The common pattern for user registration, sign in, reset and removal of an account written out

Auth Standard Requirements

Problem statement

Authenticating, registering, resetting credentials, verifying, and unregistering are a common application pattern, and common patterns for implementing them exist, but many implementations make it hard to reuse the best solutions across different frameworks. While almost every application has this requirement, no standard has been defined.

Possible reasons why it's difficult

  • Too many backend solutions for storing and updating credentials (DB, LDAP/AD, API, SSO, SAML, …)
  • Added complexity when authorisation is required
  • Added complexity when MFA is required
  • Frameworks provide their own tools for integration, but are not interchangeable

Common components used

  • a username: can take the form of a number, a string of characters, an email address
  • a password or passphrase: a secret known only to the user (random characters, if it is generated rather than chosen)
  • an email address or phone number: used to verify that the user controls it

Common scenarios used

Registration of a new user

  1. Registers for an account with username, password, password validation, some personal details, and an email address or phone number for validation purposes
  2. Receives a confirmation email or text message with a verification code or link
  3. Enters the validation code or clicks the validation link
  4. Registration process is completed

Authentication of an existing user

  1. Signs in with known username and password/passphrase
  2. If successful, authentication is completed
  3. If unsuccessful, the login screen is returned with a generic error message (the same for an unknown username and a wrong password, so the response does not reveal which accounts exist)
  4. Authentication process is completed

Reset of an account

  1. User provides username
  2. Message informs user that if account is known, an email or a text message will be sent with instructions to reset their account (for both valid and invalid accounts)
  3. The code has to be entered or the link in the email has to be followed
  4. The user provides a new password/passphrase (with second credential field for validation)
  5. Reset process is completed

Deactivation of an account

  1. User provides a username
  2. Message informs user that if account is known, an email or a text message will be sent with instructions to deactivate their account (for both valid and invalid accounts)
  3. The code has to be entered or the link in the email has to be followed
  4. The user has to explicitly confirm again to deactivate or remove the account
  5. Deactivation process is completed
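
The four flows above (registration with verification, sign-in, reset, deactivation) written out as one small, framework-independent Python service. This is an added example, not code from the gist: every name in it (AuthService, Account, PendingToken, TOKEN_TTL) is an assumption, and a list stands in for the email/SMS channel so it runs offline. It shows the properties the steps imply but do not spell out: salted password hashing, single-use codes stored only as hashes and expiring after a fixed time, a sign-in that behaves the same for unknown users and wrong passwords, and one identical reply to a reset or deactivation request whether or not the account exists.

```python
"""Constructed example of the registration, sign-in, reset and deactivation flows.
Not from the gist; all names are hypothetical. self.outbox replaces email/SMS."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL = 15 * 60   # seconds a verification/reset/deactivation code stays valid
SALT_LEN = 16


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Salted scrypt; the salt is stored in front of the digest."""
    salt = salt or secrets.token_bytes(SALT_LEN)
    return salt + hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


@dataclass
class Account:
    username: str
    email: str
    password_hash: bytes
    verified: bool = False    # set once the registration code is entered
    active: bool = True       # cleared by deactivation


@dataclass
class PendingToken:
    username: str
    purpose: str              # "verify", "reset" or "deactivate"
    expires_at: float


class AuthService:
    # One sentence for known and unknown usernames alike (reset/deactivation step 2).
    GENERIC_RESPONSE = "If that account exists, a message with instructions has been sent."

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.accounts = {}        # username -> Account
        self.tokens = {}          # sha256(token) -> PendingToken; raw tokens are never stored
        self.outbox = []          # (recipient, purpose, token) stands in for email/SMS
        self._dummy_hash = hash_password(secrets.token_urlsafe(16))

    def _issue_token(self, acct: Account, purpose: str) -> None:
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()
        self.tokens[key] = PendingToken(acct.username, purpose, self.now() + TOKEN_TTL)
        self.outbox.append((acct.email, purpose, token))

    def _consume_token(self, token: str, purpose: str):
        key = hashlib.sha256(token.encode()).digest()
        pending = self.tokens.pop(key, None)   # single use: removed even if the checks below fail
        if pending is None or pending.purpose != purpose or pending.expires_at < self.now():
            return None
        return self.accounts[pending.username]

    def register(self, username, password, password_confirm, email) -> None:
        if password != password_confirm:
            raise ValueError("passwords do not match")
        if username in self.accounts:
            raise ValueError("username unavailable")
        self.accounts[username] = Account(username, email, hash_password(password))
        self._issue_token(self.accounts[username], "verify")   # step 2: code/link sent

    def confirm_registration(self, token: str) -> bool:
        acct = self._consume_token(token, "verify")
        if acct is None:
            return False
        acct.verified = True
        return True

    def sign_in(self, username, password) -> bool:
        acct = self.accounts.get(username)
        # Always run the hash (against a dummy for unknown users) so neither timing nor the
        # generic error message reveals whether the username exists.
        stored = acct.password_hash if acct else self._dummy_hash
        ok = verify_password(password, stored)
        return bool(acct and acct.verified and acct.active and ok)

    def _request(self, username, purpose) -> str:
        acct = self.accounts.get(username)
        if acct and acct.active:           # unknown or inactive accounts: silently do nothing
            self._issue_token(acct, purpose)
        return self.GENERIC_RESPONSE       # identical reply either way

    def request_reset(self, username) -> str:
        return self._request(username, "reset")

    def complete_reset(self, token, new_password, new_password_confirm) -> bool:
        if new_password != new_password_confirm:   # step 4: both fields must agree
            return False                           # token is untouched, user may retry
        acct = self._consume_token(token, "reset")
        if acct is None:
            return False
        acct.password_hash = hash_password(new_password)
        return True

    def request_deactivation(self, username) -> str:
        return self._request(username, "deactivate")

    def confirm_deactivation(self, token, confirmed: bool) -> bool:
        if not confirmed:                          # step 4: explicit second confirmation
            return False
        acct = self._consume_token(token, "deactivate")
        if acct is None:
            return False
        acct.active = False
        return True
```

Storing only the SHA-256 of each code means a leaked token table cannot be replayed, and popping the entry before validating it makes every code single-use regardless of outcome; the caller sees nothing but True or False, so a failed step gives the same information for a forged code, an expired one and one issued for a different purpose.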