Consulting during Corona: An Expert’s POV

About implementing OAuth 2.0 and OpenID authentication protocols, starting a project remotely during COVID-19, and developing on the Microsoft stack in 2020

Interview with senior developer Steffen Jørgensen, currently on assignment at Mølholm Forsikring

Mølholm Forsikring (part of Gjensidige Forsikring) has brought on consultant Steffen Jørgensen to take charge of the integration of a new authentication system and to update the current protocols with OAuth 2.0 and OpenID Connect. It is a vital assignment, for which Mølholm needed a specialist consultant with hands-on experience in that particular area who could step in and help with their tight development schedule.

Auth protocols, flows and finding a way around new and old technology

Steffen’s job is to implement OAuth 2.0 and OpenID Connect, something which he has previously had great success doing with “NemID” (at eBoks). NemID is currently the biggest and most common login solution for Danish Internet banks, government websites and other private companies, and every citizen with a personal ID number relies on it.

In his role at Mølholm, Steffen is responsible for integrating against a Single-Sign-On server, enabling users who log on to Gjensidige to automatically log on to Mølholm as well.

“When you login to Gjensidige and Mølholm, then it is via NemID in Denmark. Gjensidige has an SSO server, which Mølholm’s web application needs to integrate against. The SSO server will handle the complete logon flow for the user, so that when the user is logged onto Gjensidige the user is automatically also logged in on Mølholm. The integration with the SSO server is using the OAuth 2.0 and OpenID Connect protocol, which today is the go-to and almost de facto standard for logon processes.”

OpenID Connect (OIDC) is an authentication protocol based on the OAuth 2.0 family of specifications. You can obtain JSON Web Tokens using auth flows that conform to the OAuth 2.0 specifications. OAuth 2.0 centers around resource access and sharing; OIDC is an identity layer on top of OAuth 2.0. The JSON Web Tokens – also called JWTs – contain so-called claims that can be used by the application (or relying party) to authorize what the user can and cannot do, and that provide basic information about the user or other relevant data for the relying party.

When it comes to OAuth 2.0 and OpenID Connect, there are many different authorization flows to consider, and it is essential to select the right one for the specific use case:

“There are a ton of different types of logins supported by this protocol. Users might opt to log in via browser, in a regular web application, but it could also be a SPA (edit: Single-Page App) or even use a native app on their phone to login. Furthermore, the protocol also supports authentication for server-to-server calls, where a server essentially has to authenticate itself with another server to use a specific API. All these different types of client integration have vastly different security challenges, and it is critical to choose the correct login flow and implement it correctly in order to keep the security tight. This all adds a lot of complexity as it requires a good understanding of the different client scenarios to set it up correctly.”

Mølholm’s starting point is a monolith structure, which is always a challenge when you are coming on board as an external consultant:

“When you come on board as a freelancer to develop solutions for the classic monolith structure, it can be a little overwhelming, since all the logic resides in the same application. On the other hand, if it is a microservice architecture, then it is much easier to get an overview of what each service is doing. In the initial discovery phase, it is crucial to be aware of the specific technology you are working with. Often you have to get down in the nitty-gritty of it all if the framework is not the newest version. Therefore, in the planning phase of the project, you have to take into account the specific version of the framework you are working in because there might be limitations on what that version can do compared to the newest version of the same technology.”

He continues:

“For instance, I have worked a lot with .NET Core, which is newer and therefore also has much better support for OIDC compared to an ASP.NET MVC web application. Setting up login flows in the latter is more manual and time-consuming, since the components you have in .NET Core simply are not available there. This makes it a little more tricky, and with security, there is already a tiny margin for error.”

Starting a new assignment during COVID-19

For Steffen, the biggest challenge of the project was not the technical aspect. Instead, it was starting a new project in a new organization right when the coronavirus shut down the world.

Normally, for a high-end consultant, a certain degree of remote work is expected. It is a very independent role in nature, and with today’s technology, the consultant does not need to be working on location. Still, when high-end external consultants are brought on to help with complex projects, it all starts with getting the lay of the land of the company/organization in question, and that process involves a lot of face-to-face meetings with necessary stakeholders.

But COVID-19 turned all that upside down. In addition to high pressure, tight deadlines and a steep learning curve – the usual routine for an external consultant – there was now a new and unprecedented factor in the mix, which required additional flexibility and adaptability even for an external consultant:

“During this project, I have had to navigate the stakeholders of two merged companies located in two different countries and on top of this doing it all 100% remote due to the COVID-19 lockdown. The lockdown brought an extra layer of complexity to the communication aspect. And with the Danish team situated in Odense and the parent organization of Gjensidige in Norway, the coronavirus definitely made the job a little more challenging.
Essentially, you could say, I have been learning to navigate two different cultures at the same time.”

Steffen started the project right when the coronavirus shut down the entire world, forcing everyone to work remotely if they were lucky enough to be able to do so. And while external consultants are used to working independently and can be considered naturals in working remotely, according to Steffen, the importance of physical meetings, especially in the crucial start phase of a project, is not to be understated:

“You could say it is a bit of a lone ranger assignment. It is the first time I have worked a project exclusively from remote. I have no problem with the remote format, it certainly comes with the job, and as long as I have access to the required documentation, then I am self-sufficient and able to deliver. Still, the effect of COVID-19 has made me more aware of how much I appreciate the occasional face-to-face meetings. In fact, I find myself making it a priority to always use a webcam as a way to elevate remote meetings to a more normal human level of interaction with stakeholders.”

According to Steffen, COVID-19 has emphasized the importance of holding meetings face to face in order to build rapport, as it boosts morale and helps in times when everyone is scrambling to deliver:

“As people, we are skilled at reading body language. Reading the mood, ‘did he get what I just said, is a joke appropriate here?’, and so on. The process of building social relations is a big challenge when you are working remotely. But I believe it is worth the effort and investment; it needs to be a priority because we are human beings, not robots. Regular human interaction earns you a bit of leeway or builds a sort of credit with other people which translates into trust, and that is incredibly useful when workloads peak and everyone is feeling the pressure.”

Developing on the Microsoft stack in 2020

During the project Steffen has leveraged his expert knowledge of the Microsoft stack. Prior to his freelance career, Steffen worked as a backend developer at 3 (telecommunications and internet service provider) for almost a decade. He is a senior .NET developer and a skilled backend specialist who masters the full development stack and has substantial experience in the requirement analysis process with the client:

“I have always worked in the backend and Microsoft is a dominating force in that area and has been for many years with .NET being the go-to platform for many developers. Add to the mix that Denmark is a ‘Microsoft country’, with significant demand for developers with competences in the Microsoft stack, and you have all of these things, which when put together have played a role in putting me on my particular path.”

Microsoft is in a pretty good spot these days. They are continuously coming out with new software solutions on multiple fronts and have a massively popular cloud solution in Azure. This also means that developing on the Microsoft stack these days is quite exciting:

“With the risk of sounding like a Microsoft guy, I like what they are doing these days and the overall approach they have to developing new solutions. You can see that they are trying to think out of the box, they are at the forefront of new exciting technology, and going up against the other big boys, such as Google, Amazon, Facebook, etc. Competition is fierce, and of course, there might be a few misses along the way, but that is good in my book. It is proof that they are taking risks and pushing the envelope for new technology, which will result in better solutions down the line.”

Microsoft is having significant success with .NET Core, its newest open-source, cross-platform and modular implementation of .NET. While the .NET Framework is still more widely used, a survey conducted by Stack Overflow for 2020 shows that .NET Core is the “most-loved” non-web framework amongst developers, followed by Torch/PyTorch and Flutter.

“.NET Core is awesome. I like that they have gone with the open-source and cross-platform model for .NET Core. The speed at which they are updating and coming out with new versions is also excellent. Microsoft is doing a great job aligning their tech stack to the move towards the microservices architecture. And since .NET Core is platform-agnostic, it is also a perfect fit for being used in continuous deployment using containers. The goal is to be able to put your program in a container, upload it to the cloud somewhere, and not even think about whether the server is running Windows or Linux. It is entirely irrelevant, as it is not tied to any of them.”

“And when it comes to performance, .NET Core is superior to the old .NET framework. This aligns perfectly with today’s requirements to the modern architectures. Microservices, if that is what you are building, need to be scalable and highly efficient at solving the task they have been designated to solve. This solves the bottleneck problems that classic monolith architecture often suffers under.”

Microsoft’s future challenger to the all-mighty JavaScript

Another trending topic within the Microsoft universe, which Steffen is very enthusiastic about, is Blazor, a new cross-platform web UI framework that is taking the fight to JavaScript. It is a free, open-source web framework that allows developers to create web apps using C# and HTML:

“Blazor is Microsoft’s challenger to Angular, React and Vue. It completely takes JavaScript out of the equation, which has been the de facto language used on the browser/client level until now. Instead, Blazor provides the ability to develop the frontend logic using C#. This means that you can keep all your code in one language and get the benefits of using all the normal development processes and tools, i.e. TDD, unit tests.”

Blazor comes in two versions: server-side and client-side:

“Currently there are two versions of Blazor available: Server-side Blazor and WebAssembly Blazor. Server-side Blazor runs all code on the server and communicates with the browser using SignalR. This works really well, loads fast, and SignalR is a battle-tested approach to browser-server communication. But due to the nature of SignalR, there can be problems with scalability with this approach.
WebAssembly Blazor takes a radically different approach. Here all the required .NET DLLs are downloaded to the client and then run directly on the client using WebAssembly (Wasm). This is a massive advantage as the application still works if the connection to the server is lost, except for sending and receiving new data obviously. It even enables the application to be a progressive web app, where the user installs the application on the device like a native app.”

But while there are advantages, Microsoft still has one hurdle left to overcome if Blazor is to be competitive with JavaScript:

“The big drawback is that the initial download size can be quite big. The first production release of Blazor WebAssembly (released May 2020) has a download size of just under 2 MB. Depending on your internet connection, this might be an issue due to the time it takes the application to fully load on the client. This can be an issue for some users, even though most users in the western world have fairly fast internet connections available. If they can make the download of the framework smaller and thereby overcome the problem of speed, then they could have a winner on their hands in the form of Blazor.”

“Overall, it is pretty cool to be a developer on the Microsoft stack these days, and I am excited to see how the development of Blazor will turn out and whether it will end up a hit, and become the new go-to platform in its niche.”


Who

Steffen Jørgensen is a senior .NET developer with more than ten years of experience in the Microsoft stack. His main strengths lie in the backend and in the requirement analysis process with the client. He has strong agile experience, with four years of experience as a Scrum Master in addition to four years of implementing agile processes as a Team Lead.