Question:
Objective: on a third-party service, certain functionality must be connected, but be inaccessible without authorization. How to make authorization on a third-party resource, but so that it takes place for the server?
PS: This is implemented in hypercomments. The service will use Socket.io
Answer:
Use the Passport library or services like uLogin . The first option is more independent, while the second does not require separate registration of your application / site in each social service.
Generally speaking, this is called Social Authentication. Service providers (the same vk, google, twitter, etc.) provide third-party resources with a certain way to verify the identity of the user registered with them:
-
OpenID is an open, standardized authentication protocol. Working with it is universal and quite easy to implement.
Recently, however, its popularity has dropped sharply, due to the discovery of several critical vulnerabilities in the architecture.
-
Pseudo-authentication via OAuth. OAuth itself does not initially provide means for authenticating users to other resources – it gives the user of a certain service (provider) the ability to grant external applications limited rights to use the service API in the context of this user. However, many services provide APIs that return a unique ID and / or Email of a user – it is their sites / applications that use them for authentication.
OAuth is relatively complex in itself, requires the obligatory registration of the application / site with the provider, and the API is different everywhere – for each provider you have to write a separate code that authenticates users.
-
Proprietary authentication protocols are absolutely all kinds of ways that developers' imagination could only come to.
Due to the variety, it is very laborious to implement these authentication mechanisms on your own. Purely for authentication purposes, it is much better to use ready-made libraries or services.