Authentication in simple word is just saying "Who you are😕?" for an Application. Authentication is the first step while developing an application so it is very important to understand it. In previous post we understand What is Authentication & its type.!. In this post, we're going to dive deep and understand various ways to implement authentication.
- ⛑Basic Auth
- 🍪Cookie/Session Based Auth.
- 🌐OpenID Connect
The basic authentication scheme is built into the HTTP protocol. UserID and password are Base64 encoded and send to the server with every subsequent request. The client sends HTTP requests with the Authorization header that contains the word Basic word followed by a space and a base64-encoded string username:password.
For example, to authorize as
xyz:pass the client would send
Authorization: Basic eHl6OnBhc3M=
As it should only be used with HTTPS/SSL or anyone can read the credentials.
In this method, After a user securely authenticates a session ID is generated and stored in the server memory. Then that session ID is stored in the cookie in the client browser. While the user remains logged in, the cookie is sent with every subsequent request.
At each request, the server takes a look at the session cookie to read the session ID. If it matches the data stored in its memory, it sends a response back to the browser letting it know everything’s okay and ready to go.
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
JSON web tokens work in a similar way as a bank account number on a cheque, and the signature that’s placed on it to approve the transfer of money with the cheque.
OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.