So I am building an application that requires single-sign-on. It is split into a frontend-app and a backend-app where the backend is implemented in Elixir/Phoenix. I have found a lot of examples going through this flow but they all assume an Elixir/Phoenix project with a frontend containing view-templates etc. My backend will only serve JSON responses.
- Is Ueberauth still the right choice in this case?
- Should SSO authentication be in the backend?
Once authenticated using Ueberauth and using an identity provider like Google I receive a token with a lot of information from them. Based on this I can lookup/create a user in my own database. Now:
- Do I pass this token I got from the provider back to the frontend? Or do I create a new (JWT) token with info relevant to my application/authentication using Guardian? The Google token has an expiry of 1 hour, whereas I could control this on my own without being dependent on a provider. However, then I have only used Ueberauth for the lookup/creation of a user. Security is still relying on implementing JWT authentication correctly. Is this correct?
I appreciate any help. I have been reading many articles about it but I don’t get the full flow.
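The flow asked about above, as an added example that is not part of the original post: a JSON-only Phoenix controller finishes the Ueberauth callback, looks up or creates the user, and hands the frontend an application-issued Guardian JWT with a short TTL instead of the provider's token. The module names (`MyApp`, `MyAppWeb`, `MyApp.Accounts`), the `Accounts.find_or_create_from_oauth/1` and `Accounts.get_user/1` helpers, and the 15-minute TTL are assumptions; Ueberauth provider config and the Guardian `secret_key`/`issuer` config are assumed to be set as in those libraries' READMEs.

```elixir
# Added example, not from the original post. MyApp/MyAppWeb module names and
# the Accounts helpers are assumptions.
defmodule MyAppWeb.AuthController do
  use MyAppWeb, :controller

  # Ueberauth's plug handles /auth/:provider (redirect to the IdP) and
  # /auth/:provider/callback (code exchange, response validation, building
  # the %Ueberauth.Auth{} struct). The controller only sees the result.
  plug Ueberauth

  alias MyApp.Accounts
  alias MyApp.Guardian

  # Provider rejected the login or Ueberauth's checks failed: no token issued.
  def callback(%{assigns: %{ueberauth_failure: failure}} = conn, _params) do
    errors = Enum.map(failure.errors, & &1.message)

    conn
    |> put_status(:unauthorized)
    |> json(%{error: "authentication_failed", details: errors})
  end

  # Provider verified the user. Only identity attributes are kept; the
  # provider's own tokens (auth.credentials) never leave the backend.
  def callback(%{assigns: %{ueberauth_auth: auth}} = conn, _params) do
    attrs = %{
      provider: to_string(auth.provider),
      uid: auth.uid,
      email: auth.info.email,
      name: auth.info.name
    }

    with {:ok, user} <- Accounts.find_or_create_from_oauth(attrs),
         {:ok, token, claims} <- Guardian.encode_and_sign(user, %{}, ttl: {15, :minute}) do
      # The application controls the lifetime of this token, independent of
      # the provider's 1-hour expiry.
      json(conn, %{token: token, expires_at: claims["exp"]})
    else
      {:error, reason} ->
        conn
        |> put_status(:unprocessable_entity)
        |> json(%{error: inspect(reason)})
    end
  end
end

defmodule MyApp.Guardian do
  use Guardian, otp_app: :my_app

  # The "sub" claim carries only the local user id, nothing from the provider.
  def subject_for_token(%{id: id}, _claims), do: {:ok, to_string(id)}
  def subject_for_token(_, _), do: {:error, :no_id}

  # On every API request the verified claims are mapped back to a user row,
  # so a deleted user is rejected even if their token has not expired yet.
  def resource_from_claims(%{"sub" => id}) do
    case MyApp.Accounts.get_user(id) do
      nil -> {:error, :not_found}
      user -> {:ok, user}
    end
  end
end

# Pipeline protecting the JSON API: the frontend sends
# "Authorization: Bearer <token>"; only tokens signed with the application's
# own secret pass VerifyHeader/EnsureAuthenticated.
defmodule MyAppWeb.AuthPipeline do
  use Guardian.Plug.Pipeline,
    otp_app: :my_app,
    module: MyApp.Guardian,
    error_handler: MyAppWeb.AuthErrorHandler

  plug Guardian.Plug.VerifyHeader, scheme: "Bearer"
  plug Guardian.Plug.EnsureAuthenticated
  plug Guardian.Plug.LoadResource
end

# Missing, expired or tampered tokens get a JSON 401 instead of a redirect.
defmodule MyAppWeb.AuthErrorHandler do
  @behaviour Guardian.Plug.ErrorHandler
  import Plug.Conn

  @impl true
  def auth_error(conn, {type, _reason}, _opts) do
    conn
    |> put_status(:unauthorized)
    |> put_resp_content_type("application/json")
    |> send_resp(401, Jason.encode!(%{error: to_string(type)}))
  end
end
```

Route `/auth/:provider` to `:request` and `/auth/:provider/callback` to `:callback`, and put the API routes behind `MyAppWeb.AuthPipeline`. Because the callback is reached by a browser redirect from the identity provider, a real deployment would hand the token to the frontend via a redirect to a frontend URL or a cookie rather than a raw JSON body; the example returns JSON to keep the split between "Ueberauth establishes identity" and "Guardian issues and verifies the application's own token" visible.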