Notes

• Authentication in Golang with JWTs
• Cookies vs Tokens: The Definitive Guide
• The Ins and Outs of Token Based Authentication | Scotch
• Enterprise APIs and OAuth: Have it All
• Secure your users’ passwords from the browser on

Authentication Protocols

• Basic access authentication - Wikiwand
• Digest access authentication - Wikiwand

• Secure Remote Password protocol - Wikiwand

• Anatomy of a zero-knowledge web application - Clipperz, register your creations on the blockchain

Access-Control-Allow-Origin: * does not allow requests to supply credentials like HTTP authentication, client-side SSL certificates, or cookies. ?

Server Based

Server generates session token and send to client via cookie. The session token acts as a bearer token and is used to look up login/session info in memory or datastore.

• On Securing Web Session Ids | hueniverse
• expressjs/session: Simple session middleware for Express

Asymmetric Key

• BrowserAuth.net using asymmetric-key for web

• substack/trust-log: manage trust over time

• mafintosh/ghsign: Sign/verify data using your local ssh private key and your public key from Github

Token Based

“Server Based” and “Token Based” could be a misnomer. Some articles says server-based auth bind a client to a specific server but this is not actually true. We can setup a in-memory datastore shared by a bunch of app servers to look up the token upon a client request. And tokens in token-based auth may as well be stored in cookies. It’s just that all session info are embedded in the token in token-based auth.

• The Ins and Outs of Token Based Authentication | Scotch
• Best practices for token-based authentication in REST API - Google Groups.desktop
• Token Based Authentication for Single Page Apps (SPAs) - Stormpath User Management API
• Token-Based Authentication With AngularJS & NodeJS - Tuts+ Code Tutorial
• Cookies are bad for you: Improving web application security - sitr.us
• Cookies vs Tokens. Getting auth right with Angular.JS
• 10 Things You Should Know about Tokens
• Stop using JWT for sessions - joepie91’s Ramblings
• Stop using JWT for sessions, part 2: Why your solution doesn’t work - joepie91’s Ramblings
• A Token Walks into a SPA - YouTube
• hapijs/hapi-auth-cookie: Cookie authentication plugin is actually a token based authentication
• roblevintennis-passport-api-tokens · GitHub
• Goodbye Short Sessions: a proposal for using service-workers to improve cookie management on the web | Web Updates - Google Developers

There are three ways to send your access token in a request.

• In an HTTP Authorization header (always works)
• In the URL query string (only works with GET requests)
• In the request body (only works for POST & PUT when body is URL-encoded)

Bearer token clients

• angular-token-auth/auth.client.js at master · auth0-blog/angular-token-auth
• talis/bearhug-angular: Response interceptor for elegant bearer-token handling for angular’s $http service
• AuthorizationServer/callback.cshtml at master · IdentityModel/AuthorizationServer
• sahat/satellizer: Token-based AngularJS Authentication

Questions

Token based auth allows for RBAC (Role-Based Access Control), but other method can support RBAC as well (with a session lookup)

replay attack with bearer token OAuth 2.0 (without Signatures) is Bad for the Web | hueniverse - OAuth Bearer Tokens are a Terrible Idea | hueniverse - auth0/node-auth0: Node.js client library for the Auth0 platform. - node-auth0/examples/nodejs-regular-webapp at master · auth0/node-auth0 - node-auth0/examples/nodejs-api at master · auth0/node-auth0 - auth0/cookie-jwt-auth why store back to cookie? - auth0/spa-jwt-authentication-tutorial - JavaScript - Adding authentication to your React Flux app - repo - Critical vulnerabilities in JSON Web Token libraries

vs OAuth

OAuth vs JWT vs OpenID OAuth2 token is opaque, JWT can be used JWT: 2 years later - OAuth 2 VS JSON Web Tokens: How to secure an API - Seedbox Technologies | Les Technologies Seedbox - 谈谈OAuth1,OAuth2异同 | Litten的博客 - 兔子，胡萝卜与OAuth的故事 | Litten的博客

Single Sing On (SSO)

• Implement Single Sign On Authentication

• Lock: Single Sign On & Token Based Authentication - Auth0

• auth0/lock - CSS

• auth0/lock-passwordless

OAuth1

• The OAuth Bible
• OAuth | hueniverse

• 1.0 RFC 5849 - The OAuth 1.0 Protocol

• OAuth and OAuth WRAP: defeating the password anti-pattern | Ars Technica Deprecated for 2.0

OAuth2

• OAuth - Wikiwand
• The OAuth Bible
• OAuth / FrontPage
• OAuth Community Site
• RFC 6749 - The OAuth 2.0 Authorization Framework
• RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage
• Egor Homakov: OAuth2: One access_token To Rule Them All
• OpenID | hueniverse
• OAuth | hueniverse
• Designing a Secure REST (Web) API without OAuth
• upload client public key (securely) to server (kind of like passwordless SSH)
• dogeared/OZorkAuth

In the Wild

• OAuth | GitHub Developer Guide
• Using OAuth 2.0 to Access Google APIs | Google Identity Platform | Google Developers
• Using OAuth 2.0 for Google APIs | 9bit Studios

boo OAuth2

• RealtimeConf - “OAuth 2.0 - Looking Back and Moving On” by Eran Hammer on Vimeo
• OAuth 2.0 and the Road to Hell | hueniverse
• On Leaving OAuth | hueniverse
• The problem with OAuth for Authentication. | Thread Safe

Libraries

• prose-gatekeeper · GitHub passport hapi-bell

And much more…

JWT

• JWT is the spec for how a non-opaque token should be created. This allows token receiver to parse the token and receive meta without database query.
• JSON Web Token - Wikiwand
• RFC 7515 - JSON Web Signature (JWS)
• RFC 7516 - JSON Web Encryption (JWE)
• RFC 7517 - JSON Web Key (JWK)
• RFC 7518 - JSON Web Algorithms (JWA)
• RFC 7519 - JSON Web Token (JWT)
• RFC 7520 - JOSE Cookbook

JWT = header.claim.signature

var myHeaders = {
    "alg": "HS256", //denotes the algorithm (shorthand alg) used for the  signature is HMAC SHA-256
    "typ": "JWT" //denotes the type (shorthand typ) of token this is
}

var myClaims = {
    "sub": "tom@stormpath.com",
    "name": "Tom Abbott",
    "role": "user"
}

var headers = base64URLencode(myHeaders);
var claims = base64URLencode(myClaims);
var payload = header + "." + claims;

var signature = base64URLencode(HMACSHA256(payload, secret));

var encodedJWT = payload + "." + signature;

• MNUG 2014.08.13 - Lightning talk: JWT: JSON Web Token - YouTube

• Introduction to JWT (JSON Web Token) - Securing apps & services - YouTube

• NodeJS Tutorial | APIs Strike Back: The Rise of JSON Web Tokens - YouTube

Demo with Express

• Using JSON Web Tokens as API Keys
• Blacklisting JSON Web Token API Keys
• Refresh Tokens
• auth0/node-jsonwebtoken
• auth0/nginx-jwt
• auth0/jwt-as-api-keys

• JSON Web Token Tutorial: Example using AngularJS & Laravel | Toptal JWT primer, comparison with server based authentication ttkalec/laravel5-angular-jwt: Simple Laravel 5/Angular app that shows how to use the most basic JWT authentication

• dwyl/learn-json-web-tokens

• The Anatomy of a JSON Web Token | Scotch

• Authenticate a Node.js API with JSON Web Tokens | Scotch

• Authentication with Node.js, JWTs, and Oracle Database | JavaScript and Oracle

• Securing node.js RESTful services with JWT Tokens | Richard Astbury’s Blog

• Use JWT The Right Way! - Stormpath User Management API

JWT primer, tips for security

• Build Secure User Interfaces Using JSON Web Tokens (JWTs) - Stormpath User Management API

• Using Stormpath for OAuth 2.0 and Access/Refresh Token Management - Stormpath

• Where to Store your JWTs - Cookies vs HTML5 Web Storage - Stormpath User Identity API JWT primer, tips for storage and CSURF Conclusion: Store the JWT in HttpOnly; Secure cookie. Add xsrfToken to JWT for CSURF protection.

Oz

• Auth to See the Wizard | hueniverse
• hueniverse/oz: Web Authorization Protocol
• hueniverse/hawk
• What’s Hawk and how to use it?
• geek/OAuth
• geek/oz: Web Authorization Protocol