Tutorial: Serverless Authentication

The Webcom Authentication Service makes it possible to reliably identify users of Webcom applications, in order to finely control their access to data. It additionally retrieves user identity details when they sign in, which can be used by applications to customize their behavior (user experience, specific configuration...).

Four classes of authentication methods are currently available to identify users:

Each method returns:

  • a Webcom account (or uid), which is a user identifier unique across all authentication methods for a given application.
    As it is guaranteed to be unique, applications should use this identifier to associate data with their users.
  • an identity (or providerUid), which is a user identifier specific to each authentication method.
    Conversely, as this identifier cannot be guaranteed to be unique across the various authentication methods, it is strongly discouraged to use it to refer to a user within an application.

The Webcom authentication model makes it possible to bind several identities (providerUid) of the same user to the same Webcom account (uid). This brings two main advantages to Webcom applications:

  • an end user is not constrained to always use the same authentication method. For example, s/he can sign in using either her/his email (with the email-based login) or her/his Facebook account (with the corresponding standard authentication delegation method).
  • an application may require several authentication methods to access some sensitive data. For example, the user may be forced to sign in using an SMS one-time password in addition to her/his initial email-based sign-in before reading the amount of her/his bank account.
    This is the way Webcom implements multi-factor authentication.
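
The model above, sketched as an added example (not Webcom SDK code and not taken from the Webcom documentation): several identities resolve to one uid, the same providerUid string can belong to two different users under two providers, and a read is allowed only once every required method has been used in the session. All function names, provider labels and sample values are hypothetical and constructed for illustration.

```javascript
// Constructed model of the uid / providerUid relationship (not Webcom SDK code).
let nextId = 1;
const directory = new Map(); // JSON [provider, providerUid] -> uid

const idKey = (provider, providerUid) => JSON.stringify([provider, providerUid]);

// Bind an identity to an account; without a uid, a new account is created.
function bind(provider, providerUid, uid = null) {
  const k = idKey(provider, providerUid);
  if (directory.has(k)) throw new Error('identity already bound');
  uid ??= `uid-${nextId++}`;
  directory.set(k, uid);
  return uid;
}

// A session holds one uid and the set of methods proven so far.
function signIn(session, provider, providerUid) {
  const uid = directory.get(idKey(provider, providerUid));
  if (!uid) throw new Error('unknown identity');
  if (session.uid && session.uid !== uid) {
    throw new Error('identity is bound to a different account');
  }
  session.uid = uid;
  session.methods.add(provider);
  return session;
}

// Access rule: all required methods must have been used in this session.
function mayRead(session, required) {
  return session.uid !== null && required.every((m) => session.methods.has(m));
}

function demo() {
  directory.clear();
  const alice = bind('email', 'alice@example.org');
  bind('sms', '+33600000001', alice);   // second identity, same account
  bind('facebook', '1001', alice);      // third identity, same account
  const bob = bind('google', '1001');   // same providerUid string, different user
  const s = { uid: null, methods: new Set() };
  signIn(s, 'email', 'alice@example.org');
  const beforeOtp = mayRead(s, ['email', 'sms']);
  signIn(s, 'sms', '+33600000001');
  const afterOtp = mayRead(s, ['email', 'sms']);
  return { alice, bob, beforeOtp, afterOtp, session: s };
}
```

Application data keyed on the bare providerUid '1001' would mix the two users' records here, while data keyed on the uid stays separate.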