6. External SSO

Using an External IdP

While we can setup our own identity provider, in most cases it’s preferred to use an external provider
An external provider allows us to leverage the accounts/sign in infrastructure from an another organization (like Github)
It makes it a lot easier for users to register for our application as they don’t need to make another account
On top of logging in, we can also access other information from the external IdP (i.e. usernames or emails) but what is offered can change depending on the external IdP

We have lots of options for integrating an external IdP, but instead of implementing sometihng like OAuth 2.0 ourselves we can leverage a library that has implemented this already
Passport is an authentication middleware for Express, it simplifies adding authentication to a web app
Passport supports many strategies for authentication, such as local login (with a regular username and password) or with an external provider like GitHub

When integrating GitHub SSO using Passport, the process involves several steps:

User Initiates Login
- The user clicks “Login with GitHub” on your app.
- They are redirected to GitHub’s login page.
GitHub Authentication
- GitHub prompts the user to log in (if not already logged in) and grant permissions to your app.
GitHub Redirects to Your App
- Once the user approves, GitHub redirects them to your app’s callback URL (configured in GitHub’s OAuth settings) with an authorization code.
Token Exchange
- Your app exchanges the authorization code for an access token using GitHub’s API. This access token allows your app to fetch user data.
User Data Handling
- Passport’s GitHub strategy fetches user data (e.g., username, email, profile ID) from GitHub.
- You decide how to use this data—for example, creating a new user record or matching it with an existing account.
Session Creation
- Once authenticated, Passport saves the user’s ID in the session. This allows the user to remain logged in as they navigate your app.