Before you can limit access to a system, you need to know who is asking for access. This is where authentication comes in. It checks whether the person or system trying to get into your app is who it claims to be. This post will explain how apps handle authentication. We'll go from basic methods to more complex ones like:
- Bearer tokens
- OAuth2
- JWT tokens
- Access and refresh tokens
- Single sign-on (SSO)
What is Authentication?
Authentication answers the questions: "Who is the user?" and "Are they allowed to use this system?". When someone tries to log in, the system checks their identity. If the identity is confirmed, the system gives them access. If not, the system denies the request.
Authentication is the first step before authorization. Authorization is covered in a different post. Before you can see data or do anything on a service, the system needs to know who you are.
Types of Authentication
Here are the different types of authentication:
1. Basic Authentication
This is the simplest type of authentication. It uses a username and password. When you log in, your username and password are put together and encoded using Base64.
Base64 is an encoding, not encryption, so anyone who can see the header can decode it. Because of that, basic authentication is not secure unless used with HTTPS. Even then, it's rarely used except for internal tools within a company.
2. Bearer Tokens
Bearer tokens are more secure than basic authentication. Instead of sending your username and password, you send an access token with each request.
When the client wants to use resources, it sends the token with its request. The API then checks the token. If the token is valid, the API sends the requested data.
Bearer tokens are now standard, especially for APIs. They are fast and don't store sessions. This makes it easier to scale APIs.
3. OAuth2 and JWT
OAuth2 is a protocol that lets users log in through a trusted provider like Google or GitHub.
Here's how it works:
- A user wants to access your resources.
- They choose to log in with Google.
- Google sends your app a JWT (JSON Web Token). This token has information about the user.
A JWT carries claims such as the user ID, email, username, and the time the token expires. It's a signed object that your app sends to the API. The API checks the signature and uses the claims to authenticate the user.
JWTs are stateless, like bearer tokens. This means you don't need to store sessions between requests. Each request can be verified on its own.
4. Access and Refresh Tokens
Modern systems use two types of tokens:
- Access tokens: These are short-lived and expire quickly.
- Refresh tokens: These are long-lived and expire much later.
Access tokens are used for API calls. When you want to get data from the API, you send the access token.
Refresh tokens are used to get new access tokens. When the access token expires, you use the refresh token to get a new one. This happens behind the scenes, so users stay logged in. This also keeps the system secure, because the access token is renewed often.
Keep refresh tokens on the server side for security.
5. Single Sign-On (SSO) and Identity Protocols
Single sign-on (SSO) lets users log in once and access multiple services. For example, when you log into Google, you can use Gmail, Drive, and Calendar.
SSO uses protocols like SAML or OAuth2. OAuth2 is now more common for modern apps that let you log in with Google, GitHub, or other providers. It is modern and uses JSON. SAML is older and uses XML. SAML is still used in older systems and companies that use Salesforce or internal dashboards.
These identity protocols define how apps share user login information securely.
Authentication vs. Authorization
Authentication is just the first step. It tells you who the user is and if they can access your service. After authentication, there is authorization.
Authorization tells you what resources the user can access. It defines what the user can do in your system.
Conclusion
Understanding the different types of authentication is important for building secure applications. From basic authentication to single sign-on, each method has its pros and cons. By choosing the right authentication method, you can protect your system and provide a better user experience.