The process of verifying that a user is who they claim to be. For instance, presenting a name and a secret phrase (a password) to prove that you are that user.
Authorization
The act of verifying that a user is allowed to do what they are trying to do. Example: may godzilla@monster-fights.com request to schedule a new fight?
There are many solutions to this problem.
Cookie-based authentication vs Token-based authentication
Cookies!
- based on sessions
- validated based on domains
- stateful
Tokens
- a temporarily valid string, signed with a secret or a public/private key pair
- decoupled from domains
- stateless
JSON Web Token (JWT)
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
Let's build this out
OAuth
OAuth (Open Authorization) is an open standard for token-based authentication and authorization on the Internet.