Heads up! To view this whole video, sign in with your Courses account or enroll in your free 7-day trial. Sign In Enroll

Introduction to Application Security

Well done!

You have completed Introduction to Application Security!

Sign up for Treehouse Back to Library
Preview
Video Player
00:00
00:00
00:00
  1. 2x 2x
  2. 1.75x 1.75x
  3. 1.5x 1.5x
  4. 1.25x 1.25x
  5. 1.1x 1.1x
  6. 1x 1x
  7. 0.75x 0.75x
  8. 0.5x 0.5x
Use Up/Down Arrow keys to increase or decrease volume.

Authentication Strategies

5:42 with Alena Holligan and Jared Smith

Authenticating users to your web apps ensures that the wrong people don’t get access to your service. Without strong authentication and proper implementation strategies, your service could be compromised, which means anything from user data could be stolen to even permanent shutdown of the business or organization your web services support.

Now that we know that our communication has been secured, 0:00
we can discuss authentication and authorization methodologies. 0:03
In the world of secure web applications, proper authentication and 0:09
authorization are critical techniques you must master 0:13
in order to protect your systems and users data. 0:17
First, we'll walk through the steps and 0:22
mechanisms involved in authentication before moving on to authorization. 0:24
The first step in authentication is to 0:31
initialize the authentication mechanism itself. 0:33
This is the handshake that verifies with whom the serving is communicating. 0:38
This handshake can be accomplished in different ways. 0:43
Handshake number one, key based authentication, 0:48
such as a user name and password. 0:51
This can be in the form of any unique identifier, the user name, and 0:54
a client known secret, the password. 0:58
This gives you full control over the login process. 1:02
[SOUND] This is a completely valid process to use. 1:05
However, you now have the burden of keeping these details secure and 1:08
away from attackers that would expose those credentials and 1:13
publish them for the world to exploit. 1:17
We'll talk about some best practices in just a few minutes. 1:20
Handshake number two, OAuth. 1:25
Both OAuth 1.0 and OAuth 2.0 are advanced authentication protocols that are used by 1:28
many popular services such as Google, Facebook, Twitter, and GitHub. 1:34
A website will request authentication from this third party service. 1:40
Then the logged in user will verify that they wish to share those details 1:45
with this new site. 1:50
Handshake number three, single-sign-on. 1:51
Instead of being per site, the single-sign-on mechanism is often used in 1:55
enterprise environments to authenticate the same user on different portals or 2:00
organization sites over the same browser session. 2:06
In essence, the identification is passed from one application to another 2:10
without the user having to initialize anything manually. 2:16
This initialization step is technically the only step required for authentication. 2:20
HTTP basic authentication works by using only this step. 2:27
It sends the user name and password with each request. 2:31
This technique is most often used to grab data through a single request. 2:35
If you want to keep a user logged in throughout your site, 2:41
you'll also need to follow step two, which is to store the identification of that 2:44
user on the user's machine, most often referred to as the client. 2:49
Step two, store the identification. 2:55
There are two main ways to store the identification of the client browser, 2:59
sessions and tokens. 3:04
In session-based authentication, the server does all the heavy lifting. 3:06
After the client authentication from step one, 3:11
the server passes a unique identifier to the client. 3:15
This session ID is typically stored in a cookie and 3:19
attached to every subsequent request. 3:22
This session ID is just an identifier, and the server does everything else. 3:25
Associates the identifier with a user account. 3:31
Restricts or 3:34
limits this session to certain operations or a certain time period. 3:35
Invalidates this session if there are security concerns. 3:41
Logs the user's every move on the website. 3:44
I want to point out that sessions can be used to track website visitors without 3:48
authenticating them to a specific user. 3:53
In token-based authentication, no session is stored on a server. 3:57
After the client authentication from step one, the client receives a token. 4:02
This token not only provides a means to identify the client, but 4:07
it also stores additional user information. 4:11
Tokens can also be distributed to external applications 4:15
as a form of authentication across multiple domains. 4:19
Another advantage of using tokens is the ability to revoke tokens at any time, 4:23
and thus restricting access once more. 4:29
You should create a separate token for each application. 4:33
Tokens are used for both OAuth and single sign-on. 4:37
Additionally, you can use tokens even if you write your own authentication. 4:41
The most common implementation is through the use of JSON web tokens, or 4:46
JWT, pronounced jot. 4:51
A JWT is available for use by any language and 4:53
is covered in depth in other Treehouse courses. 4:57
Check the teacher's notes for more information. 5:00
The complexity of authentication is apparent. 5:03
We need to choose the right implementation strategy, the types of libraries we 5:06
will use, and how we will store the data we use for authentication. 5:11
If you're trying to quickly build an application and you don't want to worry 5:16
about the issues that come with storing user credentials, then using a third 5:20
party login service such as Facebook, Google, or GitHub is a great choice. 5:25
If you need to control the login process more in depth, 5:31
then it's completely fine to store your own credentials, but 5:35
you now have the burden of keeping those credentials secure. 5:39