Auth 101

How can apps remember state?

Sessions

A session is a way to persist state in an application. Sessions usually have a duration and an identifier.

Tokens

A random session identifier, unique per session.

Tokens are used for authentication and verification.

Is this user really who they claim to be?

Does this user have permissions to access this resource?

How can a user prove who they are?

Possession

Inherence

Knowledge

How do we implement a simple authentication?

More questions

  • How should we create the session?
  • Where do we store the session token?
  • How do we end the session?
  • How should the client send the token to the server?

Cookies

Small chunks of information created by servers to be placed in the client during a session.

Cookies are automatically included in requests performed by the client

Cookies are the preferred way of storing session information

DO NOT PUT SESSION TOKENS IN THE LOCAL OR SESSION STORAGE

Invalidating a Session

  • Delete the session token everywhere
  • If security is critical, delete all session tokens for the user
  • Make sure that no session will ever use the same token.

How can my app access a user resource in another service/app?

OAuth 2.0

  • It is an AUTHORIZATION protocol. Not authentication
  • Commonly relies on redirection flows
  • The third-party grants the authorization code based on a client ID and client secret
  • Each authorization is scoped to certain resources
  • It is vital that a state parameter is generated per flow, to ensure that the authorization grant comes from the expected source

So, how can I let my users sign in with other identity providers in my app?

OpenID Connect (OIDC)

  • OIDC is built on top of OAuth, and it is an AUTHENTICATION protocol
  • Besides the access token, the authorization server returns an ID token (JWT) containing user data
  • JWTs are URL-safe Base64 (base64url) encoded.
  • Not random. They carry information in a JSON payload
  • Made up of 3 parts: header.payload.signature
  • Can be cryptographically signed (JWK + JWKS)
  • Can have its payload encrypted (JWE)

QUESTION: When do you think you should use JWT? What about sessions?

Use JWTs when you need stateless, scalable authentication, like for APIs, SPAs, or microservices. Use sessions when you need server-side security, easy revocation, and fine-grained session control, like in traditional web apps. (SSR?)
ChatGPT 👀

Public-key Cryptography

You know the drill.

How does it work?

How can a user prove who they are?

Possession

Inherence

Knowledge

What kind of factor is public-key cryptography?

How can I use public-key cryptography to authenticate users?

WebAuthn & Passkeys

  • WebAuthn is a specification that prescribes how public-key cryptography can be used in authentication
  • "Keys" are credentials in WebAuthn
  • Passkeys are a type of WebAuthn credential that allows passwordless authentication

Should I use Passkeys everywhere then? They are so cool!

What do you think? 🙄

What's a good auth strategy in React Router v7?

Resources

Thank you!

I'm Lucas Castro.

Founding engineer at Trinsic. We help people use digital IDs to get their identity verified online more quickly and securely.

I'm also a husband, father, latter-day saint, gamer, and life-long learner.

lucasamonrc.dev