Building Authenticated Systems

We will go over a few ways you can implement authentication (including offline authentication strategies) and then dive into some code for both a server and a client which you can adapt to suit your own app.

Topics discussed

  • Using External OAuth2 Providers
  • Creating your own OAuth2 Provider
    • Local Authentication Strategy if users don't want to use their existing accounts with another provider
  • User Profile database
    • User's profiles from their OAuth providers + internal fields
  • API Client database
    • Registered API clients which can interact with the data on behalf of users
  • Border
    • AB testing by user
    • AB testing by API client
    • GEO sharding directing requests to closer instances of services
    • Rate-limiting x requests per hour/day etc
    • Throttling
    • User authorization/de-authorization
    • Activity tracking
  • Library for parsing our JWT
    • Used client side or server side to verify that a given JWT
      • Make available its contents to the context
      • Hasn't been modified since it was signed
      • Hasn't expired
  • Sample service repo
    • Use JWT Header to verify request
    • Perform CRUD on a x resource, respecting user's roles on that resource
    • Accepts any JSON as the resource (uses levelDB to keep things simple, but could be any persistent store)



  • Level N/A
  • Language en
  • Duration 30 min
  • oauth2
  • jwt
  • PassportJS
  • bower