by clarle 5130 days ago
Is there a best practice of doing authentication for single-page apps when you don't want to use an external OAuth provider, since a lot of people don't have Twitter/Facebook accounts?

Would you end up writing your own OAuth provider in that case?

2 comments

Unless you're providing an API/external access for your users, you can just use authentication internal to your app. It's pretty easy to roll your own (here's a tutorial for doing it in RoR: http://www.aidanf.net/rails_user_authentication_tutorial), but I would recommend using a popular plugin/middleware if you can find it for your language/framework so you don't have to worry as much about security.

For node/Express, passport.js is a good option (but doesn't help you out with the database at all) -- http://passportjs.org/guide/username-password.html

Django has basic user authentication built-in, Ruby on Rails has Devise - https://github.com/plataformatec/devise and AuthLogic - https://github.com/binarylogic/authlogic.

I'd recommend reading the Ruby on Rails security guide about user management to get an idea of some of the challenges in building an authentication system: http://guides.rubyonrails.org/security.html#user-management

If you want to write an OAuth provider here's a great PHP tutorial: http://djpate.com/2011/01/13/how-to-write-a-complete-oauth-p...

I think the author meant single load (load one page, fetch the rest by async JavaScript).

But as I've commented, having built edgeyo and Strangers for Dinner and having tested in-page (iframe) and redirected authentication, redirected authentication seems to garner more trust.