Dr. Strangeauth OR How I Learned To Stop Worrying And Love Authentication

By Ken Mayer

Elevator Pitch

Authentication is HARD. Getting it right is painful. Getting it wrong can end your business or start your new career as a security expert. So let someone else do the heavy lifting. OAuth, while it sounds scary, is one way to get out of the authentication business.

Description

Recently, I had the pleasure (and pain) of implementing an OAuth CLIENT for an internal project. I will share that experience with you (TDD all the way, baby). We had some non-trivial design decisions to make: how to share tokens across processes and threads, and where to store the long-term refresh token. We travelled down some garden paths, ended up in a design cul-de-sac, then we tested our way out and into a really nice, stable little library that is not nearly as opaque as the standard libraries.

So, while I don’t recommend reimplementing security code, it was a healthy exercise and will give you a better appreciation for why you should use someone else’s library.

The references to Dr. Strangelove go deeper than the title, since one of the core plot devices is that a user of the system was able to gain privileged access to a resource without permission. Heh.