Showing posts with label JWT. Show all posts

Sunday, September 2, 2018

Implement JWT with Google Sign-On

Once you understand the basics of JWT, it's probably time to implement it with a third-party identity provider such as Google, Facebook, or Amazon (among too many). The benefits of using a third-party identity provider are:

  1. Users of your app do not have to create a new account with you. If you are offering a new product or service, there is a huge temptation to gather as much information as possible about your users. Resist that temptation. Gather only what you need, and one thing you do not need is to manage your users' usernames and passwords.
  2. You do not have to provide the customer service function of dealing with lost, forgotten, or compromised credentials (usernames, passwords). Google, Facebook, Amazon, etc. have thought about this a lot harder than you have and devoted way more resources than you have to this effort. Let them do it.
  3. You can connect otherwise personally identifiable but private information to an abstract ID from the third-party identity provider and thereby anonymize your data. As my good friend Shawn Tuma says, there are two types of companies: those that have experienced a data breach and those that will. When that terrible day comes to your app, it will be nice to know that no login credentials were stolen and that most of the data you store is so anonymized that even you don't know what belongs to whom.

Developers roll their own identity solutions for a number of (I contend) bad reasons, one of which is that using third-party identity providers is not easy because it is not very well explained. Until now. In this practical blog post, Eiji Kitamura provides a tutorial on how to implement JWT authentication with Google's Sign-On service.


Simple JWT Implementation

Single page apps (SPA) are not only the rage, but the future (for now). Their benefits include more responsive user interfaces, less traffic between the user and the server, and a more native experience for the user. Another benefit is that they can permit developers to implement a server-less back-end. An example of a server-less back-end is Amazon's Lambda functions.

User authentication and authorization are important topics no matter what architecture you select for your service, but they become a little tricky in the single page app world. Part of that trickiness is probably due to the fact that most of us are not accustomed to having to reintroduce ourselves and our qualifications in every encounter with someone, but that is exactly what a client has to do when talking to a server-less single page app back-end: there is no session to remember it, so every request must carry its own proof of identity.
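To make the "reintroduce yourself on every request" point concrete, here is a small added example (not code from this post or from the tutorials it links to) of a stateless back-end check: the server keeps no session, so each request carries a JWT in the `Authorization` header and the server re-verifies the signature and expiry every time. It assumes an HMAC (HS256) shared secret and a hypothetical `handle_request` function standing in for a serverless handler; the secret value is constructed for the demo. The verifier pins the algorithm, compares the signature in constant time, and treats a missing or past `exp` as a rejection.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    # Restore the padding that _b64url_encode stripped.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims, key, lifetime_s=3600, now=None):
    """Build an HS256 JWT carrying `claims` plus iat/exp timestamps."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + lifetime_s)
    compact = lambda obj: _b64url_encode(
        json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token, key, now=None):
    """Return the claims if the token is well formed, signed by `key` and unexpired."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm: the server decides how to verify, never the token.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    # Recompute the MAC over the exact bytes that were signed and compare
    # in constant time so signature checks do not leak timing information.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    # Only now is the payload trustworthy; enforce expiry (missing exp counts as expired).
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    return payload


def handle_request(auth_header, key, now=None):
    """Hypothetical serverless handler: (status, body) for one stateless request."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, {"error": "missing token"}
    try:
        claims = verify_token(auth_header[len("Bearer "):], key, now=now)
    except ValueError as exc:  # covers malformed base64/JSON as well
        return 401, {"error": str(exc)}
    return 200, {"hello": claims["sub"]}


if __name__ == "__main__":
    token = issue_token({"sub": "user-123"}, SECRET, lifetime_s=60)
    print(handle_request("Bearer " + token, SECRET))
```

Every call to `handle_request` starts from nothing but the bearer token; that is the whole point of the SPA plus serverless model, and it is why the verification step has to be strict about algorithm, signature and lifetime on each request rather than once at login.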

Naren Arya has posted this excellent tutorial on the basics of implementing JSON Web Tokens (JWT) and explains his interest in the topic this way:

JWT authentication is becoming very popular these days. The traditional authentication uses cookies and sessions. With the advent of Single Page Applications (SPA) and microservices, there is a need to look beyond the sessions. Any token based authentication serves that purpose. JWT is a type of token-based authentication.

He's absolutely right.

If you are new to JWT or, as in my case, have probably implemented it...ah...imperfectly, read his post AND do yourself the favor of trying it out.

Once I read this post and understood the basics of JWT, I was able to go back to my app and fix my integration with Google's OAuth service.
Thomas James Daley