
FYI, I'm a total newbie to server stuff (I'm an app developer, trying to implement a simple but secure API back end).

It sounds simple enough: the user sends his username/password, if it authenticates, you give them a token, and they include that token in all future requests.

But every example I find online uses a 3rd party auth provider (like Auth0 or Facebook) for the log-in part of this process.

Is there a reason why I can't just send an encrypted username and password in a regular API request to my own server, check it against a table that contains a hashed password, and generate a token on my own server? If not, why aren't there any examples of this? If there are, please point me to them.

I'm developing with Ktor (Kotlin), but any Java-style language such as Node will do.

Sam b
  • There is no reason why you couldn't do this. The reason is generally that the concerns of something like an API Gateway (or indeed any service provider) are very different from an AuthN provider (identity provider). If you're using an API Gateway such as Tyk.io, you might generate a JWT token from within the dashboard, and it's the JWT you might then use as a Bearer token. In general, how you get the JWT token is left up to the implementer (this can make it easier to integrate that into whatever framework you are using) – Cameron Kerr Apr 07 '21 at 13:00
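
The flow the question describes (check the password against a stored hash, then issue a token from your own server), as an added example that is not part of the original post or comment. It uses only Node's built-in `crypto` and assumes the credentials arrive over HTTPS; the function names, the in-memory `users` map standing in for the user table, and the sample account are all hypothetical.

```javascript
// Added example: self-hosted login with a salted scrypt hash and an HS256-signed bearer token.
const crypto = require('node:crypto');

const TOKEN_KEY = crypto.randomBytes(32); // assumption: a real server loads this from a secret store
const TOKEN_TTL_SECONDS = 15 * 60;
const b64url = (data) => Buffer.from(data).toString('base64url');
const sign = (input) => crypto.createHmac('sha256', TOKEN_KEY).update(input).digest();
const HEADER = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));

// The table stores "salt:hash" in hex, never the password itself.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  return `${salt.toString('hex')}:${crypto.scryptSync(password, salt, 32).toString('hex')}`;
}

function verifyPassword(password, stored) {
  const [saltHex, hashHex] = stored.split(':');
  const expected = Buffer.from(hashHex, 'hex');
  const actual = crypto.scryptSync(password, Buffer.from(saltHex, 'hex'), expected.length);
  return crypto.timingSafeEqual(actual, expected); // constant-time comparison
}

function issueToken(username, now = Math.floor(Date.now() / 1000)) {
  const payload = b64url(JSON.stringify({ sub: username, iat: now, exp: now + TOKEN_TTL_SECONDS }));
  return `${HEADER}.${payload}.${b64url(sign(`${HEADER}.${payload}`))}`;
}

// Returns the claims for a valid, unexpired token, otherwise null.
function verifyToken(token, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3 || parts[0] !== HEADER) return null; // pin the algorithm we issued
  const expected = sign(`${parts[0]}.${parts[1]}`);
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  return typeof claims.exp === 'number' && claims.exp > now ? claims : null;
}

// Constructed sample data: one account in an in-memory stand-in for the user table.
const users = new Map([['alice', hashPassword('correct horse battery staple')]]);
const DUMMY_HASH = hashPassword('placeholder'); // keeps timing similar for unknown usernames

function login(username, password) {
  const stored = users.get(username);
  const ok = verifyPassword(password, stored ?? DUMMY_HASH);
  return stored && ok ? issueToken(username) : null;
}
```

Each later request would carry the token in an `Authorization: Bearer` header and be accepted only when `verifyToken` returns claims.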

0 Answers