How does it work?
Assuming you understand how the OpenID Connect flow generally works, this app works quite simply:
- A user clicks "Login with HN"
- On LoginWithHN, the user is given a chance to enter their Hacker News username
- LoginWithHN generates a unique one-time-use code that the user must then put into their profile within 5 minutes
- LoginWithHN watches the user's profile until the code shows up
- Once LoginWithHN verifies the user's profile contains the code, the user is considered authenticated (OAuth2 is really about authorization, but we'll ignore that distinction for now).
- The user is shown a consent screen (that AuthZ we were talking about) and the only claims possible will be the
As always with OAuth2, you must handle session creation and management amongst other concerns in your application once a user has shown sufficient authority to assume they own the account in question via LoginWithHN.
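The profile-code step above is the part an implementer has to get right: the code must be unguessable, bound to one username, valid for only the five-minute window, and usable once. The following is an added example (not LoginWithHN's own code) of that check. It assumes a hypothetical `fetch_profile(username)` callable that returns the user's public "about" text, and an injectable clock so the expiry can be exercised offline; the profile texts in the demo are constructed.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_TTL_SECONDS = 5 * 60  # the five-minute window from the flow above


@dataclass
class PendingCode:
    username: str
    code: str
    issued_at: float
    consumed: bool = False


class ProfileCodeVerifier:
    """Issues one-time codes bound to a username and checks the user's
    public profile text for them.  Hypothetical helper, not LoginWithHN's code."""

    def __init__(self, fetch_profile: Callable[[str], str],
                 now: Callable[[], float] = time.time):
        self._fetch_profile = fetch_profile  # assumed: returns profile "about" text
        self._now = now
        self._pending: Dict[str, PendingCode] = {}

    def issue(self, username: str) -> str:
        # ~160 bits of randomness: the code cannot be guessed, so seeing it in
        # the profile is strong evidence the account holder placed it there.
        code = "loginwithhn-" + secrets.token_urlsafe(20)
        # Re-issuing replaces any earlier code, so only one is ever live per user.
        self._pending[username] = PendingCode(username, code, self._now())
        return code

    def verify(self, username: str) -> bool:
        pending = self._pending.get(username)
        if pending is None or pending.consumed:
            return False
        if self._now() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[username]  # expired: the user must request a new one
            return False
        profile = self._fetch_profile(username)  # only THIS user's profile is checked
        if pending.code not in profile:
            return False  # not there yet; the caller keeps polling until the TTL
        pending.consumed = True  # one-time use: a second verify() must fail
        del self._pending[username]
        return True


def demo() -> bool:
    """Walk through the flow with constructed profile text and a fake clock."""
    profiles: Dict[str, str] = {}
    clock = [1_000.0]
    verifier = ProfileCodeVerifier(lambda u: profiles.get(u, ""),
                                   now=lambda: clock[0])
    code = verifier.issue("alice")
    first = verifier.verify("alice")            # False: profile untouched
    profiles["alice"] = "Hi, I'm alice. " + code  # constructed profile text
    second = verifier.verify("alice")           # True: code found, consumed
    third = verifier.verify("alice")            # False: already used
    return (not first) and second and (not third)


if __name__ == "__main__":
    print("demo ok" if demo() else "demo failed")
```

Two design points worth noting: the expiry is checked before the profile is fetched, so an expired code never causes a network request, and the code is deleted on both success and expiry so the same code cannot be replayed later.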
How does logging in the second time work?
Since it's pretty tedious to modify your profile every time (and not so great on HN's servers either), the first time you log in you'll be able to add methods for faster future login:
- Time-based One Time Password (TOTP) code
- Attaching your email address (a code will be sent to you)
Once either of the above methods is specified, the next time you log in you will either be redirected instantly (if the login session is still fresh) or be offered the least intrusive login method (e.g. if you set up both a TOTP code *and* an email address, TOTP-based login will be presented).
Does using LoginWithHN cost anything?
LoginWithHN is free for your first 50 registered users. Once your app has found some traction, unlimited users and logins for your app cost $6/month, or $60/year (2 months free!).