Authentication and Authorization

Authentication

The process in which we verify that a user is who they say they are. For instance, using a name and a secret phrase (a password) to prove that you are that user.


Authorization

The act of verifying that a user is allowed to do what they are trying to do. Example: can godzilla@monster-fights.com request to schedule a new fight?


There are many solutions to this problem.

Cookie-based authentication vs Token-based authentication

Cookies!

- based on sessions

- validated based on domains

- stateful

Tokens

- temporarily valid, signed string (e.g. based on a public/private key pair)

- decoupled from domains

- stateless

JSON Web Token (JWT)

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Let's build this out

OAuth

OAuth (Open Authorization) is an open standard for token-based authentication and authorization on the Internet.

Implementation!

Authentication and Authorization, by Mark Dewey
