Bearer Authorization
Write the following steps in the correct order:
- Register your application to get a client_id and client_secret
- Ask the user if they want to sign in via a third party
- Redirect to the third party's authorization (authentication) endpoint
- Receive an authorization code at your registered redirect URI
- Make a request to the access token endpoint, exchanging the code together with your client_id and client_secret
- Receive an access token
- Make a request to a third-party API endpoint, presenting the access token as a Bearer credential
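The ordered steps above, simulated in-process as an added example (this is not code from the original notes or from any real provider): a toy authorization server, a registered client application, and a driver that walks through registration, redirect, code, token exchange and the final API call. The endpoint URLs, the `profile` scope and API, and all names are assumptions for illustration; nothing leaves the process.

```python
# Added example, not the original page's code. Server, client, URLs and the
# "profile" scope/API are constructed for illustration only.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    """Toy third party: authorization endpoint, token endpoint and one API."""

    def __init__(self):
        self.clients = {}   # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}     # authorization code -> (client_id, redirect_uri, scope, user)
        self.tokens = {}    # access token -> (user, scope)

    def register(self, redirect_uri):
        """Step 1: registration yields a public client_id and a client_secret."""
        client_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self.clients[client_id] = {"secret": secret, "redirect_uri": redirect_uri}
        return client_id, secret

    def authorize(self, query, user):
        """Steps 3-4: the browser arrives with the client's query string; after
        login and consent the server redirects back with a short-lived,
        single-use code and echoes the client's state value untouched."""
        q = {k: v[0] for k, v in parse_qs(query).items()}
        client = self.clients.get(q.get("client_id"))
        if client is None or client["redirect_uri"] != q.get("redirect_uri"):
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], q["redirect_uri"], q.get("scope", ""), user)
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q.get("state", "")})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 5-6: the client proves it holds the secret and exchanges the code."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        record = self.codes.pop(code, None)            # pop: a code is single-use
        if record is None or record[0] != client_id or record[1] != redirect_uri:
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (record[3], record[2])
        return {"access_token": token, "token_type": "Bearer", "scope": record[2]}

    def api_profile(self, authorization_header):
        """Step 7: a protected API that only honours a valid Bearer token with scope."""
        scheme, _, token = authorization_header.partition(" ")
        entry = self.tokens.get(token) if scheme == "Bearer" else None
        if entry is None or "profile" not in entry[1].split():
            raise PermissionError("invalid_token")
        return {"user": entry[0]}


class ClientApp:
    """The registered application (assumed redirect URI)."""

    REDIRECT_URI = "https://app.example/callback"

    def __init__(self, server):
        self.server = server
        self.client_id, self.client_secret = server.register(self.REDIRECT_URI)
        self.pending_state = None
        self.access_token = None

    def login_url(self):
        """Steps 2-3: the user chose third-party sign-in; build the redirect."""
        self.pending_state = secrets.token_urlsafe(16)   # CSRF guard for the callback
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.REDIRECT_URI, "scope": "profile",
                  "state": self.pending_state}
        return "https://auth.example/authorize?" + urlencode(params)

    def handle_callback(self, url):
        """Steps 4-6: check state, then exchange the code for an access token."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if not hmac.compare_digest(q.get("state", ""), self.pending_state or ""):
            raise PermissionError("state mismatch: possible CSRF")
        self.pending_state = None
        resp = self.server.token(self.client_id, self.client_secret, q["code"], self.REDIRECT_URI)
        self.access_token = resp["access_token"]
        return q["code"]

    def fetch_profile(self):
        """Step 7: present the token as a Bearer credential."""
        return self.server.api_profile("Bearer " + self.access_token)


def run_flow(user="alice"):
    """Drive the whole flow once; return (profile, used code, server, app)."""
    server = AuthorizationServer()
    app = ClientApp(server)
    url = app.login_url()
    callback = server.authorize(urlparse(url).query, user)  # the browser follows the redirect
    code = app.handle_callback(callback)
    return app.fetch_profile(), code, server, app


if __name__ == "__main__":
    profile, code, server, app = run_flow()
    print(profile)
```

Two details are the ones that matter in practice: the token endpoint pops the code so a replayed or leaked code is rejected, and the client compares the returned state to the one it generated so an attacker cannot plant their own code into a victim's session.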
What can you do with an authorization code?
- Exchange it, once, for an access token. The authorization server hands the code to your application (via the user's browser, on your registered redirect URI) after the user has authenticated and consented. The code is short-lived and single-use and grants no API access on its own; your application sends it to the token endpoint together with its client_id and client_secret and gets back the access token.
What can you do with an access token?
- Access tokens are what applications use to make API requests on behalf of a user. The access token represents the authorization of a specific application to access specific parts (scopes) of a user's data. It is a bearer credential: whoever presents it gets the access it represents, so it must be kept confidential in transit (TLS only) and in storage, and it should be short-lived.
What’s a benefit of using OAuth instead of your own basic authentication?
- It enables apps to obtain limited access (scopes) to a user’s data without giving away a user’s password. It decouples authentication from authorization and supports multiple use cases addressing different device capabilities. It supports server-to-server apps, browser-based apps, mobile/native apps, and consoles/TVs
Document the following Vocabulary Terms.
`Client ID`
The public identifier the authorization server issues for your application when you register it. It is sent in the redirect to the authorization endpoint and in requests to the token endpoint so the server knows which registered application (and which registered redirect URI) is involved. It is not a secret; it appears in browser URLs.
`Client Secret`
Client Secret (OAuth 2.0 client_secret) is a secret used by the OAuth Client to authenticate to the Authorization Server, typically when it exchanges an authorization code at the token endpoint. The Client Secret is known only to the OAuth Client and the Authorization Server. It must be sufficiently random to not be guessable, and it must never be shipped to browsers or mobile apps, where it cannot be kept secret.
`Authorization Endpoint`
The URL on the third party's authorization server to which your application redirects the user's browser (the "authentication endpoint" in the steps above). The user authenticates to the third party there and consents to the scopes your application asked for; the server then redirects the browser back to your registered redirect URI carrying an authorization code.
`Access Token Endpoint`
The token endpoint is where apps make a request to get an access token for a user. The app sends the authorization code it received together with its client_id and client_secret; the authorization server validates the client and the code and returns the access token (with its type, Bearer, and the granted scope) or an error.
`Authorization Code`
A short-lived, single-use code the authorization server returns to your application's redirect URI after the user has authenticated and consented. By itself it grants no API access; its only use is to be exchanged at the token endpoint, and the server must reject any attempt to reuse it.
`Access Token`
A credential an application presents (in the Authorization: Bearer header) to call an API on behalf of a user. It represents which application may access which parts of the user's data (scopes) and for how long. It may be an opaque string the authorization server looks up, or a self-contained signed token such as a JWT that embeds the user, permissions, groups and timeframes in one token passed from the server to the user's device.
Preview
Which 3 things had you heard about previously and now have better clarity on?
- Insertion into a linked list
- authentication & authorization
- Access Token
Which 3 things are you hoping to learn more about in the upcoming lecture/demo?
- JWT.
- auth0.
- Bearer Authorization
What are you most excited about trying to implement or see how it works?
JWT
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for transmitting information between parties as a JSON object. The information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. A signature gives integrity and authenticity, not confidentiality: the header and payload are only base64url-encoded, so anyone holding the token can read them (encrypting the contents needs JWE, a separate standard).
When should you use JSON Web Tokens?
- Authorization
- Information Exchange
JSON Web Token structure
- Header
- Payload
- Signature
How do JSON Web Tokens work?

- The application or client requests authorization from the authorization server. This is performed through one of the different authorization flows. For example, a typical OpenID Connect compliant web application will go through the /oauth/authorize endpoint using the authorization code flow.
- When the authorization is granted, the authorization server returns an access token to the application.
- The application uses the access token to access a protected resource (like an API), sending it in the Authorization: Bearer header. The resource checks the token's algorithm, signature and expiry before trusting any claim in it.
Benefits of JSON Web Tokens (JWT) compared to Simple Web Tokens (SWT) and Security Assertion Markup Language Tokens (SAML)
- As JSON is less verbose than XML, when it is encoded its size is also smaller, making JWT more compact than SAML. This makes JWT a good choice to be passed in HTML and HTTP environments.
- Regarding usage, JWT is used at Internet scale. This highlights the ease of client-side processing of the JSON Web Token on multiple platforms, especially mobile.
- Security-wise, SWT can only be symmetrically signed by a shared secret using the HMAC algorithm. However, JWT and SAML tokens can use a public/private key pair in the form of an X.509 certificate for signing.