Authenticating users to your web apps ensures that the wrong people don't get access to your service. Without strong authentication and a proper implementation strategy, your service could be compromised, with consequences ranging from stolen user data to the permanent shutdown of the business or organization your web services support.
Documentation

- JSON Web Tokens (JWT)
- Treehouse: Building a JWT, by Alena Holligan
- Single-Sign-On
- OAuth
- OAuth 2.0
- HTTP Basic Auth
Now that we know that our communication has been secured, we can discuss authentication and authorization methodologies. In the world of secure web applications, proper authentication and authorization are critical techniques you must master in order to protect your systems and users' data. First, we'll walk through the steps and mechanisms involved in authentication before moving on to authorization.

The first step in authentication is to initialize the authentication mechanism itself. This is the handshake that verifies with whom the server is communicating. This handshake can be accomplished in different ways.

Handshake number one: key-based authentication, such as a username and password. This can be in the form of any unique identifier (the username) and a client-known secret (the password). This gives you full control over the login process. This is a completely valid process to use. However, you now have the burden of keeping these details secure and away from attackers that would expose those credentials and publish them for the world to exploit. We'll talk about some best practices in just a few minutes.

Handshake number two: OAuth. Both OAuth 1.0 and OAuth 2.0 are advanced authentication protocols that are used by many popular services such as Google, Facebook, Twitter, and GitHub. A website will request authentication from this third-party service. Then the logged-in user will verify that they wish to share those details with this new site.

Handshake number three: single sign-on. Instead of being per site, the single sign-on mechanism is often used in enterprise environments to authenticate the same user on different portals or organization sites over the same browser session. In essence, the identification is passed from one application to another without the user having to initialize anything manually.

This initialization step is technically the only step required for authentication. HTTP basic authentication works by using only this step. It sends the username and password with each request. This technique is most often used to grab data through a single request. If you want to keep a user logged in throughout your site, you'll also need to follow step two, which is to store the identification of that user on the user's machine, most often referred to as the client.

Step two: store the identification. There are two main ways to store the identification of the client browser: sessions and tokens.

In session-based authentication, the server does all the heavy lifting. After the client authentication from step one, the server passes a unique identifier to the client. This session ID is typically stored in a cookie and attached to every subsequent request. This session ID is just an identifier, and the server does everything else: it associates the identifier with a user account, restricts or limits this session to certain operations or a certain time period, invalidates this session if there are security concerns, and logs the user's every move on the website. I want to point out that sessions can be used to track website visitors without authenticating them to a specific user.

In token-based authentication, no session is stored on a server. After the client authentication from step one, the client receives a token. This token not only provides a means to identify the client, but it also stores additional user information. Tokens can also be distributed to external applications as a form of authentication across multiple domains. Another advantage of using tokens is the ability to revoke tokens at any time, and thus restrict access once more. You should create a separate token for each application. Tokens are used for both OAuth and single sign-on. Additionally, you can use tokens even if you write your own authentication. The most common implementation is through the use of JSON Web Tokens, or JWT, pronounced "jot". A JWT is available for use by any language and is covered in depth in other Treehouse courses. Check the teacher's notes for more information.

The complexity of authentication is apparent. We need to choose the right implementation strategy, the types of libraries we will use, and how we will store the data we use for authentication. If you're trying to quickly build an application and you don't want to worry about the issues that come with storing user credentials, then using a third-party login service such as Facebook, Google, or GitHub is a great choice. If you need to control the login process more in depth, then it's completely fine to store your own credentials, but you now have the burden of keeping those credentials secure.
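The two "step two" strategies the video contrasts, as an added Python example that is not part of the course or the video: a stateless HS256 JWT that carries the subject and an expiry inside the token, beside a server-side session store that hands the client only an opaque random ID and can invalidate it at will. The signing key, user names and timestamps are constructed for illustration; a real deployment loads the key from a secret store and sends both token and session ID only over the TLS connection covered earlier.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"demo-signing-key-for-illustration"   # constructed; load from a secret store in practice

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(user: str, ttl: int, now: int) -> str:
    """Token-based: an HS256 JWT carrying the subject and an expiry; the server keeps no state."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": user, "exp": now + ttl}, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, now: int):
    """Return the subject if the signature checks out and the token is unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":   # reject alg=none etc.
            return None
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):     # constant-time compare
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, AttributeError):        # bad base64, bad JSON, or JSON that is not an object
        return None
    return claims.get("sub") if claims.get("exp", 0) > now else None

class SessionStore:
    """Session-based: the client holds only an opaque random ID; the server keeps the mapping."""
    def __init__(self):
        self._sessions = {}
    def create(self, user: str, ttl: int, now: int) -> str:
        sid = secrets.token_urlsafe(32)          # unguessable identifier that carries no user data
        self._sessions[sid] = (user, now + ttl)
        return sid
    def lookup(self, sid: str, now: int):
        user, exp = self._sessions.get(sid, (None, 0))
        return user if exp > now else None
    def invalidate(self, sid: str) -> None:     # the server can cut a session off at any moment
        self._sessions.pop(sid, None)
```

Note the asymmetry the video describes: the session store can invalidate an ID the instant there is a security concern, while a JWT stays valid until its `exp` claim passes unless the server keeps extra state to reject it.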