work and I wrote the authentication system (against Microsoft) over two years ago and I've pretty much not touched it since, it's particularly nice because there's not even a user-interface for the authentication gateway, it just bounces them to Microsoft.

I'm planning to write a blog post about this because I think so many people use the first option without knowing about the second, and I believe the second is far superior in many circumstances. Anyway, I wrote the basic code for this blog post about 6 months ago, so I've just published it in another repository.

Of course the load-balancer is also a great place to do SSL termination too.
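As an added illustration of the service graph and the `auth_request` pattern described in the comment above (this is example configuration written for this page, not configuration from the eSQLate project or from the commenter's published repository), here is an NGINX server block that plays the Load Balancer role. The hostnames `auth-gateway`, `esqlate-server` and `esqlate-front`, the ports, the `/_auth/` path prefix, the `X-Auth-User` response header and the certificate paths are all assumptions; substitute whatever your gateway and deployment actually use.

```nginx
# Example NGINX front door for eSQLate (added example, not project config).
# Every request to the protected locations is first checked by a subrequest
# to the Authentication Gateway; only a 2xx from the gateway lets it through.
server {
    listen 443 ssl;
    server_name esqlate.example.com;              # assumed hostname

    # TLS termination happens here, as the comment above suggests.
    ssl_certificate     /etc/nginx/certs/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/nginx/certs/privkey.pem;     # assumed path

    # Internal-only subrequest target. `internal` means a client can never
    # call this URL directly; NGINX issues it on the client's behalf.
    # The gateway answers 2xx (authenticated) or 401/403 (not) based on the
    # session cookie that NGINX forwards along with the original headers.
    location = /_auth/verify {
        internal;
        proxy_pass http://auth-gateway:8080/verify;          # assumed upstream
        proxy_pass_request_body off;                 # the body is irrelevant to the check
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI  $request_uri;
        proxy_set_header X-Original-Host $host;
    }

    # The gateway's own login / OAuth callback endpoints must be reachable
    # without authentication, otherwise nobody could ever log in.
    location /_auth/ {
        proxy_pass http://auth-gateway:8080/;
    }

    # eSQLate Server (API). The gateway identifies the user in a response
    # header; NGINX copies it into a variable and sets the upstream header
    # itself, so any X-Auth-User a client sends is overwritten, never trusted.
    location /api/ {
        auth_request /_auth/verify;
        auth_request_set $auth_user $upstream_http_x_auth_user;   # assumed header
        proxy_set_header X-Auth-User $auth_user;
        error_page 401 = @login;
        proxy_pass http://esqlate-server:8803/;                   # assumed upstream
    }

    # eSQLate Front (static UI), protected the same way.
    location / {
        auth_request /_auth/verify;
        error_page 401 = @login;
        proxy_pass http://esqlate-front:8800/;                    # assumed upstream
    }

    # Unauthenticated browsers are bounced to the gateway, which in turn can
    # bounce them to Google / GitHub / Microsoft and set a session cookie.
    location @login {
        return 302 /_auth/login?next=$request_uri;
    }
}
```

Two details are worth checking in any deployment of this pattern: the verify location must carry `internal`, so the check cannot be reached or spoofed from outside, and identity headers passed to the backends must be set by NGINX from the `auth_request_set` variable rather than forwarded from the client, so the backend only ever sees what the gateway asserted. Because the backends are reachable only through this server block, the network must also prevent clients from talking to `esqlate-server` or `esqlate-front` directly, or the gateway is bypassed entirely.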


flevour commented Jan 20, 2020

Hi Matt, I'm kind of overwhelmed by such a great and lengthy reply, I've learned a lot just by reading it and clicking through the links!

It would be nice to include some documentation on this project, to offer some guidance to other fellow users.

If you don't mind I'd leave the issue open as a reminder for anyone willing to document this. I don't exclude it could be me as soon as I get some bandwidth to start hacking around with this project!

@forbesmyester forbesmyester pinned this issue Dec 18, 2020