What is meant by Authentication?
Understanding web authentication methods
When we think about authentication, the first picture that comes to mind is a login page submitting data to a back end, which checks it against a record in a database. That covers the bare bones of an authentication system, but there is more to it, which we discuss in the rest of the article.
What is meant by Authentication?
Authentication is the process of recognizing a user's identity. It is the mechanism of associating an incoming request with a set of identifying credentials. The credentials provided are compared to those on file in a database of authorized users' information, either on a local operating system or within an authentication server.
Authentication Types
- Basic Authentication
- Cookie Based Authentication
- Token Based Authentication
Basic Authentication
Basic Authentication is the simplest authentication mechanism for authenticating access to resources over HTTP. The credentials are sent in the request headers.
How does it work?
- The user submits the credentials.
- The username and password are concatenated into a single string: `username:password`
- The string is encoded using the `base64` algorithm.
- The result is set in the Authorization header with the `Basic` keyword and sent along with each HTTP request.
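The client and server halves of the exchange above, as an added example that is not part of the original article. The `USERS` table and its single password are constructed for the demo; the server side splits on the first colon only, since a password may itself contain colons, and compares in constant time.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Constructed credential store for the example (plain text only to keep the
# demo short; a real server stores a salted password hash).
USERS = {"alice": "s3cret:with:colons"}

def build_basic_header(username: str, password: str) -> str:
    """Client side: 'username:password' -> base64 -> 'Basic <token>'."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Server side: recover (username, password) from an Authorization header.
    Returns None for anything that is not well-formed Basic auth."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    # Split on the FIRST colon only: the user-id may not contain ':',
    # but the password may contain any number of them.
    username, _, password = decoded.partition(":")
    return username, password

def authenticate(header: Optional[str]) -> Optional[str]:
    """Return the authenticated username, or None. The constant-time
    comparison avoids leaking how much of the password matched."""
    creds = parse_basic_header(header)
    if creds is None:
        return None
    username, password = creds
    expected = USERS.get(username)
    if expected is None:
        # Compare against a dummy so unknown users take about the same time.
        hmac.compare_digest(password.encode(), b"x" * 16)
        return None
    if hmac.compare_digest(password.encode(), expected.encode()):
        return username
    return None
```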
Stateful vs Stateless Authentication
Stateful: the server keeps a record of the session, so the authentication session can be revoked.
Stateless: the server keeps no record and the token itself carries the state, so the authentication session can't be revoked before it expires.
Cookie Based Authentication
Cookie-based authentication is also known as session-based authentication. In this method the user is assigned a unique identifier, and this identifier is stored in memory on the server. The client sends this session id with every request and the server uses it to identify the user.
How does it work?
- The client sends the login request.
- The server validates the credentials, creates a session, stores it in memory assigned to the current user, and returns the generated session id.
- The client receives the session id and stores it in a cookie.
- The client sends its next requests with the session id from its storage.
- When the user logs out, the session is destroyed (cookie removed and session removed from the server) and the same session id cannot be reused.
Always use HttpOnly cookies
To mitigate cookie theft through XSS attacks, always set the `HttpOnly` flag when setting cookies. This way they won't show up in `document.cookie`.
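A minimal server-side session store for the flow above, as an added example that is not part of the original article. The in-memory `SESSIONS` dict, the `sid` cookie name and the one-hour TTL are assumptions for the demo; because the record lives on the server, logging out really revokes the id, which is the stateful property described earlier.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory store: session id -> (username, expiry time).
# Keeping it on the server is what makes this scheme stateful.
SESSIONS: Dict[str, Tuple[str, float]] = {}
SESSION_TTL = 3600  # seconds (assumed for the demo)

def create_session(username: str, now: Optional[float] = None) -> str:
    """Issue a fresh, unguessable id once the credentials have been checked."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 bits of randomness
    SESSIONS[sid] = (username, now + SESSION_TTL)
    return sid

def set_cookie_header(sid: str) -> str:
    """Set-Cookie value the server returns. HttpOnly keeps the id out of
    document.cookie, Secure keeps it off plaintext HTTP, SameSite limits CSRF."""
    return f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age={SESSION_TTL}"

def session_id_from_cookie(cookie_header: Optional[str]) -> Optional[str]:
    """Pull the sid out of a Cookie request header such as 'theme=dark; sid=...'."""
    if not cookie_header:
        return None
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid" and value:
            return value
    return None

def current_user(cookie_header: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Resolve the request to a user, or None if the session is missing,
    revoked or expired. Expired entries are dropped when seen."""
    now = time.time() if now is None else now
    sid = session_id_from_cookie(cookie_header)
    entry = SESSIONS.get(sid) if sid else None
    if entry is None:
        return None
    username, expires = entry
    if now >= expires:
        SESSIONS.pop(sid, None)
        return None
    return username

def logout(cookie_header: Optional[str]) -> None:
    """Revoke on the server: the same id is rejected afterwards even if the
    client still presents it."""
    sid = session_id_from_cookie(cookie_header)
    if sid:
        SESSIONS.pop(sid, None)
```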
Token Based Authentication
Token-based authentication (also called bearer authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens. Instead of sending the username and password for authentication, we use a server-generated token.
Types of Token Based authentication
- JSON Web Tokens (JWT)
- Open Authorization (OAuth)
- Single Sign On (SSO)
JSON Web Tokens (JWT)
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
How does it work?
- The user submits a username and password.
- The server validates them and returns a JWT.
- The client sends the token with future requests to be allowed through.
JSON Web Token structure
JSON Web Tokens consist of three parts separated by dots (`.`), which are:
- Header
- Payload
- Signature
Therefore, a JWT typically looks like the following.
xxxxx.yyyyy.zzzzz
Let’s break down the different parts.
1. Header
The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.
This JSON object is then Base64Url encoded to form the first part of the JWT.
2. Payload
The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private claims.
The payload is then Base64Url encoded to form the second part of the JSON Web Token.
3. Signature
To create the signature part you take the encoded header, the encoded payload, a secret and the algorithm specified in the header, and sign with them.
For example if you want to use the HMAC SHA256 algorithm, the signature will be created in the following way:
Open Authorization (OAuth)
Open Authorization is an advanced form of token-based authorization. We often use Facebook, Google or Twitter to sign in to an application; these are examples of Open Authorization.
How does it work?
- The user sends an authentication request to Google/Facebook.
- On finding that the user has an account on Google, the Google server responds with an authorization grant.
- The requesting application uses the authorization grant to request access to specific information.
- On gaining the permission, the app obtains an access token.
- The client then uses the access token to access a resource.
Single Sign On (SSO)
Single Sign On (SSO) is also an advanced authentication strategy that allows a user to log in with a single username and password to access several services. Google is a classic example of SSO: when we log in to Gmail we also get to use all the Google Drive apps that come along with it.
How does it work?
- Enter the single username/password that you use for corporate access.
- The SSO solution requests authentication from the identity provider or authentication system that your company uses. It verifies your identity and notifies the SSO solution.
- The SSO solution passes the authentication data to the website and returns you to that site.
- After login, the site carries authentication verification data with you as you move through the site, so that you are verified as authenticated each time you go to a new page.