![\"Squad](\"https://media.giphy.com/media/xUPGcGJJMFeAPhqrfi/giphy.gif\")
The software developer role is among the top 5 remote-oriented jobs in the world. After the pandemic, 92% of people expect to work at least 1 day per week from home, and 80% expect to work at least 3 days from home. Accordingly, fostering an environment and working conditions for software engineers to work remotely is inevitable. In fact, 75% of engineers want to work remotely, primary reasons being the lack of an annoying commute and a better work-life balance .
\nIf companies fail to create an effective remote working environment, their developers will eventually find another employer who can meet their needs to work remotely effectively.
\nThis article will give you 11 tips for managing remote software engineering teams, so you can adjust and improve your hiring, communication, and your team's collective output.
\nThe first and most obvious reason to hire remote developers is that your addressable talent pool is global . Utilizing a recruitment platform allows you to tap into a vast array of talent options. It's actually a good thing you don't have to deal with visas and relocation packages.
\nAnother reason is that many good developers are already in remote jobs. They have become used to a certain remote lifestyle and likely won't change that. As an employer, you must adapt to the growing market of digital nomads.
\nProbably the biggest challenge with managing remote teams is asynchronous communication or a complete lack of communication. This can cause delays, duplicate work, or even wrong requirements being implemented in the product.
\nIn an attempt to counter that, developers sometimes change their working schedules to have a bigger time overlap with their team members. However, this can easily lead to irregular working schedules and overworking.
\nLuckily, you can surmount all these challenges by establishing some rules for the team. Stand-up meetings are a widely practiced SCRUM ceremony and have proven to be a very effective communication method.
\nIt's also a good idea to hire developers who actually have worked in remote roles since they likely have more experience of self-management and are more goal-oriented than work-hours oriented.
\nTrust in the team, frequent communication, and feedback make a huge difference. Next, we're looking at 11 specific tips that you can implement to foster a more effective remote working culture within your software development team.
\nEstablish a stand-up meeting time and make sure to include all team members . Since the team is fully remote, you have to utilize video conferencing or text chat software like Slack to hold a stand-up meeting. This will allow for quick feedback loops on your progress throughout the day while also providing valuable face-to-face interaction with remote employees. A well-run stand-up meeting should take no more than 15 minutes so that participants can still get their work done afterward.
\nSchedule regular communication times during which people can discuss ideas, decisions, and general feelings about what is happening inside of your organization; this could be as small as one hour per week or as frequent as daily depending on what kind of information needs to flow between team members.
\nHowever, be cautious of video fatigue. The team at Solitaired improved their development team output and speed by moving their stand-up meetings to a written format. In the video meetings they had, they started writing email summaries and clearly outlining responsibilities.
\nOne tip for managing remote software development teams is to \"over-communicate.\" What does this mean? Don't just communicate as little as you can, which can create a feeling of insecurity among team members. Communication is critical when managing a remote team because you don't have the same level of informal rapport as in face-to-face interactions.
\nAnother thing you can do is send follow-up emails after VoIP phone calls. This helps to ensure that all points are covered and that nobody has any unanswered questions.
\nOne of the biggest challenges is timezones. You need to decide whether you want a consistent \"common time\" or if it's acceptable for team members to work off-hours . The advantage of common time is that all team members are on at once and can have conversations in real-time , which means more collaboration and less miscommunication.
\nOne of the essential qualities to look for in a software engineer is self-management. You want somebody who can think critically and find solutions instead of being told what to do. Self-managers also can see through other people's advice and execute accordingly; they are not chained by following others' instructions blindly without understanding why they're doing it this way or that.
\nStraightforward onboarding and product vision is a necessity for remote teams. Clear communication about what the team will be working on, how they will work together, and their managers can help reduce confusion among teammates.
\nBy providing clear expectations of roles and responsibilities and establishing an understanding of company goals early on in the process (even as early as employee training), you allow your new employees to hit the ground running with less stress.
\nGoals are more important than the number of hours your team works. You will never get a team to work harder by working them more hours. You don't want your employees to feel like they're on a hamster wheel. Instead, you want your team to pursue goals that inspire results. This is important because research has shown that employees will work harder and report to be 46% more productive when staff goals are aligned with organizational priorities.
\nMake sure your team knows what they're working on: Communicate with your remote teams (or any team) so that everyone is clear about the objectives of their projects. Make a habit out of updating them regularly on progress made or obstacles encountered. This way, you'll avoid getting blindsided when someone emails asking for an update; instead, you can proactively provide updates as they happen.
\nGood tools are a must for remote software engineering teams. These tools should allow for instant messaging, time tracking, file sharing, and scheduling.
\nA few in the list of great remote software engineering team tools are:
\nWhen managing a remote software engineering team, it is crucial to have an onsite person who can connect with the whole team. This person should be able to take over tasks when necessary and provide updates proactively. It will also be helpful for this lead engineer to help celebrate small accomplishments to keep morale high among team members who are far away from one another. One way could be giving rewards to team members who have gone the extra mile or finished a critical job in time. It's good for team morale to give praise publicly, in front of the entire team.
\nWhen managing a remote software engineering team, it is crucial to actively solicit feedback from the group. This will help build trust and understanding among team members. It can also prevent misunderstandings when regular staff members get back onsite or new hires arrive to understand their role within the company and expectations.
\nSince team members on a remote software engineering team lack in person interactions, it is vital to put emphasis on building trust with each other. This can be done through regular conference calls and short meetings for everyone to get acquainted with how they work together.
\nAnother way of building rapport is by providing online tools that allow team members to share thoughts or inputs and provide feedback and encourage self-management among employees who are not always on-site.
\nTo be successful, remote software engineering teams need natural ways of building trust. This includes annual get-togethers for the team to mingle and socialize with one another in a casual setting to chat about their projects on an individual level. This is a great opportunity for team-building activities and events.
\nTeam one-on-one communication is just essential as team cohesion. This allows your team members to talk about any difficulties, they're scared to bring up in group sessions. It's also a good moment to check in with team members about their role and whether it aligns with their overall career ambitions.
\nManaging remote software engineering teams is a critical part of the equation for creating a positive impact in your company. The challenge with handling remote teams can be people, time, or budget constraints. By following these best practices for managing remote software development teams and by investing wisely in your team members' success, you can work through any obstacles you face on the journey to becoming more successful as a business owner or a team lead.
\n","frontmatter":{"date":"July 26, 2021","updated_date":null,"description":"This article will give you 11 tips for managing remote software engineering teams, so you can adjust and improve your hiring, communication, and your team's collective output.","title":"11 Tips for Managing Remote Software Engineering Teams","tags":["Remote Work","Developer","Software Engineering"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.3333333333333333,"src":"/static/b56c12fcaad35ed98c69dce42a2cf52e/14b42/cover.jpg","srcSet":"/static/b56c12fcaad35ed98c69dce42a2cf52e/f836f/cover.jpg 200w,\n/static/b56c12fcaad35ed98c69dce42a2cf52e/2244e/cover.jpg 400w,\n/static/b56c12fcaad35ed98c69dce42a2cf52e/14b42/cover.jpg 800w,\n/static/b56c12fcaad35ed98c69dce42a2cf52e/47498/cover.jpg 1200w,\n/static/b56c12fcaad35ed98c69dce42a2cf52e/0e329/cover.jpg 1600w,\n/static/b56c12fcaad35ed98c69dce42a2cf52e/21d0b/cover.jpg 5184w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Erkki Muuga","github":null,"avatar":null}}}},{"node":{"excerpt":"It is scientifically proven that helping others makes people happy. Probably no one knows this better than the developer community around…","fields":{"slug":"/engineering/loginradius-sponsorship-freecodecamp/"},"html":"It is scientifically proven that helping others makes people happy. Probably no one knows this better than the developer community around the world, which continues to amaze by contributing extensively to free and open source software.
\nAnd there is freeCodeCamp community, a nonprofit started in 2014 by Quincy Larson. It has been helping thousands of aspiring developers learn web development and find their first software jobs. The community features a self-paced learning platform that helps learn various web technologies, including Bootstrap, D3, jQuery, and React, among many others.
\nBeing a nonprofit, freeCodeCamp entirely works based on charitable donations and contributions of developers to maintain its learning platform. In fact, it is so efficient that with every $5 in donation, it can provide more than 250 hours of learning. And it is so effective that some of its alumni work for marquee tech companies like Apple, Google, Microsoft, and Amazon, among others.
\nIn 2013, just a year before freeCodeCamp was established, we founded LoginRadius with a vision to secure every identity on this planet. From our early beginnings, we have developed LoginRadius CIAM to empower developers to build more secure applications and simplify the implementation of customer identity and access management on their production applications to save development and maintenance time. Today, burgeoning startups to Fortune 500 companies trust LoginRadius, and we're now collectively handling 1.17 billion user identities for our customers worldwide.
\nWe are as obsessed as freeCodeCamp to support and enable the developer community to do much more and make this world a better place. And we wanted to continuously help the freeCodeCamp community in any way possible.
\nToday, we are a proud sponsor of freeCodeCamp and supporting the community's developers.
\nSignup here if you're a developer from the freeCodeCamp community. And we'll offer $200 credits so you can leverage LoginRadius CIAM — beyond the free developer tier — to implement highly secure, user-centric customer identity and access management.
\nThis is indeed a moment of joy and pride for everyone at LoginRadius. We would like to extend our gratitude to freeCodeCamp for letting us be a part of its journey in strengthening the developer community.
\nBy the way, if you want to share your expertise with the developer community, please feel free to write for the LoginRadius Blog portal. We have an open for contributions policy so anyone around the world can contribute. Find more details on our public GitHub repo.
\n
In C# 9.0, there are multiple features introduced. One of them is the Init-Only setters property feature. To use this feature, there are two pre-requisite.
\nAfter this setup, you are ready to go with the Init-Only setters property feature.
\nBefore knowing more about this feature, first, we will understand how we are using properties currently in C#.
\npublic int Id { get; set; }This is the way how we are using the properties, but whenever if we don't want to change the value of a property outside of a class and make them readable publicly, then we generally define the property as below.
\npublic int Id { get; private set; }In that case, the Id property can not be set outside of the class, and to set this property, we have to introduce a constructor or a public method that can set the value of the Id field. Like below
\npublic class Company\n{\n public int Id { get; private set; }\n\n public Company(int id) // Constructor\n {\n Id = id;\n }\n public void SetId(int id) //Public method\n {\n Id = id;\n }\n}Below are the problems which arise by using the above method
\nTo fix those issues, In C# 9.0 Init-Only setters property feature was introduced. Have a look at this.
\nInit-Only setters property gives us the flexibility to set the value of a property by using the object initializer as well the property is also immutable. So that will resolve the above issues, which were with the private set property.
\npublic class Company\n{\n public int Id { get; init; }\n}Company comp=new Company{\n Id=1\n}; // It works fine if we initialize hereAs we can, it is perfectly fine to set the value during object initialization.
\npublic class Company\n{\n public int Id { get; init; }\n\n public Company(int id)\n {\n this.Id = Id;\n }\n}We can define the constructor as well to initialize the Init-Only setters property.
\nIf we will try to create a method in the class and want to change the value Init-Only setters property, then it will give us the compile-time error.
\npublic class Company\n{\n public int Id { get; init; }\n\n public void SetId(int Id)\n {\n this.Id = Id; // Compile-time Error\n }\n}In this article, we learned how we are setting the properties in C# currently and the new C# 9.0 feature Init-Only Setters Property. Also, we understood how this feature helps us to set the property value with the object initialization.
\n","frontmatter":{"date":"July 15, 2021","updated_date":null,"description":"In this article, we will talk about Init-Only Setters Property in C#.","title":"C# Init-Only Setters Property","tags":["C#","Properties","Init"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/e2d2c98e4cd2dbf38d3e2ddeaba94705/ee604/coverimage.png","srcSet":"/static/e2d2c98e4cd2dbf38d3e2ddeaba94705/69585/coverimage.png 200w,\n/static/e2d2c98e4cd2dbf38d3e2ddeaba94705/497c6/coverimage.png 400w,\n/static/e2d2c98e4cd2dbf38d3e2ddeaba94705/ee604/coverimage.png 800w,\n/static/e2d2c98e4cd2dbf38d3e2ddeaba94705/f3583/coverimage.png 1200w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Hemant Manwani","github":"hemant404","avatar":null}}}},{"node":{"excerpt":"What is a Content Security Policy (CSP), and why is it important? Overview A Content Protection Policy (CSP) is a security standard that…","fields":{"slug":"/engineering/content-security-policy/"},"html":"What is a Content Security Policy (CSP), and why is it important?
\nA Content Protection Policy (CSP) is a security standard that adds an extra layer of defense in detecting and mitigating certain kinds of attacks, such as Cross-Site Scripting (XSS), clickjacking, and other code injection threats. CSP is a preventative step against attacks that rely on executing malicious material in a trusted web context, as well as other attempts to bypass the same-origin policy.
\nThe CSP's main purpose is to prevent and report XSS attacks. XSS attacks take advantage of the browser's faith in the server's content. Because the browser trusts the source of the material without additional safety measures, the browser runs all code from a trustworthy origin. It is unable to distinguish which code is legal. Thus any injected malicious code is also executed.
\nThe website administrator can reduce the XSS attack using the CSP by defining trusted source sites for the executable scripts. When we use the CSP header, browsers only allow us to run the script from the whitelisted domains and ignore all other scripts.
\nWe can also use the same-origin policy (SOP) header to prevent the website from accessing data from the other origin. Still, Websites need to include lots of assets from external sources like content delivery networks (CDNs), Google Analytics scripts, fonts, styles, comment modules, social media buttons, etc., so for the modern web, we need to use CSP.
\nOne interesting advantage of a content security policy is we can define the permitted protocols. For example, the sites can restrict browsers from loading content over HTTPS. Some browsers, by default, will not connect to HTTPS but using the content security policy, we can enforce browsers to encrypt conversations with your server.
\nSites may also leverage HTTP Strict-Transport-Security headers to ensure that browsers only connect to the site over encrypted routes.
\nAdding the Content-Security-Policy HTTP header to a web page and setting values for it allows you to restrict what resources the user agent is authorized to load for that page. For example, A page that allows loading external CSS or fonts but not allows loading javascript from the external domains.
\nHTTP response headers are generally used to specify the Content-Security-Policy header, but if needed, you can also use HTML meta tags to provide specific CSP directives at the page level.
\nAn example of adding CSP headers is shown below.
\n Content-Security-Policy: default-src 'self'; img-src *; script-src loginradius.com;An example of adding CSP headers in the HTML tags
\n<meta http-equiv="Content-Security-Policy" content="default-src 'self'">Listed below are a couple of CSP directives and their use cases:
\nDefault-src: This directive serves as a fallback for the other CSP fetch directives. For absent directives like media-src and script-src, the user agent looks for the default-src directive's content and uses it.
Script-src: This directive is used to define locations from which external scripts can be loaded.
Img-src: Specifies sources from which images can be retrieved.
Media-src: This directive is used to define locations from which rich media like video can be retrieved.
Object-src: This directive is used to define locations from which plugins can be retrieved.
Font-src: Specifies permitted sources for loading fonts.
manifest-src: A list of acceptable source locations for web manifests. Web manifests are used by users of Progressive Web Applications to download websites and run them like native mobile apps.
frame-ancestors: A list of acceptable URL locations which this website can load in an iFrame.
form-action: A list of acceptable URL target locations where the website can send form data. It's most likely that you want this value set to self as most websites only submit their form data locally. This property is not covered by default-src above, so make sure you set it.
plugin-types: The list of plugin types that can be loaded from the locations in object-src. Likely that you also want to set this to none.
base-uri: The list of URLs that can be used in HTML base tags on your site.
child-src is used to restrict permitted URLs for JavaScript workers and embedded frame contents, including embedded videos. In Level 3, frame-src and worker-src directives can be used instead to control embedded content and worker processes, respectively.
style-src is used to whitelist CSS stylesheet sources. To allow stylesheets from the current origin only, use style-src 'self'.
connect-src specifies permitted origins for direct JavaScript connections that use EventSource, WebSocket, or XMLHttpRequest objects.
You can find a more updated and complete list maintained by Mozilla here.\nMozilla maintains a more up-to-date and comprehensive list, which can be seen here.
\nAll major modern browsers have supported Content Security Policy.
\nMozilla maintains a more up-to-date and comprehensive list for the CSP support in the browser, which can be seen here.
\nThe default-src directive in the below example policy is set to self. This permits the browser to load resources from the site's origin.
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">The default-src directive in the below example policy permits the browser to load resources from the trusted domain and all its subdomains.
<meta http-equiv="Content-Security-Policy" content="default-src 'self' *.loginradius.com">The above policy permits the browser to load content from loginradius.com as well as any subdomain under loginradius.com.
\nSuppose you are running an e-commerce site and want to ensure that all resources are only loaded via SSL or HTTPS. The below policy ensures that all of the resources on your website load from TLS.
\n <meta http-equiv="Content-Security-Policy" content="default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'">If you want to allow users of a web application to add images/photos from any source but permits all scripts from trusted sources or specific sources.
\n <meta http-equiv="Content-Security-Policy" content="default-src 'self' img-src *; script-src cdn.loginradius.com;"> The img-src directive allows images to load from anywhere.\nThe script-src directive can only accept executable scripts from cdn.loginradius.com.
If you want to add social widgets like the google+ button, Facebook like, Tweet button on your website, you need to allow external script also like the below policy.
\n<meta http-equiv="Content-Security-Policy" content="default-src 'self' img-src *; script-src cdn.loginradius.com;https://platform.twitter.com; child-src https://plusone.google.com https://facebook.com https://platform.twitter.com;">The Content-Security-Policy-Report-Only Header is a wonderful method to evaluate the effects of a Content-Security-Policy header without really blocking anything on the site. Also, we can get any violation reports using this header. By default, it only sends reports to the developer tools console. If you include a report-to or report-uri directive, it will send a JSON representation of the violation to the provided URI endpoint.
<meta http-equiv="Content-Security-Policy-Report-Only" content="default-src 'self'; report-uri https://report.yourwebsite.com/cspreport;">In the above example, it will not enforce anything. Content-Security-Policy-Report-Only policy only generates reports and sends them to the report URI. The CSP violation report is generated in JSON format.
<meta http-equiv="Content-Security-Policy-Report-Only" content="default-src 'self'; script-src cdn.loginradius.com; report-uri https://report.loginradius.com/cspreport;">In the above example, the policy only allows the script from cdn.loginradius.com.
\n<!DOCTYPE html>\n<html>\n \n<head>\n <title>Content Security Policy</title>\n <script type='text/javascript' src='https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js'></script>\n</head>\n \n<body>\n . . .\n</body>\n \n</html>In the below sample HTML browser trying to download javascript from the other source, but we have allowed javascript src only from the CDN so that the browser will send the following violation report.
\n {\n"csp-report":{\n"document-uri": "https://loginradius.com/test.html",\n"referrer": "",\n"blocked-uri": "https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js",\n"violated-directive": "script-src cdn.loginradius.com",\n"original-policy": "default-src 'self'; script-src cdn.loginradius.com; report-uri https://report.loginradius.com/cspreport;",\n"disposition”: “report"\n}\n}The Content Security Policy will add an additional layer of protection to your web application. CSP is compatible with almost all current browsers and is widely used on the internet as an effective technique for decreasing the threat of cross-site scripting attacks.
\nThe Web Application Security Working Group of the Wide Web Consortium (w3c has already begun work on the specification's next version, Content Security Policy Level 3 and Content Security Policy Level 2 already Candidate Recommendation.
\n","frontmatter":{"date":"July 14, 2021","updated_date":null,"description":null,"title":"Content Security Policy (CSP)","tags":["Secuirty Header","CSP","Content Security Policy"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/72be1a5572db6f2a09fd6baddad74fe9/14b42/content-security-policy.jpg","srcSet":"/static/72be1a5572db6f2a09fd6baddad74fe9/f836f/content-security-policy.jpg 200w,\n/static/72be1a5572db6f2a09fd6baddad74fe9/2244e/content-security-policy.jpg 400w,\n/static/72be1a5572db6f2a09fd6baddad74fe9/14b42/content-security-policy.jpg 800w,\n/static/72be1a5572db6f2a09fd6baddad74fe9/47498/content-security-policy.jpg 1200w,\n/static/72be1a5572db6f2a09fd6baddad74fe9/0e329/content-security-policy.jpg 1600w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Vijay Singh Shekhawat","github":"code-vj","avatar":null}}}},{"node":{"excerpt":"Authentication and user identity management are challenging tasks you are bound to run into when building applications. For example, you…","fields":{"slug":"/engineering/guest-post/user-authentication-in-python/"},"html":"Authentication and user identity management are challenging tasks you are bound to run into when building applications. For example, you will need to create profiles for users, validate provided passwords, implement a password reset functionalities, manage user sessions (sometimes on multiple devices), manage social media authentication, and many others.
\nYou still have to work on other parts of your application, and you might not have a lot of time. A lot of developers might hack their way through authentication, but that could lead to improper implementations. It is not advisable to do this as you can create doorways for cyber-related attacks in your application.
\nIn this tutorial, you will learn how to properly implement user authentication and identity management in a Flask application.
\n\n\nHere for the code alone? Head over to the implementation section of this article or visit this GitHub gist to browse demo code.
\n
User authentication is the process of validating a person’s identity to ascertain that they are who they claim to be. Authentication is achievable using passwords, one-time pins (OTP), biometrics, authentication apps, access tokens, certificates, and many more.
\nUser identity is an entity used to identify a user of an application uniquely. Forms of user identifiers include full names, email addresses, system-generated values, and UUIDs.
\nAn identity provider is a system that helps create, maintain, and manage user identity information. It also provides authentication services to external applications to ease their authentication flow and make it seamless.
\nWhen referring to authentication in Python, we talk about user authentication concerning web applications built with it. Python is actively used in making web applications with many supporting frameworks, including but not limited to Flask, Django, FastAPI, Bottle, and Hug.
\nEvery web application built with Python at one point or another would need to implement user authentication features. This article will cover implementing authentication and proper handling of user identity information using LoginRadius and Flask.
\nLoginRadius is a cloud-based consumer identity and access management (CIAM) platform that allows seamless user authentication and SSO integration into your application. LoginRadius is simple to use, completely secure, and highly customizable.
\nTo proceed with this tutorial, you will need an account with LoginRadius. If you have not created one before now, create one on the LoginRadius website.
\nLogin to your LoginRadius dashboard, then navigate to the app you want to integrate with Python (LoginRadius will set up a free app for you when you create an account).
\nNext, head over to the Configuration tab on the LoginRadius sidebar (left side of the screen).
Your API credentials are located under the API Key And Secret section. Once you have retrieved this, copy the APP Name, API Key, and API Secret and store them somewhere secure and easily retrievable.
LoginRadius requires you to whitelist domains you will be integrating with your app. To whitelist, a domain, scroll down to the Whitelist Your Domain section in the Configuration tab of your app dashboard and add it.
\n\nBy default, LoginRadius whitelists your local computer (localhost).
\n
We need to install the LoginRadius Python SDK. It provides functionalities that allow Python programs to communicate with LoginRadius APIs.
\nIn the terminal, type:
\npip install LoginRadius-v2 requests cryptography pbkdf2First, we need to install the Flask framework from PyPI. In the terminal, type:
\npip install flaskAfter that, create a file named server.py and save the following code in it:
from flask import *\n\napp = Flask(__name__)\napp.config["SECRET_KEY"] = "SECRET_KEY"\n\n\n@app.route("/")\ndef index():\n return "Hello World!"\n\n\nif __name__ == "__main__":\n app.run(debug=True)When you run the server.py script and open your browser, you will get a response similar to the image below:
\n\nNOTE: Don’t forget to replace the <APP_NAME> placeholder with your LoginRadius app name we saved earlier.
\n
To authenticate registered users, you have to redirect them to your IDX page, passing “login” as the AUTH_ACTION.
Update the server.py file with the code below:
@app.route("/login/")\ndef login():\n access_token = request.args.get("token")\n if access_token is None:\n # redirect the user to our LoginRadius login URL if no access token is provided\n return redirect(LR_AUTH_PAGE.format("login", request.base_url))\n\n return "You have successfully logged in!"\n\nWhen LoginRadius successfully authenticates a user, it attaches a
\ntokenparameter to theREDIRECT_URLbefore redirecting your user there. This parameter contains the access token of the user that we authenticated.
In the code above, we redirect users to our LoginRadius login IDX if the token parameter is absent (this means LoginRadius did not redirect the user here). We also set our AUTH_ACTION to “login” and our RETURN_URL to our login page.
We also want to fetch user profiles from the access token given by LoginRadius. It comes in handy when we want to verify if a given access token is valid (or has expired) or just fetch information about the current user.
Update the login route with the code below. We also added a dashboard route where we will redirect users after successful authentication.
@app.route("/login/")\ndef login():\n access_token = request.args.get("token")\n if access_token is None:\n # redirect the user to our LoginRadius login URL if no access token is provided\n return redirect(LR_AUTH_PAGE.format("login", request.base_url))\n\n # fetch the user profile details with their access tokens\n result = loginradius.authentication.get_profile_by_access_token(\n access_token)\n\n if result.get("ErrorCode") is not None:\n # redirect the user to our login URL if there was an error\n return redirect(url_for("login"))\n\n session["user_acccess_token"] = access_token\n\n return redirect(url_for("dashboard"))\n\n\n@app.route("/dashboard/")\ndef dashboard():\n return "You have successfully logged in!"In the code above, we used the authentication.get_profile_by_access_token method from the LoginRadius SDK to fetch our user’s details. If the request was successful and the result does not contain an ErrorCode parameter, we save the access token in the user’s session and redirect them to the dashboard route. But if an error occurs somewhere, e.g., the access token is invalid/expired, we redirect the user back to the login route.
Next, we want to add more functionality to the dashboard route. Instead of just displaying a dummy text, let it show the user information we fetched earlier. Update the dashboard route with the code below:
@app.route("/dashboard/")\ndef dashboard():\n access_token = session.get("user_acccess_token")\n if access_token is None:\n return redirect(url_for("login"))\n\n # fetch the user profile details with their access tokens\n result = loginradius.authentication.get_profile_by_access_token(\n access_token)\n\n if result.get("ErrorCode") is not None:\n # redirect the user to our login URL if there was an error\n return redirect(url_for("login"))\n\n return jsonify(result)Here, we fetched the access token stored in the user’s session earlier, used it to get their details, and rendered the result.
\nInvalidating access tokens means rendering particular access tokens useless and unusable. It comes in handy when we log out users. The LoginRadius SDK provides an auth_in_validate_access_token method that takes in an access token to be invalidated.
To add this to our server, create a logout route with the code below:
@app.route("/logout/")\ndef logout():\n access_token = session.get("user_acccess_token")\n if access_token is None:\n return redirect(url_for("login"))\n\n # invalidate the access token with LoginRadius API\n loginradius.authentication.auth_in_validate_access_token(access_token)\n session.clear()\n\n return "You have successfully logged out!"This article taught us about user authentication, user identity management, and implementing it correctly. In addition, we saw how easy it is to integrate LoginRadius services into a Python application to ease the implementation of authentication and user identity management.
\nThe source code of the demo application is available as a GitHub gist. You can learn more about the LoginRadius Python SDK features from the official documentation.
\n","frontmatter":{"date":"July 07, 2021","updated_date":null,"description":"Learn about user authentication, user identity management, and implementing it correctly into a Python application using LoginRadius.","title":"Implementing User Authentication in a Python Application","tags":["Python","Authentication","Flask"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/9c74b4b9c19fc76911f54b82e0cceb74/14b42/coverImage.jpg","srcSet":"/static/9c74b4b9c19fc76911f54b82e0cceb74/f836f/coverImage.jpg 200w,\n/static/9c74b4b9c19fc76911f54b82e0cceb74/2244e/coverImage.jpg 400w,\n/static/9c74b4b9c19fc76911f54b82e0cceb74/14b42/coverImage.jpg 800w,\n/static/9c74b4b9c19fc76911f54b82e0cceb74/47498/coverImage.jpg 1200w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Solomon Esenyi","github":"LordGhostX","avatar":null}}}},{"node":{"excerpt":"Hi Everyone 👋 !!! Today we are announcing the beta release of LoginRadius CLI. I am very much excited about it. Why LoginRadius CLI…","fields":{"slug":"/engineering/introducing-loginradius-cli/"},"html":"Hi Everyone 👋 !!! Today we are announcing the beta release of LoginRadius CLI. I am very much excited about it.
\nDeveloper Experience plays a crucial role for us. We always think about the ways we can minimize the juggling between a quickstart tutorial, dashboard, and terminal.\nThe LoginRadius CLI will simplify your flow by just using some simple commands to register, login, add site, add social, etc., and enables you to get the job done in very little time without leaving the terminal.
\nCheck out a few examples of how LoginRadius CLI can help manage your Loginradius Dashboard.
\nThis command will help you to log in to the CLI. Once you logged in to the CLI, you can configure all your LoginRadius Applications through CLI.
\nGet your API Credentials in a single command. You can also reset your secret and generate sott using the LoginRadius CLI.
\nYou can update the LoginRadius IDX Page theme from the predefined themes available through LoginRadius CLI.
\n\n\nYou can check out the Theme Customization section in the LoginRadius Dashboard for all the available customization options.
\n
With the help of LoginRadius CLI, you can add social logins to your LoginRadius IDX Page.
\nRun lr --help to get the list of all available commands. Also you can checkout the manual for all the commands supported.
The LoginRadius CLI is available for Windows, macOS, and Linux. Check out the installation on our README.
\nWe hope you’ll love the LoginRadius CLI. And we’re even more excited about the future as we explore what it looks like to build a truly delightful experience with LoginRadius on the command line.
\nWe can’t wait to hear about your experience with LoginRadius CLI, and we’d love your feedback. Please create an issue in our open source repository or discuss what more commands you feel should be there on our community page.
\n\n","frontmatter":{"date":"July 02, 2021","updated_date":null,"description":"LoginRadius CLI helps you to perform basic actions of your LoginRadius Dashboard through the command line. The actions include login, register, logout, email configuration, domain whitelisting, etc.","title":"Introducing LoginRadius CLI","tags":["Authentication","DevTools","CLI","LoginRadius CLI"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/65b9c38d8aa61635972b0d2271c28c36/bc59e/cli.png","srcSet":"/static/65b9c38d8aa61635972b0d2271c28c36/69585/cli.png 200w,\n/static/65b9c38d8aa61635972b0d2271c28c36/497c6/cli.png 400w,\n/static/65b9c38d8aa61635972b0d2271c28c36/bc59e/cli.png 512w","sizes":"(max-width: 512px) 100vw, 512px"}}},"author":{"id":"Mohammed Modi","github":"mohammed786","avatar":null}}}}]},"markdownRemark":{"excerpt":"Google has prepared a roadmap to restrict third-party cookies in Chrome. Since 04 January 2024, Chrome has rolled out third-party cookie…","fields":{"slug":"/engineering/identity-impact-of-google-chrome-thirdparty-cookie-restrictions/"},"html":"Google has prepared a roadmap to restrict third-party cookies in Chrome. Since 04 January 2024, Chrome has rolled out third-party cookie restrictions for 1% of stable clients and 20% of Canary, Dev, and Beta clients.
\nWhat does it mean for user authentication?
\nOn one hand, Google believes third-party cookies are widely used for cross-site tracking, greatly affecting user privacy. Hence, Google wants to phase out (or restrict) supporting third-party cookies in Chrome by early Q2 2025 (subject to regulatory processes).
\nOn the other hand, Google introduced Privacy Sandbox to support the use cases (other than cross-site tracking and advertising) previously implemented using third-party cookies.
\nIn this article, we’ll discuss:
\nThird-party cookie restrictions affect user authentication in three ways, as follows.
\nIf your website or app uses an external Identity Provider (IdP) — like LoginRadius, the IdP sets a third-party cookie when the user authenticates on your app.
\nIf you have multiple apps across domains within your organization and authentication is handled using an IdP (internal or external) with web SSO, you already use third-party cookies to facilitate seamless access for each user using a single set of credentials.
\nIf you have implemented web SSO with one primary domain and multiple sub-domains of the primary domain, third-party cookie restrictions may not apply. For now, Google doesn’t consider the cookies set by sub-domains as third-party cookies, although this stance may change in the future.
\nFor example, you have apps at example.com, travel.example.com, stay.example.com, and web SSO is handled by auth.example.com. In this case, third-party cookie restrictions don’t apply.
Federated SSO is similar to, albeit different from, web SSO. It can handle multiple IdPs and applications—aka., Service Providers (SPs)—spanning multiple organizations. It can also implement authentication scenarios that are usually implemented through web SSO.
\nUsually, authentication is handled on a separate pop-up or page when the user wants to authenticate rather than on the application or website a user visits.
\nFor example, you already use federated SSO if you facilitate authentication for a set of apps through multiple social identity providers as well as traditional usernames and passwords.
\n\n\nNote: It is also possible to store tokens locally, not within cookies. In this case, third-party cookie restrictions won’t affect token-based authentication. However, the restrictions still affect authentication where tokens are stored within third-party cookies (a common and secure method).
\n
Google has been developing alternative features and capabilities for Chrome to replace third-party cookies as part of its Privacy Sandbox for Web initiative.
\nSpecific to authentication, Google recommends the following:
\nCHIPS are a restricted way of setting third-party cookies on a top-level site without making them accessible on other top-level sites. Thus, they limit cross-site tracking and enable specific cross-site functionalities, such as maps, chat, and payment embeds.
\nFor example, a user visits a.com with a map embed from map-example.com, which can set a partitioned cookie that is only accessible on a.com.
If the user visits b.com with a map embed from map-example.com, it cannot access the partitioned cookie set on a.com. It has to create a separate partitioned cookie specific to b.com, thus blocking cross-site tracking yet allowing limited cross-site functionality.
You should specifically opt for partitioned cookies (CHIPS), which are set with partitioned and secure cookie attributes.
\nIf you’re using an external identity provider for your application, CHIPS is a good option to supplant third-party cookie restrictions.
\nHowever, CHIPS may not be ideal if you have a web SSO or federated SSO implementation. It creates separate partitioned cookies for each application with a separate domain, which can increase complexity and create compatibility issues.
\nWith Storage Access API, you can access the local storage in a third-party context through iframes, similar to when users visit it as a top-level site in a first-party context. That is, it gives access to unpartitioned cookies and storage.
\nStorage Access API requires explicit user approval to grant access, similar to locations, camera, and microphone permissions. If the user denies access, unpartitioned cookies and storage won’t be accessible in a third-party context.
\nIt is most suitable when loading cross-site resources and interactions, such as:
\nVerifying user sessions when allowing interactions on an embedded social post or providing personalization for an embedded video.\nEmbedded documents requiring user verification status to be accessible.
\nAs it requires explicit user approval, it is advisable to use Storage Access API when you can’t implement an identity use case with the other options.
\nWith Related Website Sets, you can declare a primary website and associatedSites for limited purposes to grant third-party cookie access and local storage for a limited number of sites.
Chrome automatically recognizes related website sets declared, accepted, and maintained in this open-source GitHub repository: Related Website Sets
\nIt provides access through Storage Access API directly without prompting for user approval, but only after the user interacts with the relevant iframe.
\nIt is important to declare a limited number of domains in related website sets that are meaningful and used for specific purposes. Google may block or suspend any exploitative use of this feature.
\nThe top-level site can also request approval for specific cross-site resources and scripts to Storage Access API using resuestStorageAccessFor() API.
If you’re using an external identity provider for your web application, you can declare the domain of the identity provider in the related set to ensure limited third-party cookies and storage access to the identity provider, thus ensuring seamless user authentication.
\nRelated Website Sets can also work to supplement third-party cookie restrictions in web SSO and federated SSO if the number of web applications (or domains) is limited.
\nFedCM API enables federated SSO without third-party cookies.
\nWith FedCM API, a user follows these steps for authentication:
\nYou can access a user demo of FedCM here: FedCM.
\nFor more information about implementing federated SSO with FedCM API, go through the FedCM developer guide.
\nFirstly, we’re committed to solving our customers' user identity pain points — and preparing for the third-party cookies phase-out is no different.
\nWe’ll implement the most relevant and widely useful solutions to facilitate a smooth transition for our customers.
\nPlease subscribe to our blog for more information. We’ll update you on how we help with the third-party cookie phase-out.
\nThe proposed changes to phase out third-party cookies and suggested alternatives are evolving as Google has been actively collaborating and discussing changes with the border community.
\nMoreover, browsers like Firefox, Safari, and Edge may approach restricting third-party cookies differently than Google does.
\nFrom LoginRadius, we’ll keep you updated on what we’re doing as a leading Customer Identity and Access Management (CIAM) vendor to prepare for the third-party cookie phase-out.
\nTop-level site: It is the primary site a user has visited.
\nFirst-party cookie: A cookie set by the top-level site.
\nThird-party cookie: A cookie set by a domain other than the top-level site. For example, let’s assume that a user has visited a.com, which might use an embed from loginradius.com to facilitate authentication. If loginradius.com sets a cookie when the user visits a.com, it is called a third-party cookie as the user hasn’t directly visited loginradius.com.