this post was submitted on 01 Jul 2023
90 points (97.9% liked)
Web Development
SSO has already been mentioned, but expanding on that for those that aren't familiar:
When you have a big organization with lots of people who need to access maybe dozens of sites to do their work, it quickly becomes a nightmare to manage. You'd have to invite the user on dozens of sites, you can't easily control their access, and it's easy to forget about some accesses. You have to care about users using a good enough password, making sure they sign up with their work email, etc.
Enter SSO. The company maintains a central directory for their users, where they can enforce password policies, enforce the use of 2FA, and can put users into groups that grant them access and permissions to external services. So they can make, say, a "developers" group and it gives you access to a testing AWS environment, read-only access to logs in DataDog, access to some settings in Cloudflare, etc. They put your user into that group and you automatically get access to all that.
Of course at that point, you don't have a password for any of those sites. But you need a way to log in. So that's why the login process is multistep: you first enter your email and submit that. From there, the site can determine if you belong to an SSO organization and redirect you to the SSO flow, where you'll authorize the login and your company can also grant or deny the access to that site through your company email account. And then you're in, no password required, because supposedly you're already logged in to your company email or logged in as a side effect of logging in to a company computer.
If you have a regular account, then the site can prompt you for your password, and optionally your 2FA code. They could just put all 3 fields on the same page, but at that point you don't know if the user needs a password, or if they need an MFA code as well.
Plus, if you don't have an account at all, it can then show you a registration page to enter the rest of your details, so you don't even need a separate registration flow either.
To add to this... Sites that initially show both the username and password fields can get very confusing when using SSO. Dropbox used to be like this: it'd show both fields, but as soon as you entered an email address that uses SSO, it'd hide the password field. Sometimes the request would fail and so it'd still show the password field, but no passwords are valid for an SSO account, so it'd just look broken.
Once I learned how this was implemented I now only enter a@company.com into the email since it’s going to redirect to a company sso anyway.
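The email-first flow described in the first comment (discover the path from the address, then redirect to SSO, prompt for a password and optional 2FA, or fall through to registration) and the broken-looking state in the Dropbox reply, as an added JavaScript example. This is not code from the thread or from any product mentioned; the SSO domain table, the local account table, the IdP URL and the response shape are made up for illustration.

```javascript
// Added example, not from the original thread. Identity-first login:
// step 1 the client submits only the email; step 2 the server decides the
// path (SSO redirect, password, or registration); the client then renders
// only the fields that path needs. All data below is constructed.

// Hypothetical directory of domains that are federated to a company IdP.
const SSO_DOMAINS = new Map([
  ["company.example", { idp: "https://sso.company.example/login" }],
]);

// Hypothetical local (non-SSO) accounts and whether they enrolled in 2FA.
const LOCAL_ACCOUNTS = new Map([
  ["alice@personal.example", { mfaEnrolled: true }],
  ["bob@personal.example", { mfaEnrolled: false }],
]);

// Lower-case and split the address; returns null for anything malformed.
function normalizeEmail(email) {
  const trimmed = String(email ?? "").trim().toLowerCase();
  const at = trimmed.lastIndexOf("@");
  if (at < 1 || at === trimmed.length - 1) return null;
  return { address: trimmed, domain: trimmed.slice(at + 1) };
}

// Server side: decide the next step from the email alone.
function discoverLoginPath(email) {
  const parsed = normalizeEmail(email);
  if (!parsed) return { step: "error", reason: "invalid_email" };

  const sso = SSO_DOMAINS.get(parsed.domain);
  if (sso) {
    // Every address at a federated domain goes to the IdP, whether or not
    // this site has seen it before; the IdP decides if the user exists.
    const hint = encodeURIComponent(parsed.address);
    return { step: "sso_redirect", redirectTo: `${sso.idp}?login_hint=${hint}` };
  }
  const account = LOCAL_ACCOUNTS.get(parsed.address);
  if (account) {
    return { step: "password", fields: account.mfaEnrolled ? ["password", "otp"] : ["password"] };
  }
  return { step: "register", prefill: { email: parsed.address } };
}

// Client side: map the discovery response to what the form shows. A failed
// or unrecognised response never falls back to a password field, because
// an SSO account has no valid password and the form would just look broken.
function renderLoginStep(response) {
  switch (response?.step) {
    case "sso_redirect":
      return { fields: [], action: "redirect", target: response.redirectTo };
    case "password":
      return { fields: response.fields, action: "submit_credentials" };
    case "register":
      return { fields: ["name", "password"], action: "submit_registration", prefill: response.prefill };
    default:
      return { fields: [], action: "retry", message: "Could not determine how to sign you in. Try again." };
  }
}

// Full exchange for one address: what the client would be told to do.
function runLogin(email) {
  return renderLoginStep(discoverLoginPath(email));
}
```

Routing by domain rather than by known address is what makes a placeholder like a@company.com work: the site only needs the domain to pick the IdP. The password and register branches, as written, do reveal whether a non-SSO address has an account; a site that does not want to disclose that has to answer both cases identically and sort them out after the credential step.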