QxControl login uses Google Firebase for authentication and the user database for authorization
Qumulex uses Google Firebase to provide user authentication for QxControl software, whether QxControl is deployed on-premises or in the cloud. This means that there are no default passwords, no passwords stored on on-premises, and no one other than the user ever knows the password. Logging in to QxControl is a two step process:
- Authentication via Firebase
- Authorization via QxControl user database
Authentication - When a user logs in to the QxControl web app, they can choose to login using email/password authentication or via a third party authentication provider like Google. Let's look at the email option. When a user creates a new account, Firebase verifies the email address and stores an irreversible hash of the user's password. When a user attempts to login, the email address and password entered by the user are sent over a secure https connection to the Google Firebase cloud service. If the hash of the incoming password matches the stored value, the user is authenticated. Firebase sends the user's email back in a trusted, signed, industry-standard format called a JSON Web Token (JWT). Because the token is signed, it can not be modified, so we can be sure that the email address contained in the token is "owned" by the user who is attempting to login. If the hash of the incoming password does not match the stored value, Firebase returns an error, and QxControl displays a message indicating that the email/password combination is not valid.
Now let's look at the "login with Google" option. This process will be the same for any third party authentication provider added to those available in QxControl. Rather than the user entering an email and password, the user logs in to the third party authentication provider in their browser (or they may already be logged in). By virtue of that login, a token containing the user's email and signed by the third party authentication provider is sent to Firebase. Firebase validates the token, extracts the user's email, and the process proceeds identically to the email/password case.
Authorization - With the trusted email address contained in the token received from Firebase, QxControl searches its user database - in the cloud for QxCloud systems or on the gateway for QXOP systems - to find a user with a matching email. If found, and that user has been assigned a role in QxControl, the login completes and the user is presented with the QxControl interface appropriate for the user's role and place. If a user matching the trusted email address is not found, or the matched user has not been assigned a role, the login fails and the user is presented a screen informing them they are not authorized.