OAuth server?

Rodolfo

Α & Ω
Chevereto Staff
Administrator
License owner
When I went headless CMS for Chevereto 4, I didn't notice that sensitive account information like the password and email address would require extra considerations in the new model. This is because there's no user interface; all the actions are API commands.

How to manage passwords and email? It is too risky to provide endpoints for those, and if provided, it will spawn the hassle of having to check that no third party is abusing them, the rate limiting, bla bla bla. You know how it goes, a big bag of "told you so".

I think that there's the opportunity to solve this problem in a very elegant way by creating an account server application. This will allow providing account handling for all API clients, leveraging all the design, presentation, validation, proxy, etc. It is your own OAuth server for your Chevereto API.

At this time this is just a concept, but I wanted to share it with you.

The reasoning behind this idea is that the service becoming a headless API seeks to enable users to empower themselves by getting/crafting improved user interfaces. By doing this, user interfaces will be cheaper to develop, as the entire account handling is provided elsewhere.

What do you think about it? It's basically taking /login and /signup and distributing them as another service layer 😜

lovedigit

Well-Known Member
Internals
V3 Beta tester
License owner
Big Chevereto
This will be epic. :)
It will give website owners the freedom to choose the platform for auth.