OAuth vs JWT (JSON Web Tokens): An In-Depth Comparison

Authentication is one of the core functions of applications on the internet today, one that many developers are familiar with. Yet, actually implementing authentication correctly requires understanding several standards and protocols.

Two of the most important of these authentication standards are OAuth and JWT (JSON Web Tokens).

OAuth 2.0 and OIDC Fundamentals for Authentication and Authorization

OAuth 2.0 is an industry standard for “delegated authorization,” the ability to grant an application or client access to data or features offered by another app or service. OAuth 2.0 focuses on authorization and is not prescriptive about authentication. OpenID Connect (OIDC) adds a standards-based authentication layer on top of OAuth 2.0.

In this post, we will cover the fundamentals of OAuth 2.0 and OIDC for authentication and authorization. I will discuss two common flows, namely the Implicit Flow and the Authorization Code Flow.

What Is a JWT Token?

A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret or a public/private key pair.

What Is the JSON Web Token Structure?

  • Header
  • Payload
  • Signature

Header

The header typically consists of two parts: the type of token, which is JWT, and the signing algorithm that is used, such as HMAC SHA-256 or RSA.
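The following is an added example, not code from any of the articles excerpted on this page. It builds the three-part structure just described (header, payload, signature) with HMAC SHA-256 using only the Python standard library, and then verifies a token the way a resource server should: the algorithm is pinned on the verifier side rather than read from the untrusted header, the signature is compared in constant time, and an `exp` claim is honoured. The secret, claims and timestamps are constructed sample values; `SAMPLE_SECRET`, `decode_hs256`, `with_replaced_payload` and `unsigned_variant` are names chosen here for illustration.

```python
"""Minimal HS256 JWT encoder/verifier on the standard library only.
Added example; the secret, claims and timestamps are constructed."""
import base64
import hashlib
import hmac
import json
import time

SAMPLE_SECRET = b"constructed-demo-secret-not-for-real-use"  # constructed value


def b64url_encode(raw: bytes) -> str:
    # JWTs use base64url without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that was stripped before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    # Compact JSON (no whitespace) keeps the token short.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def encode_hs256(payload: dict, secret: bytes) -> str:
    """Produce header.payload.signature with an HMAC-SHA256 signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _json_segment(header) + "." + _json_segment(payload)
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def header_of(token: str) -> dict:
    """Parse the header segment only; nothing in it is trusted yet."""
    return json.loads(b64url_decode(token.split(".")[0]))


def decode_hs256(token: str, secret: bytes, now=None) -> dict:
    """Verify the token and return its claims, or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(head_b64))
    # Pin the algorithm on the verifier side. Until the signature checks
    # out, the header is attacker controlled, so 'none' or any other
    # unexpected value is rejected rather than honoured.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in header")
    expected = hmac.new(
        secret, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(body_b64))
    exp = claims.get("exp")
    current = now if now is not None else time.time()
    if exp is not None and current >= exp:
        raise ValueError("token expired")
    return claims


def verifies(token: str, secret: bytes, now=None) -> bool:
    """True if decode_hs256 accepts the token, False on any rejection."""
    try:
        decode_hs256(token, secret, now)
        return True
    except ValueError:
        return False


def with_replaced_payload(token: str, new_claims: dict) -> str:
    """Swap the payload segment but keep the old signature.

    Used only to demonstrate that the verifier refuses a token whose
    claims no longer match the signature."""
    head_b64, _, sig_b64 = token.split(".")
    return f"{head_b64}.{_json_segment(new_claims)}.{sig_b64}"


def unsigned_variant(claims: dict) -> str:
    """An 'alg: none' token with an empty signature segment.

    Used only to demonstrate that the verifier refuses it."""
    return _json_segment({"alg": "none", "typ": "JWT"}) + "." + _json_segment(claims) + "."


if __name__ == "__main__":
    token = encode_hs256(
        {"sub": "alice", "role": "user", "exp": 2_000_000_000}, SAMPLE_SECRET
    )
    print(token)
    print(header_of(token))
    print(decode_hs256(token, SAMPLE_SECRET, now=1_700_000_000))
```

The verifier never asks the header which algorithm to use; it decides that itself and rejects anything else, which is what closes the `alg: none` and algorithm-confusion class of mistakes. Note that a token whose payload was edited after signing, or one signed under a different key, fails in exactly the same way as a garbled token, so callers only need to handle one rejection path.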

Deep Dive to OAuth2.0 and JWT (Part 4 JWT Use Case)

Up your Spring Security game!

Scenario

Assume that you are building an application for a hypothetical store chain. Each user of this application is assigned a role, and each role has a defined set of activities that it can perform (technically, the APIs that it can access). Let's say this store has the following roles and activities. (Note: this is part four in a series on JWT security best practices; parts one, two, and three can be found here, here, and here, respectively.)

  • Admin
    • Can add new stores.
    • Can add new users and assign roles to them (store admin and store user).
  • Store Manager
    • Can add new products to the store.
    • Can remove products from the store.
    • Can update product details.
  • User
    • Can view his/her details.
    • Can view all products.
    • Can view a product using product id.
    • Can get all products from a store.

Environment

We will be implementing authentication with the following tools:

Deep Dive to OAuth2.0 and JWT (Part 3)

In the previous article we introduced OAuth 2.0. In this article, let us have a look at JWT.

JSON Web Token (JWT), usually pronounced “jot,” is a standard () that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. JWTs carry information in the form of claims and are especially useful in space-constrained environments such as HTTP headers. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Understanding Security for Django Web Services, Part 1 — JSON Web Token

This blog is the first installment in a series of security-centered articles intended to help Django developers secure their deployments. In this piece, I wish to talk about the security setup required for the secure use of JSON Web Token, an authorization mechanism used when transferring information in REST frameworks such as Django REST APIs.

With business needs demanding more from web applications, product teams have moved towards lightweight application development for scalability and efficiency. This usually means building applications that expose RESTful web services, which use an Application Programming Interface (API) to interact with other applications and web services. One popular web framework that supports such an architecture is Django.