Authentication basics

  • Difference between API and Application security
    • In the case of an API, authentication is performed on the user's behalf
    • In an application environment, it is the application that takes the credentials from the user and then acts on its own behalf. Basically, the user's authentication is delegated to the application.

OAuth 2

  • It is called a Delegated Authorization Protocol, since the user delegates their access to the application, which then acts on the user's behalf.
  • Actors

    • Users aka Resource Owner
    • Application aka Client
    • API aka Resource Server
    • Authorization Server
  • Bearer Token

    • Carries the security information and the user's access information.
    • It is sent in the Authorization header of the HTTPS request, just as Basic Authorization headers carry the username and password.

    • JWT - JSON Web Token

      • Essentially a token in JSON format that contains information about the user and their access. It is encoded (base64url), not encrypted.
      • It has three parts: Header, Payload and Signature
        • Header - contains meta information such as the algorithm used
        • Payload - has the user-related data (claims)
        • Signature - used to verify the validity of the token and to make sure it came from the trusted party
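To make the three-part structure and the signature check concrete, here is an added example (not part of the original notes) that builds an HS256 JWT from a header and payload, extracts it from a `Bearer` Authorization header, and verifies it the way a resource server would. The shared secret, the `alice` payload and the fixed clock value are constructed for the demo; the HMAC-SHA256 algorithm and base64url encoding follow the JWT/JWS specifications.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo values; a real resource server reads the key from a secret store.
SECRET = b"constructed-demo-secret-not-for-production"
NOW = 1_700_000_000  # fixed clock so the example is reproducible


def b64url_encode(data: bytes) -> str:
    # JWT segments use base64url without '=' padding (RFC 7515).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding the encoder stripped before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Serialize header and payload, then sign 'header.payload' with HMAC-SHA256."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now: int) -> Optional[dict]:
    """Return the payload if the signature is valid and the token is unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        presented = b64url_decode(s)
    except ValueError:  # bad base64 or bad JSON
        return None
    # The verifier decides which algorithm is acceptable; the header is untrusted input.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):  # constant-time comparison
        return None
    payload = json.loads(b64url_decode(p))
    if "exp" in payload and now >= payload["exp"]:
        return None
    return payload


def bearer_token_from_header(headers: dict) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>'; reject other schemes."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def demo() -> dict:
    """Issue a token, send it as a bearer header, and show which checks reject it."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": "alice", "scope": "read:profile", "exp": NOW + 300}
    token = sign_hs256(header, payload, SECRET)
    presented = bearer_token_from_header({"Authorization": f"Bearer {token}"})

    # Same signature, but a payload changed in transit: the HMAC no longer matches.
    h, _, s = token.split(".")
    altered = b64url_encode(json.dumps({**payload, "scope": "write:profile"},
                                       separators=(",", ":")).encode())
    tampered = f"{h}.{altered}.{s}"

    return {
        "valid": verify_hs256(presented, SECRET, NOW),
        "tampered": verify_hs256(tampered, SECRET, NOW),
        "expired": verify_hs256(presented, SECRET, NOW + 301),
        "wrong_key": verify_hs256(presented, b"some-other-key", NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>9}: {'accepted' if result else 'rejected'}")
```

The payload is readable by anyone who base64url-decodes it; only the signature check tells the resource server that the authorization server issued it and that nothing was altered, which is why the decoder above verifies before it trusts any claim.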