User Authentication Model in Reshift
A detailed guide on how the user authentication model works in Reshift
Reshift integrates with the major source code repository providers, GitHub and Bitbucket. Because of this integration, Reshift offloads responsibility for user credentials to those providers. Reshift does not store or transmit any user credentials; all user login and access happens on the client side (in the browser) and only between the client and the source code service provider. Outlined below is the authentication flow for the Reshift login process with a code repository service provider, which follows the OAuth2 authorization code grant flow.
- Reshift, through the browser, redirects the user to the OAuth server (GitHub or Bitbucket)
- The user approves authorization of the application (Reshift) with limited access
- The user is redirected back to Reshift with an authorization code
- Reshift then exchanges the authorization code for an access token, which it uses to act on behalf of the user.
Note: The access token is a short-lived credential granting permissions on behalf of the user. Users have full control to revoke that access token through the source code provider's website. Additionally, once the access token expires, Reshift can no longer use it to access the service provider for data on behalf of the user.
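The four steps above, carried through as an added example (not Reshift's own code): the redirect URL is built with an unguessable `state`, the callback is accepted only if that `state` matches, and only then is the single-use code exchanged for a token. GitHub's public OAuth endpoints are used as constants; `exchange_code` is a hypothetical injected function standing in for the server-to-server token request, and `fake_exchange` is a constructed stand-in so the example runs offline.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# GitHub's documented OAuth endpoints (authorization and token exchange)
AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
TOKEN_URL = "https://github.com/login/oauth/access_token"


def new_state():
    """Unguessable per-login value that binds the callback to this browser session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, scope, state):
    """Step 1: the URL the browser is redirected to; no user credentials pass through the app."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,             # request the least privilege the app needs
        "state": state,
        "response_type": "code",    # authorization code grant
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(callback_url, expected_state, exchange_code):
    """Steps 3 and 4: validate the redirect back, then swap the code for an access token.

    exchange_code(code) is the hypothetical server-side POST to TOKEN_URL; it is
    injected so this example runs without network access.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        # The user declined authorization on the provider's site.
        raise PermissionError(query["error"][0])
    state = query.get("state", [""])[0]
    # Constant-time compare; a mismatch means this login was not started by us (CSRF).
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: rejecting callback")
    code = query["code"][0]
    token = exchange_code(code)   # the code is single-use and short-lived
    return token["access_token"]  # bearer token used on the user's behalf, never a password


def fake_exchange(code):
    """Constructed stand-in for the token endpoint response (no network)."""
    assert code == "abc123"
    return {"access_token": "token-constructed", "token_type": "bearer", "scope": "repo"}
```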
Reshift integrates with all major source code repository providers: GitHub, Bitbucket and GitLab. This integration offloads the responsibility for user credentials to the source repository providers. Reshift supports Two-Factor Authentication (2FA) through the providers during the OAuth2 credential negotiation. As in the section above:
- Reshift redirects the user to the service provider's website to grant access
- The service provider, if 2FA is enabled, performs 2FA during the authentication and grant process
The two important points to note are that 2FA is supported by GitHub, Bitbucket and GitLab, and that Reshift delegates authentication and the 2FA workflow to them, removing the need to store sensitive user credentials within its own internal infrastructure.