I’ve lost count on how many times I’ve done this:
- start a project
- build a login screen
- build the login procedure
- thought for a couple of minutes/hours/days about the password storage
- debugged the login screen
- debugged the login procedure
- build a “what’s my password” feature
- build a “manage my account” feature
- integrated with social logins
- debugged the social logins
- started the actual project
And in the end, we are never sure if we missed something, specially related to security. Reminder: broken auth and session management is on position 2 of OWASP’s Top 10.
If this sounds like something you’ve done as well, I’d then recommend to take a look at the project Keycloak. It’s an open source software for managing the users of your application, with a whole lot of features that you’d expect from a tool like this.
Granted, the tools is still in alpha, but I’m using it already for a couple of personal projects, with great success. Of special mention is the ability to easily detatch your front end to your backend, with the usage of JSON Web Tokens: with it, you don’t need to keep a state at all on the server side, usually a problem with APIs whose main consumer is a front end application.
And if your application happens to be hosted on a Wildfly/JBoss AS, you can use the Keycloak subsystem and have your application to be agnostic of the authentication/authorization procedores. It’s JAAS being cool again :-)