This course will be retired on July 14, 2025.
Let's take a look at how authentication works and how we can combine key-based authentication and HTTP cookies to leverage a tried-and-true approach for implementing user authentication.
Authentication Handshake Options
Key-based authentication isn't the only authentication handshake option that's available.
OAuth/OAuth2/OpenID
Millions of users are now interacting with each other using social media services like Facebook and Twitter. Instead of asking users to create yet-another-profile, we can use Facebook and Twitter (and others) to authenticate users.
The benefits of this approach include:
- Increases the likelihood of users using your web app
- Users don't have to remember another set of credentials
- Relieves you from the responsibility of protecting a user's credentials
Single Sign-On (SSO)
Typically used by enterprises or medium to large companies, SSO lets users sign on once using their company credentials. These credentials are automatically passed to each authorized application so that users get access to a suite of applications without having to sign on to each individually.
For more information about authentication handshake options, see Treehouse's Introduction to Application Security course.
Cookies vs Tokens
Cookies are often compared to tokens, but this is like comparing apples to oranges.
JWTs (JSON Web Tokens), or tokens, are like session IDs: both are used to keep user state. And cookies are like headers: both can be used to transmit the JWT or session ID to the server with each request from the client. Sessions typically use cookies and JWTs typically use headers, but this isn't a requirement or rule.
ASP.NET Identity embraces this idea of separation between state and state persistence. When using Identity, state is represented by a token. The token format is proprietary but can be customized. State persistence can be done via cookies or headers, allowing you as the developer to choose whichever is most appropriate for your application.
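The separation between state and its transport, as an added example that is not from the course or from ASP.NET Identity: a framework-agnostic Python illustration in which one signed token is accepted whether it arrives in an `Authorization` header or in a cookie. The HMAC token format, the cookie name `auth` and the key are constructed assumptions, not Identity's proprietary format.

```python
import base64, hashlib, hmac, json, time
from http.cookies import SimpleCookie

SECRET = b"constructed-demo-key"  # assumption: demo key; load from a secret store in practice

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user, ttl=900):
    """State: a signed claim set (who, until when). Knows nothing about transport."""
    claims = {"sub": user, "exp": int(time.time()) + ttl}
    body = _b64(json.dumps(claims).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token):
    """Return the user name, or None if the token is forged, malformed or expired."""
    try:
        body, sig = token.split(".")
        expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):  # constant-time comparison
            return None
        claims = json.loads(_unb64(body))
        return claims["sub"] if claims["exp"] > time.time() else None
    except (ValueError, KeyError, TypeError):
        return None

def token_from_request(headers):
    """Transport: the same token may arrive in an Authorization header or a cookie."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):]
    jar = SimpleCookie(headers.get("Cookie", ""))
    return jar["auth"].value if "auth" in jar else None

def cookie_header(token):
    """Browsers attach cookies automatically, so cookie transport carries hardening flags."""
    return f"auth={token}; Path=/; HttpOnly; Secure; SameSite=Lax"

def authenticate(headers):
    token = token_from_request(headers)
    return verify_token(token) if token else None
```

Validation is identical on both paths. Only the cookie path needs the `HttpOnly`, `Secure` and `SameSite` attributes, because the browser sends cookies without the application's code being involved.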