Introduction to Authentication

Objectives

  • Define one way password hashing

  • Define JSON Web Tokens (JWT)

One Way Hashing

Converting data into a fixed-length hash string.  The hash cannot be turned back into the original data; the only way to reproduce it is to hash the same input (and, for password hashes, the same salt) again.

Applicable for saving passwords on your server: store the hash, never the password itself, and use a slow, salted password hash such as bcrypt rather than a fast general-purpose hash like SHA-256.

One Way Hashing Example

  password  --bcrypt-->  $2a$10$9Mconplm8A780pY6iB2q.eBwkdldFbnz2tSH2uqHEi5B9KTpR3O8.

  The stored string carries everything needed to check a later login: "$2a$" is the bcrypt version, "10" is the cost factor (2^10 rounds), and the rest is the random salt followed by the hash.

Sign In (Authentication)

  Submitted:    password  --bcrypt, same salt-->  $2a$10$9Mconplm8A780pY6iB2q.eBwkdldFbnz2tSH2uqHEi5B9KTpR3O8.

  Saved in DB:                                     $2a$10$9Mconplm8A780pY6iB2q.eBwkdldFbnz2tSH2uqHEi5B9KTpR3O8.

  Equal?  The server re-hashes the submitted password with the salt taken from the stored string (bcrypt.compare does this for you) and accepts the login only if the two strings match.  The plain password is never stored and never compared directly.

Trouble With Passwords

Users do not want to enter their passwords on every page

We need some proof, sent along with each request, that the user logged in at some point in the past

JWT (JSON Web Token)

An open web standard (RFC 7519) for a compact, signed token that carries JSON claims

Header:     eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9          {"alg":"HS256","typ":"JWT"}

Payload:    eyJ1c2VySWQiOiIxMjM0In0                       {"userId":"1234"}

Signature:  kud-czcx6yOSSQgB0lKbibHNFmlAJwrV8iRQ1Ha-r-Q    HMAC-SHA256(header + "." + payload, secret)

The three base64url-encoded parts are joined with dots.  The header and payload are encoded, not encrypted: anyone holding the token can read the userId.  The signature is what matters: only a server that knows the secret can produce it, so a valid signature proves the payload was issued by that server and has not been altered since.

We can use JWTs as proof that you've logged in before

JWT Format

JWT (JSON Web Token)

Creating a token

Sending JWT To Server

HTTP Header, sent with every request that needs a signed-in user:

Authorization: Bearer <JWT>

The server verifies the signature (and any expiry claim) before it trusts the userId in the payload.

Authentication vs Authorization

Objectives

  • Differentiate authentication vs authorization

  • Define authorization

Authentication IS NOT Authorization

Just because you are signed in, it does not mean you are authorized to take every action in the application

Authentication is verifying who you are

Authorization

Verifying that a user has the permission to take a specific action

Example:

POST /users/1234/messages

Authorization: Bearer <JWT>

{ "text": "userId in token should match route" }

Only user 1234 should be allowed: the userId in the verified token must equal the 1234 in the route.  Any other signed-in user gets 403 Forbidden; a request with no valid token gets 401 Unauthorized.
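The route check above, as an added example that is not code from the slides or from Warbler: an Express-style handler for POST /users/:userId/messages, shown first as it is often written (authentication only) and then with the authorization check. It assumes req.user holds the claims an authentication middleware already verified from the Bearer token; the request objects, the message store and the function names are constructed for the demo.

```javascript
// Added example, not code from the slides or from Warbler: an Express-style
// handler for POST /users/:userId/messages. `req.user` is assumed to be the
// claims an authentication middleware already verified from the Bearer token;
// the request objects and the message store are constructed for the demo.

// BROKEN: only checks that *someone* is signed in (authentication), then
// trusts the userId in the URL. Any signed-in user can post as user 1234.
function postMessageUnchecked(req, store) {
  if (!req.user) return { status: 401, body: { error: 'sign in required' } };
  const message = { userId: req.params.userId, text: req.body.text };
  store.push(message);
  return { status: 201, body: message };
}

// FIXED: authentication (401) and authorization (403) are distinct checks,
// and the saved record is keyed by the identity in the token, not the URL.
function postMessage(req, store) {
  if (!req.user) return { status: 401, body: { error: 'sign in required' } };
  if (req.user.userId !== req.params.userId) {
    return { status: 403, body: { error: 'you may only post your own messages' } };
  }
  if (typeof req.body.text !== 'string' || req.body.text.length === 0) {
    return { status: 400, body: { error: 'text is required' } };
  }
  const message = { userId: req.user.userId, text: req.body.text };
  store.push(message);
  return { status: 201, body: message };
}

// Constructed requests: a token for user 5678 trying to post into 1234's messages.
function demo() {
  const asOther = { user: { userId: '5678' }, params: { userId: '1234' }, body: { text: 'hi' } };
  const asOwner = { user: { userId: '1234' }, params: { userId: '1234' }, body: { text: 'hi' } };
  const anon    = { user: null,               params: { userId: '1234' }, body: { text: 'hi' } };
  return {
    unchecked: postMessageUnchecked(asOther, []).status,  // 201: the bug, 5678 posts as 1234
    forbidden: postMessage(asOther, []).status,           // 403: signed in, not authorized
    unauthenticated: postMessage(anon, []).status,        // 401: not signed in at all
    allowed: postMessage(asOwner, []).status,             // 201: token matches route
  };
}
console.log(demo());
```

The identity used for the check and for the saved record comes from the verified token, never from anything the client can type into the URL or body.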

Your Turn

Warbler Messaging Final Project

Authentication in Warbler