Authentication in simple word is just saying "Who you are😕?" for an Application. Authentication is the first step while developing an application so it is very important to understand it. In previous post we understand What is Authentication & its type.!. In this post, we're going to dive deep and understand various ways to implement authentication.
What we're going to discuss
- ⛑Basic Auth
- 🍪Cookie/Session Based Auth.
- 🔑JWT
- 🌐OpenID Connect
⛑Basic Auth
The basic authentication scheme is built into the HTTP protocol. UserID and password are Base64 encoded and send to the server with every subsequent request. The client sends HTTP requests with the Authorization header that contains the word Basic word followed by a space and a base64-encoded string username:password.
For example, to authorize as xyz:pass the client would send
Authorization: Basic eHl6OnBhc3M=
As it should only be used with HTTPS/SSL or anyone can read the credentials.
🍪Cookie/Session Based Auth.
In this method, After a user securely authenticates a session ID is generated and stored in the server memory. Then that session ID is stored in the cookie in the client browser. While the user remains logged in, the cookie is sent with every subsequent request.
At each request, the server takes a look at the session cookie to read the session ID. If it matches the data stored in its memory, it sends a response back to the browser letting it know everything’s okay and ready to go.
🔑JWT
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
JSON web tokens work in a similar way as a bank account number on a cheque, and the signature that’s placed on it to approve the transfer of money with the cheque.
🌐OpenID Connect
OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
Top comments (4)
Hey nice article and topic u have chosen to explain,It was indeed good.
But In your Session/Cookie based method,
U mentioned in the picture that session ID is validated against Database.
But in your explanation u mentioned it as Session ID storage in server memory and respond with Cookie.
So basically all I'm saying from my understanding after reading it,picture says one thing and explanation says other. So it's little bit misleading
Ok, let me simplify it for you. When a session ID is created on the server side it is stored on memory-based DB like Redis/Memcached because of their high read & write. And Cookie is just a wrapper on which we store the session ID because the browser sends cookies with every subsequent request. When the server receives a request it unwrapped the cookies and extract session ID check against memory-based DB and tada🎉 you are authenticated
useful article
JWT tokens could have been explained a bit more in detail.