Authentication & Authorization
Supported Identity Providers
Domestic (China)
- WeChat / WeChat Work
- DingTalk
- Alipay
International
- Apple
- GitHub
- Microsoft (Azure AD/Personal)
Extended
- Passkeys (WebAuthn)
- TOTP 2FA
- SMS one-tap login
OAuth/OIDC Flow (Code Flow + PKCE)
Initiation
- User selects "Login with X"
- Backend generates `state` and `nonce`
- Frontend includes PKCE `code_challenge`
- Redirect to provider
Callback
- Verify `state`/`nonce`
- Use `code_verifier` to exchange tokens
- Extract user info from ID Token/userinfo endpoint
- Minimal fields: email, avatar, nickname, unique ID
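The Initiation and Callback steps above, written out as an added Python example (not the project's own code). It assumes the provider's authorize URL, client ID and issuer are configured elsewhere, that `pending` is persisted server-side between the two requests (e.g. in the session store), and that the ID token's signature and expiry have already been checked by an OIDC library before its claims reach `verify_id_token()`.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def pkce_challenge(verifier: str) -> str:
    """S256 method: code_challenge = base64url(SHA-256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def _eq(presented, expected: str) -> bool:
    """Constant-time comparison that tolerates a non-string / non-ASCII presented value."""
    return secrets.compare_digest(str(presented).encode(), expected.encode())

def begin_login(authorize_url: str, client_id: str, redirect_uri: str) -> tuple:
    """Initiation: mint state, nonce and PKCE pair; keep them server-side; build the redirect."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636's 43-128 range
    pending = {"state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32),
               "code_verifier": verifier}  # stored with the session; the verifier is never sent here
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid email profile",  # data minimization: no contacts/friends scopes
              "state": pending["state"], "nonce": pending["nonce"],
              "code_challenge": pkce_challenge(verifier), "code_challenge_method": "S256"}
    return f"{authorize_url}?{urlencode(params)}", pending

def token_request_body(query: dict, pending: dict, client_id: str, redirect_uri: str) -> dict:
    """Callback, step 1: refuse unless state matches, then build the code-exchange body."""
    if not _eq(query.get("state", ""), pending["state"]):
        raise PermissionError("state mismatch: CSRF or replayed callback")
    return {"grant_type": "authorization_code", "code": query["code"], "client_id": client_id,
            "redirect_uri": redirect_uri, "code_verifier": pending["code_verifier"]}

def verify_id_token(claims: dict, pending: dict, client_id: str, issuer: str) -> dict:
    """Callback, step 2: bind the ID token to this login (nonce/iss/aud) and keep only the
    minimal profile fields; signature and exp are assumed checked by the OIDC library."""
    if not _eq(claims.get("nonce", ""), pending["nonce"]):
        raise PermissionError("nonce mismatch: ID token was not issued for this login")
    aud = claims.get("aud")
    if claims.get("iss") != issuer or client_id not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("issuer/audience mismatch")
    return {"unique_id": claims["sub"], "email": claims.get("email"),
            "email_verified": bool(claims.get("email_verified", False)),
            "nickname": claims.get("name"), "avatar": claims.get("picture")}
```

`email_verified` is returned alongside the email so the account-binding step can merge only on a provider-verified address.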
Account Binding
Automatic Binding:
- Same verified email triggers merge (with user confirmation)
Manual Binding:
- Users manage multiple providers in "Account & Security"
- Prevent duplicate accounts
WeChat/No Email:
- Use `unionid`/`openid` as unique key
- Prompt for email/phone when needed
Data Models
Core Models
- `User` - User profile
- `UserIdentity` - Provider linkage (provider/subject/verifiedEmail/linkedAt)
- `Session` - Active sessions
- `RefreshToken` - Hashed storage with revocation
Security Fields
- Hashed tokens stored in Redis/MongoDB
- Token rotation with revocation support
- Device fingerprinting (lightweight)
Session Management
Tokens
- Access Token: Short-lived (e.g., 15-60 minutes)
- Refresh Token: Rolling refresh mechanism
- Storage: Hashed in database, revocable
Cookies
- `httpOnly`/`Secure`/`SameSite=Lax`
- Session cookie for authenticated state
- CSRF protection
2FA
- Require for critical operations
- Optional for regular use
Security Best Practices
Request Validation
- CSRF tokens
- PKCE for all OAuth flows
- `state` and `nonce` parameters
- Rate limiting on login endpoints
- Login anomaly detection
Data Minimization
- Request only email/profile scopes
- Reject contact/friends list access
- Cache tokens/user info as needed
- Regular rotation and cleanup
Compliance
- GDPR/CCPA/PIPL support
- Consent management
- Audit logging
- Data export/deletion rights
Common Tasks
Add New Provider
- Register application with provider
- Add client ID/secret to environment variables
- Implement OAuth flow handler
- Update user account binding logic
- Add UI login button
Account Merge
- Detect matching verified emails
- Prompt user for confirmation
- Merge identities under single user
- Migrate sessions and preferences
Session Cleanup
- Implement token revocation on logout
- Schedule cleanup of expired refresh tokens
- Audit active sessions in user dashboard