The Backend Playbook

Appearance

Zitadel

We use Zitadel to handle authentication and authorization in our applications. Zitadel provides a modern, secure, and flexible solution for managing user access while allowing for easy integration with external identity providers.

Authentication

Frontend

The frontend handles authentication directly using the OAuth2 PKCE (Proof Key for Code Exchange) flow. This ensures a secure exchange of tokens without exposing sensitive credentials.

  • Session Management: The frontend is responsible for managing the user session, including handling token storage and renewal.
  • Security: OAuth2 PKCE adds an additional layer of security by mitigating the risk of interception attacks during the authentication process.

Backend

The backend does not directly handle authentication but focuses on validating the access token received from the frontend. Zitadel provides public keys, which are rotated periodically, to verify the authenticity of these tokens.

  • Token Validation: The backend validates the access tokens against the rotated public keys provided by Zitadel, ensuring the token’s integrity and validity.
  • Decoupled Design: By offloading token management to the frontend and Zitadel, the backend remains lean and focused on its core responsibilities.

Authorization

Authorization is managed through roles which can be optionally defined in Zitadel. Access tokens issued by Zitadel include the necessary claims to determine a user’s permissions. Roles & Permissions can also be managed and stored directly in the Backend.

  • Role-Based Access Control (RBAC): User roles and permissions can be configured in Zitadel and enforced across the application.
  • Scalability: Zitadel’s model allows for fine-grained control, making it suitable for applications with complex access requirements.

External Identity Providers

Zitadel supports seamless integration with a wide range of external identity providers (IDPs), such as Google, GitHub, and more. This makes it easier for users to sign in using their existing accounts.

  • Convenient Sign-Up: Users can sign up or log in with external IDPs, reducing the friction of account creation.
  • Enterprise Support: Organizations can integrate their corporate IDPs for streamlined employee access.

Custom Authentication Flows

For scenarios requiring bespoke authentication processes, Zitadel provides the flexibility to implement custom flows. These flows can include custom UI designs and tailored logic to meet specific business needs.

  • Custom UI: Fully customizable authentication interfaces can be built to align with branding and UX requirements.
  • Extensibility: Zitadel’s APIs allow for the creation of unique workflows, ensuring compatibility with specialized use cases.

By leveraging Zitadel, we ensure our applications offer secure, user-friendly, and scalable authentication and authorization solutions.