Authentication and Authorization 101 for developers

Karen Su
8 min read · Jun 20, 2023


In a typical login scenario, a user would first authenticate by entering a username and password. Once their identity is confirmed, the system would then check what permissions that user has, based on the authorization rules that have been set up.

What are the concepts and tools used in software engineering to make this work?

This article summarizes the basics, plus some in-depth key points, for all of the scenarios listed below.

  • If my project is small and simple, frontend only (a lightweight Node.js server), I don’t have a backend team with a Flask app or Java Spring Boot app, and I just want to add some login pages.
  • If my project is medium-sized and has a backend team that provides APIs to support my front-end application, and they handle authentication.
  • If my project is part of a big project, we have different components talking to different backends, and we use a micro-service architecture on both frontend and backend.

For all these cases, we could use a third-party identity platform, either open source or a paid commercial one, to save some effort on our side, or build it ourselves. Just follow the 3B principle: can we borrow? If not, can we buy? If not, we build.

First thing, let us start with some basic concepts.

What are the main authentication mechanisms?

1. Password-Based Authentication: This is the most common form of authentication. In this method, the user is required to enter a username and password. The server then validates the entered password against a stored password associated with that username.

2. Two-Factor Authentication (2FA): This method requires the user to provide two forms of identification. Usually, it’s something the user knows (like a password) and something the user has (like a one-time passcode sent to their phone).

3. Multi-Factor Authentication (MFA): Similar to 2FA but requires more than two forms of identification. This might include biometric data like a fingerprint or facial recognition, in addition to a password and a one-time passcode.

4. Certificate-Based Authentication: In this method, a client presents a digital certificate to prove its identity. The server then verifies the certificate against a trusted Certificate Authority.

5. Biometric Authentication: Involves the use of unique biological characteristics like fingerprints, voice, facial recognition, iris or retinal patterns, etc.

6. Token-Based Authentication: This involves generating a token upon successful login, which is then used to authenticate subsequent requests. JWT (JSON Web Tokens) is a popular form of token-based authentication.

7. Single Sign-On (SSO): A method where a user logs in with a single ID and password to gain access to a multitude of different systems without being prompted for different usernames and passwords.

8. OAuth/OpenID Connect: These are open standards for token-based authentication and authorization which are widely used in web, mobile and API security.

For communication between frontend and backend apps, token-based authentication over HTTPS is the mainstream choice. Naturally, the next question is -

What are the ways to send auth tokens?

1. Basic Authentication: This is a simple authentication scheme built into the HTTP protocol. The client sends the username and password, separated by a single colon (“:”) and base64-encoded, in the Authorization header.

2. Digest Authentication: This is a method of HTTP authentication that applies a cryptographic hashing function to a password before sending it over the network, which is safer than Basic Authentication.

3. Cookies: Cookies can be used to store session identifiers (tokens) that can be used to authenticate a client. This is most common in traditional web applications, where a session ID is stored in a cookie and sent with each request to the server.

4. URL Parameters: Tokens can be sent as parameters in the URL or in the body of HTTP requests. This is less secure and not generally recommended, as URLs can be stored in logs or browser history.

5. OAuth 2.0: While not a way of sending tokens per se, OAuth 2.0 defines several “flows” or methods for obtaining tokens, which are then usually sent as Bearer tokens.

6. Bearer Tokens: A Bearer Token is an arbitrary token that is given to the client and can be used without any additional secret or key. The client sends this token in the Authorization header of HTTP requests. The word “Bearer” indicates that the client only needs to ‘bear’ the token to access the resources. No additional proof or cryptographic material is required. However, this also means that if the Bearer Token is stolen, it can be used by anyone to access the resources it protects.

Remember, the security of these methods can vary significantly. Bearer tokens are generally considered a secure and standard way to handle token-based authentication, especially if the connection is encrypted with HTTPS. Regardless of the method you choose, it’s important to ensure the security of your users’ data.
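To make the Basic and Bearer schemes above concrete, here is an added example (not code from the original article) of a server parsing the Authorization header. It assumes a constructed user store and a constructed session table; the point it illustrates is that Basic credentials must be split on the first colon only, and that a bearer token proves nothing beyond possession.

```python
import base64
import hmac

# Constructed sample credential store (username -> password). A real service keeps
# salted password hashes; plaintext is used here only to keep the example self-contained.
USERS = {"alice": "s3cret:with:colons"}
# Constructed sample of issued bearer tokens (token -> username), e.g. a session table.
SESSIONS = {"tok-9f8e7d": "alice"}

def basic_header(user, password):
    """Client side: 'user:password', base64-encoded, in the Authorization header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

def parse_authorization(header):
    """Split an Authorization header into (scheme, credentials); (None, None) if malformed."""
    if not header:
        return None, None
    parts = header.strip().split(None, 1)
    if len(parts) != 2:
        return None, None
    return parts[0].lower(), parts[1].strip()

def authenticate_basic(credentials):
    """Decode and check Basic credentials. Split on the FIRST colon only:
    usernames may not contain ':' but passwords may (RFC 7617)."""
    try:
        decoded = base64.b64decode(credentials, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    if ":" not in decoded:
        return None
    user, password = decoded.split(":", 1)
    expected = USERS.get(user)
    # compare_digest keeps the comparison time independent of where the mismatch is
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        return user
    return None

def authenticate_bearer(token):
    """Possession is the whole proof: whoever presents a valid token is that user."""
    return SESSIONS.get(token)

def authenticate(header):
    """Dispatch on the scheme; unknown or missing schemes authenticate nobody."""
    scheme, credentials = parse_authorization(header)
    if scheme == "basic":
        return authenticate_basic(credentials)
    if scheme == "bearer":
        return authenticate_bearer(credentials)
    return None
```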

To dig a bit deeper,

What are the token formats used in these methods?

1. Opaque Tokens: These are tokens that contain no readable information about the user. They are simply identifiers that the server can use to look up the token information stored on the server side. This approach is common when using OAuth2 with the Authorization Code flow.

2. PASETO (Platform-Agnostic SEcurity TOkens): PASETO is an alternative to JWT proposed to address some of the criticisms of JWT, such as its numerous optional features that can lead to security issues if misused. PASETO offers similar functionality to JWT but with a smaller, more secure set of options.

3. Macaroons: Macaroons are a format for bearer tokens that originated at Google. They are similar to cookies and provide a way to encode caveats that specify the conditions under which a token is valid.

4. SAML (Security Assertion Markup Language): SAML assertions can sometimes be used as bearer tokens, although this is less common than using SAML for Single Sign-On scenarios. SAML is XML-based and typically more verbose than something like JWT.

5. SWT (Simple Web Token): SWT is another token format that was used in some early versions of Azure Active Directory, but it is less common today.

6. JWT (JSON Web Tokens): JWT is a specific format of token that is often used as a Bearer Token. JWTs contain JSON data that is digitally signed, allowing the receiver to verify that the data has not been tampered with. The JSON data usually contains information (or “claims”) about the user, as well as metadata like the issuer and expiration time of the token. JWTs are often used in Bearer Token scenarios, where the client presents the JWT in the Authorization header of HTTP requests.

JWT (JSON Web Tokens) is indeed one of the most popular token formats used for Bearer tokens, especially in OAuth2 and OpenID Connect scenarios.
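The following is an added example (not from the original article) that builds and verifies an HS256 JWT with only the standard library, to show what "digitally signed" and "claims" mean in practice. It uses a constructed demo key and a constructed issuer name; the verifier pins the algorithm, checks the signature before trusting any claim, and then enforces the issuer and expiry claims.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo signing key; a real service loads it from a secrets store.
SECRET = b"constructed-demo-key-do-not-reuse"

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims, key=SECRET):
    """Build header.payload.signature, signed with HMAC-SHA256 (HS256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"

def verify_jwt(token, issuer, key=SECRET, now=None):
    """Return the claims only if alg, signature, issuer and expiry all check out.

    Raises ValueError otherwise. The algorithm is pinned by the verifier, so a
    header claiming "alg": "none" or another algorithm is rejected up front.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time compare, and the signature is checked before any claim is trusted.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired")
    return claims
```

Libraries such as pyjwt or JJWT do the same work with more options; the order of checks (algorithm, signature, then claims) is what matters.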

Finally, we will put all Lego pieces together -

What are the popular commercial and open source third-party libraries and service providers?

Build it yourself, for learning purposes or for a very simple backend service with an auth feature:

1. Python Flask stack:

· Flask: Flask is a lightweight web application framework. It is highly adaptable and can be used in a wide variety of applications.

· Flask-JWT-Extended: Flask-JWT-Extended extends Flask-JWT to add support for additional features like fresh tokens, token revoking, and token blacklisting. This library makes it simple to add JWT token-based authentication to Flask apps.

· Flask-SQLAlchemy: Flask-SQLAlchemy is an extension for Flask that simplifies the use of SQLAlchemy with Flask by providing helpful defaults and extra helpers that make it easier to accomplish common tasks.

· Flask-Migrate: Flask-Migrate is a wrapper for Alembic, a database migration framework for SQLAlchemy. It gives you the ability to create, modify, and delete database tables.

· pyjwt: pyjwt is a Python library which allows you to encode, decode, verify signatures, and perform other operations on JWTs.

· Flask-CORS: If you’re building an API and you want to allow cross-origin requests, you’ll need to use Flask-CORS. This library handles the server side of CORS for you.

2. Java Spring Boot stack:

· Spring Boot Starter Web: This is a starter for building web applications, including RESTful applications, using Spring MVC. It uses Tomcat as the default embedded container.

· Spring Boot Starter Security: This starter adds security features to your application, like authentication and authorization. It is highly customizable and integrates well with Spring MVC.

· Spring Boot Starter Data JPA: This is a starter for using Spring Data JPA with Hibernate. It simplifies database operations and supports a wide variety of databases.

· Spring Boot Starter Validation: This is a starter for using Java Bean Validation with Hibernate Validator.

· JJWT: JJWT is a Java library providing end-to-end JSON Web Tokens creation and verification. It’s a simple and easy-to-use library for creating JWTs.

· MySQL Connector Java (or any other JDBC driver): This library is necessary for connecting to a MySQL database from your Spring Boot application.

More complex open source frameworks:

1. FreeIPA: FreeIPA is an integrated security information management solution combining Linux, 389 Directory Server, MIT Kerberos, NTP, DNS, and Dogtag (Certificate System). It offers features such as centralized authentication, authorization, and account information.

2. OpenIAM: OpenIAM provides a comprehensive solution for identity management, access management, identity governance, and password self-service. It provides a robust set of REST APIs and supports various standards such as SAML, SCIM, SPML, and more.

3. CAS (Central Authentication Service): CAS is an enterprise multilingual single sign-on solution for the web and attempts to be a comprehensive platform for your authentication and authorization needs.

4. Gluu: Gluu offers an open-source IAM platform that includes features like single sign-on, two-factor authentication, and access management. It’s designed to help organizations deliver a central authentication and authorization service.

5. Shibboleth: Shibboleth is a web-based single sign-on system that provides identity federation and SSO solutions. It uses SAML protocol and offers identity provider (IdP) and service provider (SP) software.

6. WSO2 Identity Server: WSO2 Identity Server is an API-driven open-source IAM product designed to help you build effective customer identity and access management (CIAM) solutions. It supports protocols such as OpenID Connect, SAML, and XACML.

7. Keycloak: Keycloak is an open-source Identity and Access Management (IAM) solution aimed at modern applications and services. It is developed and primarily maintained by Red Hat. It is a comprehensive solution for managing authentication and authorization in a wide variety of applications and services.

Commercial ones:

1. Auth0: Auth0 provides a universal authentication and authorization platform for web, mobile, and legacy applications. It supports a variety of identity providers, including social networks and enterprise identity systems, which can be seamlessly integrated with minimal code.

2. Microsoft Azure Active Directory (Azure AD): Azure AD is Microsoft’s cloud-based IAM service. It provides features like single sign-on, multi-factor authentication, and identity protection. Azure AD is deeply integrated with Microsoft’s suite of cloud services like Office 365 and Microsoft Teams.

3. Ping Identity: Ping Identity offers a suite of solutions for single sign-on, multi-factor authentication, and API security. Ping is used by many large organizations for its enterprise-level capabilities.

4. Duo Security (now owned by Cisco): Duo Security provides a trusted access platform to secure organizations. It provides solutions for two-factor authentication, endpoint security, and secure single sign-on.

5. ForgeRock: ForgeRock offers a comprehensive digital identity platform to securely identify, connect, and manage users, devices, and things. It can handle complex use cases for consumers, employees, and IoT devices.

6. OneLogin: OneLogin’s cloud identity platform comes with a catalogue of pre-integrated apps for single sign-on, and it supports multi-factor authentication, lifecycle management, and other features.

7. Okta: Okta is a commercial product that is primarily provided as a cloud-based service (SaaS), although they do offer options for on-premise deployment. Okta provides a range of products, including single sign-on (SSO), multi-factor authentication (MFA), Active Directory (AD) and LDAP integration, and more. Okta can use standards like OAuth 2.0, OpenID Connect, and SAML to provide its services.

That’s it!
