JWT signing: HS256 vs. RS256

With the goal of increasing flexibility for our customers, AuthRocket has added support for JWT signing using the RS256 asymmetric algorithm. We've always offered the HS256 symmetric algorithm, which remains the default.

What's the difference?

HS256 is a symmetric algorithm, meaning there is one secret key shared between AuthRocket and the recipient of the token. The same key is used to both create the signature and to validate it. This key must be kept secret at all times.

If you are developing the app that receives the tokens, then you should use HS256. It is more secure, faster, and the token is smaller.

RS256 is an asymmetric algorithm, meaning it uses a public/private key pair. AuthRocket uses the private key for signing and provides you the public key to use to validate the signature.

If you don't have control over the app/client receiving the tokens, then RS256 is a good choice. The public key can be embedded in a browser or mobile app, doesn't have to be kept secret, and can be shared without compromising security.

We still recommend using a symmetric algorithm any time it's possible since it produces smaller tokens and signs faster. Accordingly, HS256 remains the default, but now you have an alternative for when HS256 isn't right for you.

Details here.

Having trouble deciding which is best for your app?  Tell us a little about your project.  We'd love to help.

New Social Provider: Slack

By now, just about everyone that uses a computer for work, even if only a little bit, is familiar with Slack.  At AuthRocket, we love Slack.  Our team uses it daily for quick communication, sharing notes and screenshots on current projects, and to scour the web for useful industry information.

Odds are you use Slack and it's likely your customers do too.

So we've added Slack to our Social Login provider list.  If you want your users to be able to login to your app using their Slack credentials, you can accomplish that in extremely short order.

All it takes to make it work for your app: Turn on Slack as an auth provider within the AuthRocket UI and visit Slack for a few minutes of setup.

See the details here.

Need help with Social Login?  Tell us what you're up to.  We'd love to help.

AuthRocket Dashboard

Many of the important new features we add are found in the background of AuthRocket.  They have included behavioral changes, UI streamlining, ways to make integration even easier, and more.

This update, however, is front and center.  In fact, if you have logged into the AuthRocket UI in the last few days, then you've already seen it.

For those that haven't, we've introduced some helpful metrics to your Realm dashboard.  Realms are versatile containers that hold your Users and groups (Orgs).  Most often, our customers use a Realm to hold an entire app.

Your new Realm dashboard looks like this:

It includes total logins, users created (New User signups, plus Users added via app backend), and failed logins.  We've also included a handy pie graph of the types of Logins: Passwords, Social Logins by provider, etc.

All of this is intended to help you better understand the way your app is being used and to use that understanding to better interact with your Users--perhaps by using User login Events to trigger actions.

A few notes on Events

Every time a User logs into your app, a unique Event is created in AuthRocket.  These Events can be used to trigger actions.

Maybe you'd like to trigger a welcome email to a newly registered User.  Or perhaps in a high-security environment, you want to validate a new User via email.  Because of the way AuthRocket creates and uses Events, you can knock out chores like these in minutes without writing code--all you have to do is turn them on and do a little basic config in the AuthRocket UI.

So Events allow us to deliver important User data to your Realm dashboard and to trigger useful interactions, both with the goal of better User understanding and engagement.

Questions about Events?  Comments?  Drop us a line.

Disabling Signups in LoginRocket

LoginRocket, our ready-to-go logins and signups platform, has always had the ability to selectively enable or disable various features, quickly and easily.  However, when it came to Signups, this included the limitation that Signups via Social Login were always enabled if Logins were enabled.

We're not fans of limitations, so we've improved this.  Now, disabling Signups in LoginRocket disables all signups, including new users using Social Login.

This is a breaking change, so the old behavior has been preserved for existing customers who had Signups disabled while using Social Auth.  If you are an existing AuthRocket customer and prefer the old behavior, you don't need to do anything.

Changing to the new behavior can be toggled in your LoginRocket settings.

As always, we'd love to hear about your app.  Tell us how we can help you make it better.

Orgs for LoginRocket

We're always on the hunt for ways to streamline the process of user management.  Our goal is to free you up to focus on your core business, and not on users and passwords.  Unsurprisingly, one of our most popular features is LoginRocket, our hosted logins and signups platform.

For years, LoginRocket has given you the easiest path to building a fully-functioning login page and registering and logging in your users.  Now we're giving you the option of adding an Org (group) and Membership to your registering users.  Configuring this in LoginRocket takes approximately 11 seconds.

In the AuthRocket management UI, go to Settings->LoginRocket and choose to enable signups via LoginRocket.  Then, under "Signup mode", click "Create Users+Orgs+Memberships".

If you want to add default permissions, you can do that as well.


And finally, if you want your Signup page to ask your registering user for an Organization name, then add that field to your signup page on the right.  Setting "Organization name" to "Hide" tells LoginRocket to create an Org and name it after the User.

As always, this works for both password-based signups as well as first-time users using Social Login.

For more info, see Handling Signups.

Questions?  We'd love to hear from you.