CS50 ID is CS50's authentication service at id.cs50.io that lets you authenticate users via HarvardKey, Princeton CAS, or Yale CAS in your own web app or mobile app. Built atop Auth0, CS50 ID is an implementation of OpenID Connect, a "simple identity layer on top of the OAuth 2.0 protocol," which standardizes how you can authenticate users against another service (otherwise known as an identity provider) without asking for their usernames or passwords yourself.
After authenticating a user, CS50 ID will ultimately return an ID token, which is a "digitally signed" JSON object (otherwise known as a JSON Web Token or JWT), inside of which will be these keys (otherwise known as claims):
- `sub`, a unique identifier for the user;
- `name`, the user's full name, if available; and
- `email`, the user's email address, if available.
If storing users in a SQLite database, you may assume that `sub` will be a `UNIQUE` value of type `TEXT` with no more than 255 characters.
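As an added example that is not part of CS50's documentation or of the sample apps, here is how an app could record users under that assumption, keying each user on `sub` rather than on the optional `name` or `email` claims. It assumes the claims dict has already come back from an OpenID Connect library that verified the ID token's signature, and the sample claim values are constructed.

```python
import sqlite3

# Schema matching the stated guarantee: `sub` is a UNIQUE TEXT value of at
# most 255 characters. `name` and `email` are optional claims, so nullable.
SCHEMA = """
CREATE TABLE IF NOT EXISTS users (
    id    INTEGER PRIMARY KEY,
    sub   TEXT NOT NULL UNIQUE CHECK (length(sub) <= 255),
    name  TEXT,
    email TEXT
)
"""

# Constructed sample claims, shaped like a decoded CS50 ID token payload.
SAMPLE_CLAIMS = {"sub": "auth0|abc123", "name": "Alice", "email": "alice@example.edu"}


def open_db(path=":memory:"):
    """Open (or create) the users database; in-memory by default for the demo."""
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db


def upsert_user(db, claims):
    """Record a login from verified ID-token claims and return the user's row id.

    `claims` is the dict an OpenID Connect library returns AFTER it has checked
    the token's signature; this function never parses raw JWTs itself.
    Identity is keyed on `sub` alone: a changed or missing email must not
    create a second account, and a missing claim must not erase a stored one.
    """
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub or len(sub) > 255:
        raise ValueError("ID token lacks a valid 'sub' claim")
    with db:  # commits on success, rolls back on error
        db.execute(
            "INSERT INTO users (sub, name, email) VALUES (?, ?, ?) "
            "ON CONFLICT(sub) DO UPDATE SET "
            "name = COALESCE(excluded.name, name), "
            "email = COALESCE(excluded.email, email)",
            (sub, claims.get("name"), claims.get("email")),
        )
    return db.execute("SELECT id FROM users WHERE sub = ?", (sub,)).fetchone()[0]


def user_count(db):
    """Number of distinct users recorded so far."""
    return db.execute("SELECT count(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    conn = open_db()
    print("user id:", upsert_user(conn, SAMPLE_CLAIMS))
```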
To integrate CS50 ID into an app, you'll first want to create a client (i.e., register your app) at id.cs50.io. You'll need to provide a Description for your app as well as a Redirection URI, a URL to which CS50 ID should redirect users after authenticating them. Upon creating a client, you'll be provided with a Client Identifier and Client Secret. CS50 ID will also provide you with some OpenID Provider Metadata, which includes a list of endpoints (i.e., URLs). Those values should be all you need to add authentication to your app, particularly if using a library that supports OpenID Connect.
For instance, here are some sample apps for Python, both of which use Authlib:
- Flask, which uses Authlib's Flask OpenID Connect Client
- Django, which uses Authlib's Django OpenID Connect Client
Both apps assume that you've defined three "environment variables", as via the commands below:

```
export CLIENT_ID=...
export CLIENT_SECRET=...
export SERVER_METADATA_URL=...
```

wherein the value of `CLIENT_ID` should be your Client Identifier, the value of `CLIENT_SECRET` should be your Client Secret, and the value of `SERVER_METADATA_URL` should be that of your OpenID Provider Metadata. Both apps also assume that you've created a client with a Redirection URI of `https://example.com/callback`, where `example.com` is your app's domain name.
Because CS50 ID is built atop Auth0, a third-party service, you can actually follow their instructions to get started. No need to sign up for an Auth0 account. Instead, when directed to use the "Auth0 dashboard," log into id.cs50.io instead for your Client Identifier, Client Secret, and more. No need to configure a "Logout URL" either.
If curious, here's how OpenID Connect and, in turn, OAuth2, work:
Odds are, though, that a library will automate all of these steps for you!
Within those articles, think of "Auth0 Authorization Server," "Auth0 Tenant," and "Your API" as, collectively, "CS50 ID".
Special thanks to CS50's friends at Auth0 for their support of this app!