sequenceDiagram
Alice ->> magic.link: auth
magic.link ->> Alice: DID Token
Alice ->> Your Java Backend (Spring-Boot): Login with DID Token
Your Java Backend (Spring-Boot) ->> magic.link: Verify DID Token
magic.link ->> Your Java Backend (Spring-Boot): DID Token is valid
Your Java Backend (Spring-Boot) ->> Alice: signed JWT
This user-service provides a library for Spring-Boot 3 that can be used to integrate with the authentication service from https://magic.link. You can add your own Java Backend that uses his own JWT authentication and combine it. When implemented, the workflow looks as follows:
- Your User of your app wants to login to your application and enters his email adress into the login mask of your frontend.
- An One-Time-Password OTP is being created and shown to the user. At the same time, he gets an email with a login link.
- He clicks the link and gets a prompt to enter the previously shown OTP.
- If the OTP is being provided correctly, the window can be closed. The browser window, that initiated the login will later get logged in.
- The magic.link service returns a decentralized ID Token (DIDT)
- This DIDT then should be propagated to your backend. Your backend should verify the DID Token is valid (through calling the magic.link API) and the issuer is the expected email adress.
- When validated, your backend can issue a JWT and handle it in the response header to your frontend. The user is now authenticated with his email.
- You will need a magic.link account that can be obtained for free.
- You need to implement your own frontend and backend logic (and integrate this library here into your backend). Also checkout the reference implementations (see links down below).
- Optional: If you would like to add users to e.g. mailerLite: a mailerLite account (see description down below).
You can checkout the boilerplate projects / reference implementations that demonstrate the whole workflow. The projects are realized with Spring Boot 3 and React 18:
Checkout the Spring Boot project here and the React project here.
Please note: These projects are not "production ready" and are just illustrating the basic usage.
Also you can see the auth live in action in a demo app here.
The described workflow has a lot of advantages and offers a great user experience:
- Your users don't have to deal with finding and remembering complex passwords, which often times only results in people just writing their passwords to unsecure places.
- You don't have to deal with fake registrations or verifying if the email adress provided is valid.
- You get a TFA out of the box, which adds additional layer of security.
- You don't need users to register explicitly. In the example implementation, a new user is registered automatically, if it doesn't exist yet. However, this is of course dependant on your projects requirements.
- You don't need to deal with 'forgot password' functionality and your users don't have to deal with that also. They can always login, as long as they have access to their email (they always do).
- You don't need to setup infrastructure for sending emails.
- You can collect user mails without hassle.
Yes, this is very secure. However, there is nothing that cannot be hacked / compromised. Also please consider, if your users email account gets hacked, a new password can easily be obtained at the most applications / websites through the 'forgot password' functionality.
There are two Events being send when a user signs in with his email adress:
-
When a user gets registered: UserCreatedEvent
-
When a user logs in: UserLoggedInEvent
You will just need to listen to these Events and do whatever you want with the emails provided.
Checkout the reference implementation, that will listen to the Events and add users to a mailerlite group that is being configured in application.properties file (You will need a mailerLite account).
Don't forget to set event.on.userCreated or event.on.userLoggedIn or both to true if you would like to send the events.