Open reboottime opened 1 year ago
reboottime
commented
1 year ago reboottime
commented
1 year ago The flow of HTTP Basic Authentication
username:password, for example, for username as user123 and its password as secretpassword, the combination is user123:secretpasswordAuthorizationAuthorization header and decodes the Base64-encoded string, and extracts the username and password for authentication string, then compare the username and password pair with the username and password stored in system.
Session-cookie authentication addresses HTTP basic access authentication's inability to track user login status. A session ID is generated to track the user's status during their visit. This session ID is recorded both server-side and in the client’s cookie.
Bellow is the session cookie based interaction flow
JSON Web Tokens (JWTs) and session tokens are both mechanisms used for authentication and authorization in web applications, but they have distinct characteristics and use cases. Here's a comparison of JWT tokens and session tokens:
JWT (JSON Web Token):
Self-Contained: JWTs are self-contained tokens that contain information (claims) in a structured format, typically in JSON. These claims can include user identity, access rights, and other relevant data.
Stateless: JWTs are inherently stateless, meaning the server does not need to maintain any session information. All the necessary information is within the token itself.
Decentralized: JWTs can be generated and signed by an authentication provider or Identity Provider (IdP) but can be verified by any party with the appropriate key. This decentralization can simplify authentication across different services.
Scalability: JWTs are suitable for distributed and microservices architectures, as they do not rely on a centralized session store. Each service can independently verify JWTs.
Expiration: JWTs can include an expiration time (exp claim) to control their validity. Once a JWT expires, it is no longer considered valid.
Use Cases: JWTs are commonly used in Single Sign-On (SSO), OAuth 2.0 authorization, and secure data transmission. They are well-suited for modern, stateless, and distributed application architectures.
Session Token:
Server-Side State: Session tokens typically rely on server-side state management. When a user logs in, a session token is created, and a session is established on the server to store user-specific data and maintain state.
Cookies or URL Parameters: Session tokens are often stored in cookies or passed as URL parameters to maintain user sessions across multiple requests. Cookies are the most common method for web applications.
Session Management: The server manages user sessions and session tokens, tracking user activity, session timeouts, and session cleanup.
Revocation: Session tokens can be revoked server-side, which allows administrators to log out users or terminate their sessions remotely.
Use Cases: Session tokens are commonly used in traditional server-side web applications, where maintaining server-side state is necessary. They are well-suited for monolithic architectures.
Considerations:
In summary, JWTs and session tokens have different characteristics and are used in various contexts based on the specific needs of the application. The choice between them depends on factors such as the architecture, security requirements, and scalability of your application.
reboottime
commented
1 year ago OAuth 2.0 is a protocol that allows you to grant your application permission to access your data on another application.
Let's use the Terrible Pun Joke case, to illustrate how OAuth 2.0 works.
There are three main parties involved in OAuth 2.0:
From the perspective of the Terrible Pun Jokes application, there is a partnership between itself and the gmail client authorization server.
Below is the user's journey when using the Terrible Pun Jokes application:
In above Okta tutorial about OAuth and OPEN ID connect, what has not been mentioned is that there exists some form of trust relationship between the identity provider and the resource server. Perhaps the resource server can directly contact the identity provider to validate the presented code from the client, or the resource server has a verification key to verify the code validity directly.
Bellow is the diagram describes the above statement
reboottime
commented
1 year ago OAuth is designed solely for authorization, allowing one application to grant access to data and features to another application. The OAuth flow provides the client with the necessary keys to access your data but does not reveal any information about the user's identity or characteristics.
OIDC is a layer built on top of OAuth 2.0, enhancing it with functionality related to user authentication and profile information. It enables the retrieval of information about the person who is logged in. For example, sign-in functionality using Google authentication.
SSO, or "Single Sign-On," is an authentication process that allows users to access multiple applications or services using a single set of credentials, such as a username and password. Instead of needing separate login credentials for each application or service, SSO enables you to use the same login credentials for Google Mail and Google Docs, for instance.
The ID token used in OIDC is similar to a JWT token, allowing you to decode encoded information or verify its integrity.
reboottime
commented
1 year ago
When we use various applications and websites, three essential security steps are continuously at play:
Bellow is a diagram where these methods applied in a typical website architecture
Overview
This article revisits the authentication related common senses.