knowledge-kitchen

App Authentication - HTTP Basic Auth, Sessions, JWT, and OAuth

Dealing with user accounts.

  1. Overview
  2. Terminology
  3. HTTP Basic Authentication
  4. Sessions
  5. JSON Web Tokens
  6. OAuth
  7. Conclusions

Overview

Concept

Apps that allow users to create accounts must authenticate those users in some way. There are several common techniques for app authentication; this page surveys four of them: HTTP Basic Authentication, session cookies, JSON Web Tokens (JWT), and OAuth 2.0.

Terminology

Authentication vs authorization

While the two words are often used interchangeably in practice, we can differentiate between authentication and authorization: authentication establishes who the user is (verifying a claimed identity, for example by checking a password), whereas authorization decides what an already-identified user is allowed to do (which resources they may read or modify). Authorization therefore depends on authentication having happened first.

Encoding vs. encryption vs. hashing

Encoding is transforming data from its raw state using a particular mapping scheme, where each part of the original data is replaced by its counterpart in the mapping. Encoding is used most often to make data portable between systems, for example to carry arbitrary bytes inside a text-only channel such as an HTTP header. Encoding can be reversed by anyone who knows the mapping scheme, and since it is most often done using well-known public schemes such as base64, it provides no secrecy at all.

Base64 encoding example

Encryption is a process of transforming data so that it can only be transformed back by someone holding a secret. Unlike encoding, the mapping is not fixed and public: it is determined by a key, and the data stays private only as long as the key does (the algorithm itself is normally public and well studied). Encryption is used most often to keep data private. In symmetric-key encryption, the same key is used to both encrypt and decrypt the data, so every party that needs to read the data must hold the secret key. In public-key encryption a pair of mathematically related keys is used: anyone may encrypt with the public key, but only the holder of the matching private key can decrypt.

Public-key encryption example

Hashing is a one-way transformation: a hash function such as SHA-256 maps input of any length to a fixed-length digest, with no key and no practical way to recover the input from the digest. Changing a single bit of the input produces an unrelated digest, which is why hashes are used to check integrity and to store passwords. For passwords the hash must also be salted and deliberately slow (PBKDF2, bcrypt or Argon2 rather than a bare SHA-256, which is fast enough for an attacker to test billions of guesses per second).

SHA256 hashing example
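The three transformations side by side, as an added example that is not part of the original page: base64 encoding round-trips with no key, a toy one-time-pad XOR cipher shows encryption depending on a key, SHA-256 shows a keyless one-way digest, and PBKDF2 shows how a password should actually be stored. The XOR cipher, the `user:password` sample and the `correct horse` password are constructed for illustration; only Python's standard library is used.

```python
import base64
import hashlib
import hmac
import os
import secrets
from typing import Optional


def encode_base64(data: bytes) -> str:
    """Encoding: a fixed, public mapping. Anyone can reverse it with decode_base64."""
    return base64.b64encode(data).decode("ascii")


def decode_base64(text: str) -> bytes:
    return base64.b64decode(text)


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Encryption (toy one-time pad): the mapping depends on a secret key.
    XOR with a random key as long as the message is the simplest symmetric
    cipher; XOR-ing again with the same key decrypts. Illustration only."""
    if len(key) != len(plaintext):
        raise ValueError("a one-time pad key must be exactly as long as the plaintext")
    return bytes(p ^ k for p, k in zip(plaintext, key))


def sha256_hex(data: bytes) -> str:
    """Hashing: keyless, one-way, fixed length (32 bytes) whatever the input size."""
    return hashlib.sha256(data).hexdigest()


PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Password storage: a per-user random salt plus a deliberately slow hash.
    A bare sha256(password) would let an attacker test billions of guesses a second."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


if __name__ == "__main__":
    secret = b"user:password"                    # constructed sample input
    print(encode_base64(secret))                 # dXNlcjpwYXNzd29yZA== : trivially reversible
    key = secrets.token_bytes(len(secret))
    ct = otp_encrypt(secret, key)
    print(ct.hex(), otp_encrypt(ct, key) == secret)  # unreadable without key; key recovers it
    print(sha256_hex(secret))                    # 64 hex chars, no way back
    salt, digest = hash_password("correct horse")
    print(verify_password("correct horse", salt, digest), verify_password("wrong", salt, digest))
```

The point to carry into the rest of the page: `encode_base64(b"user:password")` is exactly what an HTTP Basic Authentication header contains, and decoding it needs no secret; only the hashed form is safe to write to a database.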

HTTP Basic Authentication

Concept

While HTTP is a stateless protocol, it does come with a native ability to pass authentication credentials between a client and server. This is known as HTTP Basic Authentication (RFC 7617). When a client requests a protected resource without credentials, the server responds 401 Unauthorized with a WWW-Authenticate: Basic header; the client then repeats the request with an Authorization: Basic header containing the base64 encoding of username:password. Because base64 is encoding rather than encryption, the credentials are readable by anyone who can see the request, so Basic Authentication is only acceptable over TLS, and the client must re-send the password on every single request.

UML sequence diagram

HTTP Basic Authentication

Considerations

HTTP Basic Authentication has some nice advantages:

Considerations (continued)

HTTP Basic Authentication has some aspects that make it unsuitable for some common app use cases:
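The server side of the exchange just described, as an added example that is not part of the original page: it parses the Authorization header, verifies the password against a salted PBKDF2 digest with a constant-time compare, and returns the 401 challenge when credentials are missing or wrong. The user store, the `api` realm, the iteration count and the sample users and passwords are constructed for this example; note that `decode_basic_header` recovers the plaintext password with nothing but a base64 decode, which is the whole case for TLS.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed user store: username -> (salt, PBKDF2 digest). Never store
# plaintext passwords, even though Basic Auth delivers them in plaintext.
_ITERATIONS = 200_000
_USERS: dict[str, tuple[bytes, bytes]] = {}
_DUMMY = (b"\x00" * 16, b"\x00" * 32)  # used so unknown users take the same time


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)
    _USERS[username] = (salt, digest)


def make_basic_header(user: str, password: str) -> str:
    """What a client puts on every request: 'Basic ' + base64('user:pass')."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def decode_basic_header(header: Optional[str]) -> Optional[tuple[str, str]]:
    """Parse 'Authorization: Basic <base64(user:pass)>' into (user, pass), or None.
    This is all an eavesdropper needs to do too: base64 is encoding, not encryption."""
    if not header:
        return None
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        raw = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")  # RFC 7617: the first colon separates
    return user, password


def authenticate(header: Optional[str]) -> tuple[int, dict, Optional[str]]:
    """Handle one request. Returns (status, response headers, authenticated user)."""
    creds = decode_basic_header(header)
    if creds is None:
        # No or malformed credentials: challenge the client.
        return 401, {"WWW-Authenticate": 'Basic realm="api", charset="UTF-8"'}, None
    user, password = creds
    stored = _USERS.get(user)
    salt, expected = stored if stored is not None else _DUMMY
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)
    if stored is None or not hmac.compare_digest(digest, expected):
        return 401, {"WWW-Authenticate": 'Basic realm="api", charset="UTF-8"'}, None
    return 200, {}, user


if __name__ == "__main__":
    register("alice", "correct horse")
    print(authenticate(None))                                           # 401 + challenge
    print(authenticate(make_basic_header("alice", "correct horse")))    # 200, 'alice'
    print(authenticate(make_basic_header("alice", "wrong")))            # 401
    print(decode_basic_header(make_basic_header("alice", "correct horse")))
```

Every call to `authenticate` repeats the slow password hash, which is a second practical cost of Basic Authentication beyond the exposure of the password: there is no way to verify once and remember the result.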

Session Authentication

Concept

Because all web browsers support cookies, a logged-in user's browser can identify itself to the server on every request without re-sending the password. After verifying the user's credentials once, the server creates a session record on its own side, generates a long random session ID that points to that record, and returns the ID to the browser in a Set-Cookie header. The browser then attaches the cookie automatically to each subsequent request, and the server looks the ID up to recover who the user is. This is called a session cookie; the cookie itself carries no user data, only an opaque identifier that must be unguessable.

UML sequence diagram

Session Authentication

Considerations

Session authentication mechanisms have a few features that make them more suitable than HTTP Basic Authentication for web applications.

Considerations (continued)

Despite having several advantages over HTTP Basic Authentication for app developers, sessions have their limitations as well.
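A minimal server-side session store, as an added example that is not part of the original page, covering both the concept and the trade-offs above: the cookie carries only a random ID, the server holds the user and the expiry, and logout deletes the record so the ID stops working immediately. The cookie name `sid`, the thirty-minute idle timeout, and the user names are assumptions for this example; the `Set-Cookie` flags (HttpOnly, Secure, SameSite) are real attributes every session cookie should carry.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

SESSION_TTL_SECONDS = 30 * 60   # idle timeout, an assumption for this example
COOKIE_NAME = "sid"             # cookie name, likewise assumed


@dataclass
class Session:
    user: str
    expires_at: float


@dataclass
class SessionStore:
    """Server-side state. The cookie carries only an opaque random ID; everything
    about the user lives here, which is what makes logout a real revocation."""
    sessions: dict = field(default_factory=dict)

    def create(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy: unguessable
        self.sessions[sid] = Session(user, now + SESSION_TTL_SECONDS)
        return sid

    def lookup(self, sid: Optional[str], now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        session = self.sessions.get(sid) if sid else None
        if session is None:
            return None
        if now >= session.expires_at:
            del self.sessions[sid]       # expired: purge the record
            return None
        session.expires_at = now + SESSION_TTL_SECONDS  # sliding idle timeout
        return session.user

    def revoke(self, sid: str) -> None:
        self.sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value with the flags a practitioner wants: HttpOnly (no script
    access), Secure (sent over TLS only), SameSite=Lax (blunts CSRF)."""
    return (f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax; "
            f"Max-Age={SESSION_TTL_SECONDS}")


def parse_cookie_header(cookie: Optional[str]) -> dict:
    """Parse a request's Cookie header ('a=1; b=2') into a dict."""
    out = {}
    for part in (cookie or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            out[name] = value
    return out


def login(store: SessionStore, user: str) -> dict:
    """Called after the password check has already passed: issue the session."""
    return {"Set-Cookie": set_cookie_header(store.create(user))}


def current_user(store: SessionStore, request_headers: dict) -> Optional[str]:
    sid = parse_cookie_header(request_headers.get("Cookie")).get(COOKIE_NAME)
    return store.lookup(sid)


def logout(store: SessionStore, request_headers: dict) -> dict:
    sid = parse_cookie_header(request_headers.get("Cookie")).get(COOKIE_NAME)
    if sid:
        store.revoke(sid)
    return {"Set-Cookie": f"{COOKIE_NAME}=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax"}


if __name__ == "__main__":
    store = SessionStore()
    resp = login(store, "alice")
    sid = parse_cookie_header(resp["Set-Cookie"].split(";")[0])[COOKIE_NAME]
    print(current_user(store, {"Cookie": f"{COOKIE_NAME}={sid}"}))   # alice
    logout(store, {"Cookie": f"{COOKIE_NAME}={sid}"})
    print(current_user(store, {"Cookie": f"{COOKIE_NAME}={sid}"}))   # None: revoked
```

The limitation is visible in the same code: `store.sessions` is a per-process dictionary, so a second server instance or a non-browser client that does not send cookies cannot use it without a shared store such as a database or cache.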

JSON Web Token Authentication

Concept

Today’s apps often have multiple interfaces: web, native mobile app clients, desktop app clients, bots, etc., and monolithic servers are increasingly being replaced by cloud microservices. JSON Web Tokens are well-suited to this. A JWT is a self-contained token made of three base64url-encoded parts separated by dots: a header naming the signing algorithm, a payload of claims (the user ID, an expiry time, and so on), and a signature over the first two parts. Any service that holds the verification key can check the token and trust its claims without consulting a shared session store, and clients that do not use cookies can send it in an Authorization: Bearer header.

UML sequence diagram

JSON Web Token Authentication

Considerations

JSON Web Tokens (JWT) offer a few benefits over other authentication mechanisms.

Considerations (continued)

As with any authentication scheme, there are limitations and concerns in regard to JWT as well.
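An HS256 JWT issuer and verifier written from the standard library, as an added example that is not part of the original page. It shows the benefit (any holder of the key verifies the token with no stored state) and two of the concerns: the verifier pins the algorithm so a forged `"alg": "none"` token is rejected, and a token cannot be revoked before its `exp` because nothing about it is stored. The secret, the `sub` claim value and the fifteen-minute lifetime are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes, ttl_seconds: int = 900,
             now: Optional[int] = None) -> str:
    """Issue an HS256 JWT: header.payload.signature, each part base64url.
    The server keeps nothing; the token carries everything the verifier needs."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":"), sort_keys=True).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, else None.
    The algorithm is pinned to HS256 before the signature is checked: that
    defeats 'alg: none' and algorithm-confusion attacks, which rely on the
    verifier trusting the algorithm named in the attacker-controlled header."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        signature = _b64url_decode(s_b64)
    except ValueError:  # malformed base64, JSON or part count
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:  # RFC 7519: current time must be before exp
        return None
    return payload


def forge_alg_none(token: str, new_claims: dict) -> str:
    """What an attacker tries: keep the payload, edit it, declare alg 'none'
    and drop the signature. verify_jwt must reject this."""
    _, p_b64, _ = token.split(".")
    payload = dict(json.loads(_b64url_decode(p_b64)), **new_claims)
    header_b64 = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return f"{header_b64}.{_b64url_encode(json.dumps(payload).encode())}."


if __name__ == "__main__":
    secret = b"replace-with-a-long-random-key"   # assumed; load from a secret store in practice
    token = sign_jwt({"sub": "alice", "role": "user"}, secret)
    print(token)
    print(verify_jwt(token, secret))                                   # claims dict
    print(verify_jwt(forge_alg_none(token, {"role": "admin"}), secret))  # None
```

Because `verify_jwt` consults no store, deleting a user or logging them out does nothing to tokens already issued; they stay valid until `exp`. The usual mitigations are a short `ttl_seconds` combined with a refresh token, or a server-side denylist of revoked token IDs, which gives back some of the state JWTs were meant to avoid.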

OAuth

Concept

OAuth 2.0 is an open standard for delegated access control, i.e. allowing one app or website to access resources contained within another app or website on behalf of a user.

Comparison to JWT

Like JWT, OAuth relies on tokens passed between client and server for authorization. But whereas JWT is a token format, specifying which signing algorithm is used, which claims the token carries (and thus what access it grants) and how the cryptographic signature is computed, OAuth is a framework of protocol flows for obtaining and presenting access tokens, and it does not specify the token format at all: an OAuth access token may be an opaque random string that only the issuer can interpret, or it may itself be a JWT. Note also that OAuth 2.0 on its own is an authorization protocol; using it to log users in requires the OpenID Connect layer built on top of it, which adds a signed ID token (a JWT) describing who authenticated.

Example

For example, here is a sequence diagram showing how apps can use LinkedIn for delegated access control using OAuth:

Linkedin OAuth

Considerations

In practical terms of developing application authentication systems, OAuth is more complex and multilayered than JSON Web Tokens: it involves at least three parties (the user, the client app and the provider), a browser redirect, and a separate back-channel token exchange. The standard leaves a good deal of flexibility in implementation, which leads to a wide variety of implementations, so each provider's flow has to be checked against its own documentation rather than assumed to match another's.
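The authorization code flow shown in the sequence diagram, simulated end to end in one process as an added example that is not part of the original page or of LinkedIn's API. Both sides are modelled: the client builds the redirect with a `state` value and a PKCE challenge, the provider issues a single-use code and later exchanges it for an opaque bearer token, and the client checks `state` before finishing. The client ID, the two URLs, the user names and the token lifetimes are assumptions; the parameter names (`response_type`, `code_challenge`, `state`, `code_verifier`, `Bearer`) are the standard ones from RFC 6749, RFC 7636 and RFC 6750.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed client registration values for this example.
CLIENT_ID = "example-client"
REDIRECT_URI = "https://app.example/callback"
AUTHORIZE_ENDPOINT = "https://provider.example/oauth/authorize"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


# ---- Client side (the app that wants delegated access) --------------------
def start_authorization(scope: str) -> tuple[str, dict]:
    """Step 1: build the URL the user's browser is redirected to.
    Returns it plus the per-login secrets the client must remember."""
    state = secrets.token_urlsafe(16)      # ties the callback to this login attempt (CSRF)
    verifier = secrets.token_urlsafe(48)   # PKCE: proves the same client finishes the flow
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": scope, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", {"state": state, "verifier": verifier}


def handle_callback(server: "AuthorizationServer", callback_url: str, remembered: dict) -> dict:
    """Step 3: the browser comes back; verify state, then do the back-channel exchange."""
    q = _query(callback_url)
    if not hmac.compare_digest(q.get("state", ""), remembered["state"]):
        raise PermissionError("state mismatch: possible CSRF or login fixation")
    return server.token(q.get("code", ""), CLIENT_ID, REDIRECT_URI, remembered["verifier"])


# ---- Provider side (authorization server + protected resource) ------------
class AuthorizationServer:
    def __init__(self):
        self.pending_codes = {}   # code -> (client_id, redirect_uri, scope, challenge, user, expiry)
        self.access_tokens = {}   # opaque token -> (user, scope)

    def authorize(self, url: str, user: str) -> str:
        """Step 2: the user has logged in here and consented; hand back a
        short-lived, single-use code on the registered redirect URI."""
        q = _query(url)
        if (q.get("response_type") != "code" or q.get("client_id") != CLIENT_ID
                or q.get("redirect_uri") != REDIRECT_URI
                or q.get("code_challenge_method") != "S256" or not q.get("code_challenge")):
            raise ValueError("invalid authorization request")
        code = secrets.token_urlsafe(24)
        self.pending_codes[code] = (CLIENT_ID, REDIRECT_URI, q.get("scope", ""),
                                    q["code_challenge"], user, time.time() + 60)
        return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': q.get('state', '')})}"

    def token(self, code: str, client_id: str, redirect_uri: str, code_verifier: str) -> dict:
        """Step 4: exchange the code for an access token. The code is consumed here,
        so a stolen code that was already used is worthless."""
        entry = self.pending_codes.pop(code, None)
        if entry is None:
            raise PermissionError("invalid_grant")
        c_id, r_uri, scope, challenge, user, expiry = entry
        if time.time() > expiry or c_id != client_id or r_uri != redirect_uri:
            raise PermissionError("invalid_grant")
        if not hmac.compare_digest(_b64url(hashlib.sha256(code_verifier.encode("ascii")).digest()), challenge):
            raise PermissionError("invalid_grant")   # PKCE failure: not the client that started the flow
        token = secrets.token_urlsafe(32)            # opaque: the format is not OAuth's concern
        self.access_tokens[token] = (user, scope)
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600, "scope": scope}

    def resource(self, authorization_header: str) -> dict:
        """Step 5: the protected API accepts 'Authorization: Bearer <token>'."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or token not in self.access_tokens:
            raise PermissionError("invalid_token")
        user, scope = self.access_tokens[token]
        return {"user": user, "scope": scope}


if __name__ == "__main__":
    provider = AuthorizationServer()
    url, remembered = start_authorization("profile")
    callback = provider.authorize(url, "alice")          # user consents at the provider
    grant = handle_callback(provider, callback, remembered)
    print(provider.resource(f"Bearer {grant['access_token']}"))   # {'user': 'alice', 'scope': 'profile'}
```

Two of the checks are where real implementations most often go wrong: skipping the `state` comparison lets an attacker log a victim into the attacker's account, and accepting a code without the PKCE verifier lets anyone who intercepts the redirect finish the flow. Neither check appears in the simple sequence diagram, but every provider expects the client to do them.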

Conclusions

This has been a short survey of common authentication methods.