Possible methods:
- Sessions
- Tokens
- JSON Web Tokers
- Secured Cookies
- With JSON Web Token. From project provided by Fernando Herrera in Flutter course.
{
"id": "91c2a3b7-ada1-47cf-9d95-7f712ec8fcc9",
"email": "test1@google.com",
"fullName": "Juan Carlos",
"isActive": true,
"roles": [
"admin"
],
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjkxYzJhM2I3LWFkYTEtNDdjZi05ZDk1LTdmNzEyZWM4ZmNjOSIsImlhdCI6MTY5OTQ1NDQ1OCwiZXhwIjoxNjk5NDYxNjU4fQ.YFfuu00K65pYf2ZQOekigKMIVQ4PZT0MbnrkSgMZ5YY"
}- The most simple way to deal with authentication is to use HTTP basic authentication. We use a special HTTP header where we add 'username:password' encoded in base64.
GET / HTTP/1.1
Host: example.org
Authorization: Basic Zm9vOmJhcg==-
Note that even though your credentials are encoded, they are not encrypted! It is very easy to retrieve the username and password from a basic authentication. Do not use this authentication scheme on plain HTTP, but only through SSL/TLS.
- Another way is to use HMAC (hash based message authentication). Instead of having passwords that need to be sent over, we actually send a hashed version of the password, together with more information. Let's assume we have the following credentials: username "username", password "secret".
digest = base64encode(hmac("sha256", "secret", "GET+/users/username/account"))This digest we can send over as a HTTP header:
GET /users/username/account HTTP/1.1
Host: example.org
Authentication: hmac username:[digest]- Right now, the server knows the user "username" tries to access the resource. The server can generate the digest as well, since it has all information.
- Please note that the "password" is not encrypted on the server, as the server needs to know the actual value. This is why te name "secret" is preffered and not a "password".
Nothing.
- OAuth 2.0 (Open Authorization 2.0) is an authorization framework that enables third-party applications to access certain resources on behalf of a user without exposing their credentials.
- It is widely used for secure and delegated access in various scenarios, such as accessing APIs, logging in with third-party accounts, or authorizing applications to perform actions on a user's behalf.
- OAuth 2.0 was intentionally designed to provide authorization without providing user identity and authentication, as those problems have very different security considerations that donβt necessarily overlap with those of an authorization protocol. Treating authentication and identity separately allows the OAuth 2.0 framework to be used as part of building an authentication protocol.
| Role | Description |
|---|---|
| Resource Owner | The user who owns the data or resources being protected. |
| Client | The application seeking access to the user's resources. |
| Authorization Server | The server that authenticates the user and issues access tokens. |
| Resource Server | The server that hosts the protected resources. |
- Authorization Request: The client initiates the process by redirecting the user to the authorization server for authentication. The request includes the desired scope of access and the redirect URI.
- User Authentication: The user provides credentials and grants permission to the client.
- Authorization Grant: The authorization server issues an authorization grant to the client.
- Token Request: The client exchanges the authorization grant for an access token by making a request to the authorization server.
- Token Response: The authorization server validates the request and responds with an access token.
- Accessing Protected Resource: The client presents the access token to the resource server to access the protected resources on behalf of the user.
- Access tokens are short-lived credentials that represent the authorization granted to the client.
- They are used by the client to access protected resources on the resource server.
- Access tokens can have different scopes, indicating the level of access granted.
- Optionally, a refresh token may be issued along with the access token.
- It allows the client to obtain a new access token without requiring the user to re-authenticate.
- Scopes define the specific permissions or access levels granted to the client.
- Clients request specific scopes during the authorization process.
OAuth 2.0 is flexible and widely adopted, making it a standard for securing API access and enabling seamless user authentication and authorization across various applications and services.
- Website Authentication: The Complete Guide with FAQs π
- A Modern Password: 6 Top Tips for A Secure Login Process π
- RESTful API Authentication Basics π
- Authorization vs Authentication π
- OAuth 2.0 Playground π
- What the Heck is OAuth? π
- Whatβs the difference? OAuth 1.0 vs OAuth 2.0 π
- Differences Between OAuth 1 and 2 π
- OAuth 2.0: Benefits and use cases β why? π
- auth0 (teacher):
- Lesson 7 Class Activity Walkthrough π πΊ 22m
- Node (Express) API: Authorization π
- GitHub repo π
- GitHub (Daniel Bark):
- Simplified Oauth 2.0 Tutorial - Example with Node.js π πΊ 11m
- GitHub repo π
- Building OAuth apps π
- Google Worskspace API (People API):
- Google OAuth (Traversy Media):
- Node.js App From Scratch | Express, MongoDB & Google OAuth π πΊ 2h 28m
- GitHub repo π
- Google to MongoDB (Net Ninja):
- OAuth (Passport.js) Tutorial #12 - Saving User to MongoDB π πΊ 10m
- GitHub repo π
- Extra: Google & Passport (Kris Foster):
- NodeJS & Express - Google OAuth2 using PassportJS π πΊ 20m
- Passport Strategy: passport-google-oauth20 π