- Users of your app do not have to create a new account with you. If you are offering a new product or service, there is a huge temptation to gather as much information as possible about your users. Resist that temptation. Gather only what you need, and one thing you do not need is to manage your users' usernames and passwords.
- You do not have to provide the customer service function of dealing with lost, forgotten, or compromised credentials (usernames, passwords). Google, Facebook, Amazon, etc. have thought about this a lot harder than you have and devoted way more resources than you have to this effort. Let them do it.
- You can connect otherwise personally identifiable but private information to an abstract ID from the third-party identity provider and thereby anonymize your data. As my good friend Shawn Tuma says, there are two types of companies: those that have experienced a data breach and those that will. When that terrible day comes to your app, it will be nice to know that no login credentials were stolen and that most of the data you store is so anonymized that even you don't know what belongs to whom.
Developers roll their own identity solutions for a number of (I contend) bad reasons, one of which is that using third-party identity providers is not easy because it's not very well explained. Until now. In this practical blog post, Eiji Kitamura provides a tutorial on how to implement JWT authentication with Google's Sign-On service.
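As an added illustration (not code from this post or from Mr. Kitamura's tutorial), the following Python shows the server-side half of what the tutorial describes: verify the ID token the provider issued, check the claims Google documents for its ID tokens (issuer, audience, expiry, subject), and then key the app's own records by the opaque `sub` claim rather than by email or name, which is the anonymization point made above. Real Google ID tokens are RS256-signed and must be verified against Google's published certificates (the `google-auth` library's `verify_oauth2_token` does this); so that the example runs offline, it instead mints and checks an HS256 token with a constructed shared secret. The client ID, secret and subject value are all constructed placeholders; the claim checks are the same either way.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the offline demo only.
DEMO_SECRET = b"demo-secret-not-for-production"
APP_CLIENT_ID = "example-client-id.apps.googleusercontent.com"  # placeholder
# Google documents both forms of the issuer claim for its ID tokens.
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint an HS256 JWT with the given claims (stands in for the provider)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_id_token(token: str, audience: str, secret: bytes = DEMO_SECRET,
                    now=None) -> dict:
    """Check signature, then the iss/aud/exp/sub claims.

    Raises ValueError on any failure and returns the claims on success.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("token was not issued for this app")
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


# In-memory stand-in for the app's database, keyed by the provider's opaque
# subject id. Email and display name from the token are deliberately not kept.
USER_RECORDS: dict = {}


def record_for_subject(claims: dict) -> dict:
    """Return (creating if needed) the app record for this identity."""
    key = "google:" + claims["sub"]
    return USER_RECORDS.setdefault(key, {"internal_id": key, "purchases": []})
```

A dump of `USER_RECORDS` then contains only provider subject ids and app data; no password hashes exist to steal, and linking a record back to a person requires the provider's help. In a real deployment the `now` parameter is dropped and the signature step is replaced by certificate-based verification of the provider's token.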