Authentication
Terminology
Authentication schemes
Authorization Header
Terminology
| Authentication | Identify a user by email and password. Login and Signup |
|---|---|
| Authorization | Check right to access some resource. |
| Credential | string and password |
Authentication
Cookie/Session based Authentication
Cookie based authentication is sending session ID through cookie. You can also pass a token such as JWT token but I will talk about cookie & session.
// Response Header
Set-Cookie: sessionId="IH2D42IAij082I"
// Request Header
Cookie: sessionId="IH2D42IAij082I"
Signed cookie
res.cookie('name', 'value', {signed: true})
The cookie will still be visible, but it has a signature, so it can detect if the client modified the cookie.
| Disadvantage | |
|---|---|
| Always includes sessionID automatically | Does not work cookie is disable. (smart phone or desktop app or user turned off cookie), |
| Needs to send CSRF token. | |
| Hard to work with Multiple domain. | |
| Hit DB or cache DB every time to find session. |
Token Based Authentication
Token-based authentication, such as OpenID, OAuth, or OpenID Connect, we receive an access_token (and sometimes id_token) from a trusted authority. Usually we want to store it and send it along with HTTP Requests for protected resources.
There are two options to add token.
| Advantage | Disadvantage |
|---|---|
| Works on any device since it is on HTTP header | Needs to add token every time you send request |
| No CSRF required | Needs refresh token and its logic on client and server side to make it secure. |
| Mobile | |
https://stackoverflow.com/questions/37582444/jwt-vs-cookies-for-token-based-authentication
Authentication schemes
| Basic | |
|---|---|
| Bearer | |
| Digest | |
| HOBA | |
| Mutual | |
| AWS4-HMAC-SHA256 |
https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication
Authorization Header
Authentication schemes can be set on Authorization header accordingly.
Authorization: <type> <credentials>
GET / HTTP/1.1
Host: example.org
Authorization: Basic Zm9vOmJhcg==
JWT
What is JWT?
JWT is an encoding standard for tokens that contains a JSON data payload that can be signed. It is not encrypted but encoded since anybody can see it. It consists of 3 parts.
- Header
- typ - should be JWT
- alg - hashing algorithm
- Payload
- Whatever you need to transmit to client.
- Signature Signature validates if header and payload has not changed. Since JWT is base64 encode, payload can be modified easily. Although, JWT provide a little bit secure your application data by matching signature and your data.
Why we need?
Before the JWT being around, a token was just a string as access toke or session id. The server hit a database and validated access token or session id and returns data if it is valid. JWT does not need to access DB to get current user session. The data is encoded and has signature so it is hard to modify JWT.
| Advantage | Disadvantage |
|---|---|
| Make server stateless (since session is not needed) | Data can be seen if you put some. |
| Works well with micro services | Size is big 200 ~ 300KB while you just sending single user_id |
| No need to hit a DB to get session data such as current user. | CPU to compute cryptographic signatures. |
https://qiita.com/TakahikoKawasaki/items/200951e5b5929f840a1f
https://stackoverflow.com/questions/37582444/jwt-vs-cookies-for-token-based-authentication
https://christina04.hatenablog.com/entry/2016/06/07/123000
https://stormpath.com/blog/token-auth-spa
https://auth0.com/blog/cookies-vs-tokens-definitive-guide/
http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
https://medium.com/@rahulgolwalkar/pros-and-cons-in-using-jwt-json-web-tokens-196ac6d41fb4
https://developer.okta.com/blog/2017/08/17/why-jwts-suck-as-session-tokens