Authenticating users to your web apps ensures that the wrong people don't get access to your service. Without strong authentication and proper implementation strategies, your service could be compromised, which could mean anything from stolen user data to the permanent shutdown of the business or organization your web services support.
Now that we know that our communication has been secured, we can discuss authentication and authorization methodologies. In the world of secure web applications, proper authentication and authorization are critical techniques you must master in order to protect your systems and your users' data. First, we'll walk through the steps and mechanisms involved in authentication before moving on to authorization.

The first step in authentication is to initialize the authentication mechanism itself. This is the handshake that verifies with whom the server is communicating. This handshake can be accomplished in different ways.

Handshake number one: key-based authentication, such as a user name and password. This can be in the form of any unique identifier (the user name) and a client-known secret (the password). This gives you full control over the login process, and it is a completely valid process to use. However, you now have the burden of keeping these details secure and away from attackers who would expose those credentials and publish them for the world to exploit. We'll talk about some best practices in just a few minutes.

Handshake number two: OAuth. Both OAuth 1.0 and OAuth 2.0 are advanced authentication protocols used by many popular services such as Google, Facebook, Twitter, and GitHub. A website will request authentication from this third-party service. Then the logged-in user will verify that they wish to share those details with this new site.

Handshake number three: single sign-on. Instead of being per site, the single sign-on mechanism is often used in enterprise environments to authenticate the same user on different portals or organization sites over the same browser session. In essence, the identification is passed from one application to another without the user having to initialize anything manually.

This initialization step is technically the only step required for authentication. HTTP basic authentication works by using only this step: it sends the user name and password with each request. This technique is most often used to grab data through a single request. If you want to keep a user logged in throughout your site, you'll also need to follow step two, which is to store the identification of that user on the user's machine, most often referred to as the client.

Step two: store the identification. There are two main ways to store the identification of the client browser: sessions and tokens.

In session-based authentication, the server does all the heavy lifting. After the client authentication from step one, the server passes a unique identifier to the client. This session ID is typically stored in a cookie and attached to every subsequent request. The session ID is just an identifier, and the server does everything else: it associates the identifier with a user account, restricts or limits the session to certain operations or a certain time period, invalidates the session if there are security concerns, and logs the user's every move on the website. I want to point out that sessions can be used to track website visitors without authenticating them to a specific user.

In token-based authentication, no session is stored on the server. After the client authentication from step one, the client receives a token. This token not only provides a means to identify the client, but it also stores additional user information. Tokens can also be distributed to external applications as a form of authentication across multiple domains. Another advantage of using tokens is the ability to revoke tokens at any time, and thus restrict access once more. You should create a separate token for each application. Tokens are used for both OAuth and single sign-on. Additionally, you can use tokens even if you write your own authentication. The most common implementation is through the use of JSON Web Tokens, or JWT, pronounced "jot". A JWT is available for use in any language and is covered in depth in other Treehouse courses. Check the teacher's notes for more information.

The complexity of authentication is apparent. We need to choose the right implementation strategy, the types of libraries we will use, and how we will store the data we use for authentication. If you're trying to quickly build an application and you don't want to worry about the issues that come with storing user credentials, then using a third-party login service such as Facebook, Google, or GitHub is a great choice. If you need to control the login process more in depth, then it's completely fine to store your own credentials, but you now have the burden of keeping those credentials secure.
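As an added example (not code from the Treehouse course), here is a minimal in-memory Python sketch of the two step-two storage strategies described above: a server-side session store that the server can invalidate, beside a self-contained HMAC-signed token that carries the user data, expires, and can be revoked. The token format is a simplified JWT-like construction, not the JWT standard itself; the function names, the in-memory stores and the signing key are assumptions for illustration.

```python
# Added example (hypothetical, not from the course): session-based vs token-based storage.
import base64, hmac, hashlib, json, secrets, time

# --- Session-based: the server keeps all state; the client only holds an opaque ID ---
SESSIONS = {}          # session_id -> {"user": ..., "expires": ...}

def create_session(user, ttl=3600):
    sid = secrets.token_urlsafe(32)          # unguessable identifier, sent to the client in a cookie
    SESSIONS[sid] = {"user": user, "expires": time.time() + ttl}
    return sid

def session_user(sid):
    s = SESSIONS.get(sid)
    if s is None or s["expires"] < time.time():
        SESSIONS.pop(sid, None)              # unknown or expired: treat as logged out
        return None
    return s["user"]

def invalidate_session(sid):
    SESSIONS.pop(sid, None)                  # the server can end the session at any time

# --- Token-based: no server-side session; the token carries the claims plus a signature ---
SECRET = secrets.token_bytes(32)             # signing key known only to the server
REVOKED = set()                              # token IDs revoked before their expiry

def _b64(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user, ttl=3600):
    claims = {"sub": user, "exp": int(time.time()) + ttl, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"                   # client stores this and presents it on each request

def token_user(token):
    try:
        body, sig = token.split(".")
    except ValueError:
        return None                          # malformed token
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None                          # tampered or forged: constant-time comparison fails
    claims = json.loads(_unb64(body))
    if claims["exp"] < time.time() or claims["jti"] in REVOKED:
        return None                          # expired or explicitly revoked
    return claims["sub"]

def revoke_token(token):
    body = token.split(".")[0]
    REVOKED.add(json.loads(_unb64(body))["jti"])   # revocation needs a small server-side list
```

Note that revoking a stateless token before it expires reintroduces a little server-side state (the revocation set), which is the trade-off the lecture alludes to when it says tokens can be revoked at any time.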