from Hacker News

Ask HN: Minimum Authentication/Authorization Features for a on Prem Web App?

by monkey26 on 4/4/17, 7:56 PM with 4 comments

I've developed a web application (an event Dashboard really) that is starting to get more users, but it doesn't have any authentication yet, instead it relies on the user to setup their own authenticating reverse proxy, and as you might expect, authentication is a highly requested feature.

The app so far is something install on-prem, I don't have a cloud hosted version, but don't want to rule it out. Its mostly likely to be used by the IT and/or security team and small to medium size orgs.

What are the minimum features of AA I should be offering? Its not that hard to simply add .htpasswd type auth, but its something I want to attempt to get right the first time.

If it matters, its a single page web app built with Angular 2, and the backend is Golang.

I need to think about some sort of RBAC and/or ACLs as well.

Thanks for any input.

by osullivj on 4/4/17, 8:16 PM
My app [1] uses Auth0 for cloud authentication, which gives me login with Google & GitHub IDs. The on prem deployment uses pywin32 for Windows Auth, which is important in corporate environments that will require you to work with Active Directory. So I can use Windows UIDs like DOMAIN\userID. I can also map my rights groups to AD groups. My system isn't open source, but I do include all the JavaScript and Python source. So if you grab the download [2] you can read the pywin32 code in ssauth.py, as well as the Auth0 integration in the JavaScript and Tornado based backend Python.
[1] http://spreadserve.com
[2] http://spreadserve.com/s3/downloads.html
by davelnewton on 4/4/17, 7:59 PM
I'm not sure I totally understand the question.
A simple username/email and password solution seems like it'd solve authentication, but isn't that obvious?
Authorization depends totally on what your app actually needs, e.g., do different users have different roles? How fine-grained does the authorization need to be?