Registration & sign-in summary
Introduction
Two registration paths are available for Patchworks - whichever you choose determines how users access the platform:
| Registration type | Authentication / authorisation type | Sign-in mechanism | Sign-in process |
|---|---|---|---|
Simple | Basic Auth | Username and password | User accesses the Sign in to Patchworks page. Here, they enter the email address associated with their account, and a password. |
OAuth 2.0 | Google sign-in | User accesses the Sign in to Patchworks page. Here they select the Sign in with Google option for redirection to the Google sign-in page. |
Simple sign-in
Users register for Patchworks with a unique email address and password. Thereafter, these credentials are used to sign into Patchworks:
For further information, please see the Simple registration help page.
Google sign-in
Users register for Patchworks with Google Sign-In. Thereafter, signing into Patchworks is via Google:
OAuth
Google Sign-In is implemented using the OAuth (Open Authorisation) protocol.
Two versions of OAuth are available - OAuth 1.0 and OAuth 2.0. The Patchworks implementation uses OAuth 2.0.
OAuth enables users to log into an application/website (the Client/Consumer - in this case, Patchworks) using account information from another application/website (the Service Provider - in this case, Google) without ever sharing the user’s password. This is known as Secure Delegated Access.
To achieve this, OAuth uses a system of access tokens. An access token authorises temporary access to specific account information - Patchworks requests and stores the following details from Google:
UserID
Name
Email address
Avatar URL
For further information, please see the Google account registration help page.
User journey
The Google sign-in flow for a user is summarised below:
The user accesses the Patchworks login page.
The user selects Sign in with Google.
Patchworks redirects the user to the Google Sign-In page. Here, the user is informed what information they will share with Patchworks by signing in to Google.
The user enters their Google account credentials. If sign-in is successful: - The Google Authorisation Server issues an access token to Patchworks. - Patchworks requests required data from Google, presenting the access token for authentication. - Google returns the requested resources (provided that the access token is valid).
The user is returned to Patchworks and is logged into the dashboard.
User roles & permissions
Within Patchworks, user accounts are associated with a role. This role determines the level of access that users have within the Patchworks dashboard (subject to the active subscription tier). For more information please see the Roles & permissions page.
Passwords can never be viewed or accessed by users, irrespective of their role. For further information please see the Password control section.
Password control
Passwords can never be viewed or accessed by users, irrespective of their role.
Managing your own password
Any logged-in user can change their password by selecting the Change password option associated with their avatar (in the top right-hand corner of the dashboard).
For further information please see: Changing your password.
Managing passwords for other users
Users associated with the client admin role can trigger a password reset for any users in their company profile, via the Patchworks dashboard. For more information please see our Triggering a password reset for another user page.
Password reset links are valid for 24 hours. After this, another password reset must be triggered so a new link is emailed.
Passwords are never set on behalf of other users.
Forgotten passwords
Users can reset their password via a Forgot your password link - this link is always available at the bottom of the Sign in to Patchworks page:
Selecting this option displays a Reset Password page, where the user can enter their email address and trigger a password reset email:
The password reset email includes a link for the user to follow and reset their password.
Password reset links are valid for 24 hours. After this, another password reset must be triggered so a new link is emailed.
Google sign-in passwords
If a user registers their Patchworks account with Google sign-In, they won’t be aware of a ‘Patchworks password’ because they always sign in with Google credentials.
However, if a password reset is triggered for a Google sign-In user, they still receive a password reset email, which can be used to set a Patchworks password.
This does not affect the person’s Google sign-in, it just means they can choose to log in via Google or enter their email address and Patchworks password (simple sign-in).
Password requirements
When setting a password for simple sign-in, the following rules apply:
A minimum length of 8 characters
At least 1 lowercase letter (a - z)
At least 1 uppercase letter (A - Z)
At least 1 number (0 - 9)
At least 1 special character (!, $, #, or %)
Password validation includes checks to determine if the password specified for registration or reset is compromised.
Checks are made using the haveibeenpwned.com service with the k-anonymity model, to determine if a password has been leaked. If a specified password is found to be compromised, it cannot be used and you will be prompted to try again.
Password expiry
Patchworks passwords do not expire.
Users who sign in via Patchworks simple sign-in can choose to reset their password any time, from the Patchworks sign-in page.
Alternatively, users with a Client Admin role can trigger password resets for other users in their company profile.
Password storage
Patchworks passwords are stored in an encrypted AWS database.
External access
We have already noted that OAuth2 is used to authorise access to Patchworks via Google sign-in. In this scenario, Patchworks requests an access token from Google; once a token is received, it is used to request the required user information for the sign-in process.
However, OAuth2 is also used for clients who wish to access Patchworks services via a Patchworks API endpoint. In this scenario, Patchworks provides an access token to clients, which is used to authenticate API requests.
For further information please see our API help pages.
Last updated
