@taniarascia
Last active February 11, 2024 23:16
JavaScript Authentication & Authorization Book/Course

Authentication in Real-World Web Apps with JavaScript

Outline of ideas, concepts to cover, potential projects to write.

Setup Idea

  • Book with a video for each chapter.

Prerequisites/Overview

  • HTML, CSS, JavaScript
  • Front end/client side (Browser)
  • Back end/server side (Node)
  • REST APIs
  • HTTP codes

Concepts

  • Authorization (AuthZ)
  • Authentication (AuthN)
  • Cryptography
  • Headers
  • Sessions
  • JSON Web Tokens (JWT)
  • Identity Provider (IDP)
  • Cross-origin resource sharing (CORS)
  • Single sign on (SSO)
  • Multi-factor authentication (MFA)

Vulnerabilities

  • Leaking sensitive data
  • Storing unencrypted passwords
  • Cross-site request forgery (CSRF/XSRF)
  • Cross-site scripting (XSS)

Persistence

  • Cookies
    • HttpOnly/Secure/SameSite attributes
  • Web Storage
    • Local Storage
    • Session Storage

Specifications/Protocols/Terms/Standards

  • OAuth 2.0
    • Client-side app
      • Proof Key for Code Exchange (PKCE)
      • Implicit grant
    • Server-side app
      • Authorization Code Flow (Authorization Code grant)
  • OpenID Connect (OIDC)
  • System for Cross-domain Identity Management (SCIM)
  • Role-based access control (RBAC)

Project

  • Create a full-stack application
    • Simple front end
    • Node/Express back end
    • Implements sign up, log in, log out, reset password
    • Login 1: Custom username/password login
    • Login 2: OAuth 2.0/OIDC with Google/Twitter/GitHub as the SSO IDP (Google OIDC, Google OAuth 2.0)
    • Ability to associate SSO to an existing user
    • Different roles (admin, user, maybe one more)

Topics to Cover

  • When to use different strategies (for example, PKCE in a client-side-only app, session cookies when the back end and front end share the same subdomain, etc.).
@Codeindeed

Wow, looking forward to reading them soon

@creative-cranels

Awesome! Looking forward to reading it (: good luck!!!
https://aaronparecki.com/oauth-2-simplified/
This article made it easier for me to understand OAuth2

@JamesOkunlade

Really looking forward to this.