Three essential authentication mechanisms every web developer must know.



To illustrate HMAC, hash-based message authentication code, I should describe two parties play to create it. One is a cryptography hash function and, another is a cryptography message authentication code (MAC).

First, I should unpack what the hash function is. CHF or cryptography hash function is a mathematical algorithm that maps your data, which can be in arbitrary size, to fixed-sized digit data (called hash or digest). For example, You can copy all text in this article and paste them to the textbox of the sha1-online website to generates sha1 hash code which is something like this “aaf8c18000547f375fde8225c657a93759e1f9ca”. Note that it’s fixed-sized. We have many cryptographic hash functions with different sizes like SHA-1, SHA-224, SHA-256, SHA-512, MD5, MD6, MD4 … etc. Hash functions in communication between two parties play as a mechanism to establish data integrity, it's not used for data authenticity. so it can make us sure that the data have not been changed by another person.

Second, MAC, message authentication code, is a string of bits represented as a symmetric key shared between two parties (sender and receiver), called Tag. it’s sent alongside a pure message(plaintext). it’s just for the authenticity of the message that came from the stated sender. in the MAC, the sender and receiver of a message must agree on the same shared key (secret key) in advance before initiating communications, as it’s the case with symmetric encryption.

HMACs, hash-based message authentication codes, are a recipe for combining hash function and message authentication code, which are almost similar to digital signatures. They both use cryptography keys. And they both use hash functions. The main difference is that digital signatures use asymmetric keys, while HMACs use symmetric keys (no public key).HMAC code does not encrypt the message. Instead, the message (encrypted or not) must be sent alongside the HMAC hash. Parties with the secret key will hash the message again themselves and compare it to the received HMAC code. If the received and computed hashes match, we find the authenticity of the message is valid.


JWT (JSON Web Token) are tokens for sharing some claims. Claims are just some encoded JSON objects that include some information about the user.

For example, after I sign in to a website, information about my account is encoded and passed around to me in a JSON web token. This can enable SSO (Single Sign-On) where I needn’t sign in again to another domain owned by the same company. the information of my account is encrypted and digitally-signed so the information can be passed around securely. There are three main parts of a JWT claim:

  1. Header — The header includes information about how the JWT claims set, the payload, is encoded.

This information indicates that the payload is secured by the HMAC SHA-256 algorithm for integrity protection and type of token which is JWT.

2. Payload — the JWT claims set, the claims can be any arbitrary information but some of them is reserved claims like “iss” (Issuer) Claim, “sub” (Subject) Claim, “aud” (Audience) Claim, “exp” (Expiration Time) Claim, “nbf” (Not Before) Claim, “iat” (Issued At) Claim … etc. for more information you can read this link.

"sub": "",
"role": "admin",

3. Signature — encoding of the header and payload by the algorithm specified in the header.

Pseudo authentication using OAuth

OAUTH, open authorization, is a notarized referral system that can create an access token to grant websites(for example, Medium) or applications(for example, Uber) access to their information on other websites(for example, Google account) without giving them credential information like passwords.

Although OAuth was designed for authorization not to authentication Because the identity provider (like Google) typically (but not always) authenticates the user as part of the process of granting an OAuth access token, it is tempting to view a successful OAuth access token request as an authentication method itself. However, making this assumption can lead to major security flaws.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store