Security
Digital Signatures
Authentication
Authentication is the process of answering the question "Who are you?": determining whether someone or something is, in fact, who or what it declares itself to be. Its goal is to establish the identity of the user or system requesting access to a resource before any decision about that access is made.
Storing Passwords Securely
Multi-Factor Authentication
OAuth2
OAuth 2.0 is an authorization framework that is defined in RFC 6749. Its main goal is to allow a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner or by allowing the third-party application to obtain access on its own behalf.
To explain OAuth2, let's take an example. Imagine an application that analyzes a user's tweets and predicts the user's personality. To do that, it needs to read the user's tweets, and it cannot simply call the Twitter API: the API only serves requests that carry a token proving the user allowed this application to read them. OAuth2 is the mechanism for obtaining that permission. It defines the messages and parameters a client uses to obtain an access token and to present it to a protected resource. Your application first checks its own database for an existing token for this user. If there is none, it redirects the user to Twitter's authorization endpoint; this is the first step of the flow. After the user logs in to Twitter, Twitter asks whether the user wants to let your application read their tweets. If the user accepts, Twitter redirects the user back to your application with a short-lived authorization code, which your application exchanges for an access token and then presents to the Twitter API on each request.
This is a rough sketch of one OAuth2 flow. There are different flows (grant types) for different use cases. In this book, we will cover the most common ones: the Authorization Code Flow, the Client Credentials Flow and the Device Authorization Flow. We will not cover the Implicit Flow and the Resource Owner Password Credentials Flow, because the OAuth 2.0 Security Best Current Practice (RFC 9700) recommends against using them.
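The flow sketched above, worked through as an added example (it is not code from this book, Twitter, or any OAuth2 library). Both sides are simulated in one process so it runs offline: the client builds the authorization request with a `state` value and a PKCE verifier/challenge pair, the authorization server checks the registered `redirect_uri`, records the challenge and issues a single-use code, and the client exchanges that code for a token only after confirming the `state` it receives matches a login attempt it actually started. The endpoint URLs, the client registration `tweet-analyzer`, the scope name and the user `alice` are made up for the illustration.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints and client registration for this walk-through.
AUTHZ_ENDPOINT = "https://authz.example/oauth2/authorize"
REDIRECT_URI = "https://client.example/callback"
CLIENT_ID = "tweet-analyzer"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, S256 code_challenge). 32 random bytes give a 43-char verifier."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def _query(url: str) -> dict[str, str]:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class Client:
    """The third-party app: it never sees the user's password, only a code and a token."""

    def __init__(self, client_id: str):
        self.client_id = client_id
        self.pending: dict[str, str] = {}  # state -> code_verifier, one entry per login attempt

    def build_authorization_url(self, scope: str) -> str:
        state = b64url(secrets.token_bytes(16))  # unguessable; ties the callback to this attempt
        verifier, challenge = make_pkce_pair()
        self.pending[state] = verifier
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": REDIRECT_URI, "scope": scope, "state": state,
                  "code_challenge": challenge, "code_challenge_method": "S256"}
        return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"

    def handle_callback(self, callback_url: str, server: "AuthorizationServer") -> dict:
        q = _query(callback_url)
        verifier = self.pending.pop(q.get("state", ""), None)
        if verifier is None:
            raise ValueError("unknown state: this callback was not started by us (login CSRF?)")
        if "error" in q:
            raise ValueError(f"authorization failed: {q['error']}")
        # Back-channel request to the token endpoint; the verifier proves we began this flow.
        return server.token(grant_type="authorization_code", code=q.get("code", ""),
                            redirect_uri=REDIRECT_URI, client_id=self.client_id,
                            code_verifier=verifier)


class AuthorizationServer:
    """Twitter's side in the running example, reduced to what the flow needs."""

    def __init__(self, registered: dict[str, str]):
        self.registered = registered      # client_id -> exact registered redirect_uri
        self.codes: dict[str, dict] = {}  # outstanding single-use authorization codes

    def authorize(self, request_url: str, user_approves: bool = True) -> str:
        """The user has logged in and seen the consent screen; return the redirect back to the client."""
        q = _query(request_url)
        if self.registered.get(q.get("client_id")) != q.get("redirect_uri"):
            raise ValueError("redirect_uri is not registered for this client")  # exact match only
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
            raise ValueError("only the authorization code grant with S256 PKCE is accepted")
        if not user_approves:
            return f"{q['redirect_uri']}?{urlencode({'error': 'access_denied', 'state': q['state']})}"
        code = b64url(secrets.token_bytes(24))
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "challenge": q["code_challenge"], "scope": q["scope"], "user": "alice"}
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, **req) -> dict:
        record = self.codes.pop(req.get("code", ""), None)  # pop: a replayed code is rejected
        if record is None:
            raise ValueError("invalid, expired or already-used authorization code")
        if record["client_id"] != req.get("client_id") or record["redirect_uri"] != req.get("redirect_uri"):
            raise ValueError("code was issued to a different client or redirect_uri")
        expected = b64url(hashlib.sha256(req.get("code_verifier", "").encode("ascii")).digest())
        if not secrets.compare_digest(expected, record["challenge"]):
            raise ValueError("PKCE verification failed: stolen code or tampered request")
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer",
                "expires_in": 3600, "scope": record["scope"]}


def run_flow(user_approves: bool = True) -> dict:
    """Drive the three legs of the flow end to end and return the token response."""
    server = AuthorizationServer({CLIENT_ID: REDIRECT_URI})
    client = Client(CLIENT_ID)
    consent_url = client.build_authorization_url("tweet.read")  # 1: front-channel redirect
    callback = server.authorize(consent_url, user_approves)      # 2: login and consent at Twitter
    return client.handle_callback(callback, server)              # 3: back-channel code exchange
```

The three checks that matter are easy to spot: the server compares `redirect_uri` for an exact match against the registration, so a code is never sent to an attacker-chosen URL; the client refuses any callback whose `state` it did not issue, so an attacker cannot log the victim into the attacker's account; and the code is popped on first use and bound to the PKCE verifier, so a code intercepted from the redirect is useless to anyone who did not start the request.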
Let's begin with the OAuth2 roles:
- Resource Owner: An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.
- Resource Server: The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
- Client: An application making protected resource requests on behalf of the resource owner and with its authorization (e.g., a third-party application). There are two types of clients:
  - Confidential: Clients capable of keeping their credentials (e.g., the client secret) confidential, such as a web application whose OAuth2 logic runs on a server.
  - Public: Clients incapable of keeping a credential confidential, such as a single-page application running in the browser or a native mobile app. Anything shipped to the user can be extracted, so these clients are identified by their client ID alone (the client ID is not a secret) and rely on PKCE rather than a client secret.
- Authorization Server: The server that issues access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
In the example above, the resource owner is the user, the resource server is the Twitter API, the client is your application and the authorization server is Twitter's authorization server. Let's look at the different flows of OAuth2.
Authorization Code Flow (Recommended)
Authorization Code Flow with PKCE
Client Credentials Flow
Device Authorization Flow
Refresh Tokens
OAuth2 for Authentication
Today OAuth2 is used not only for delegated authorization but also for authentication. This is a common misuse: OAuth2 is not an authentication protocol. It is an authorization protocol that focuses on resource access and delegated authorization. An access token tells the resource server that its bearer may access a resource; it says nothing about which user is holding it or which client it was issued to, so a client that treats "I obtained an access token" as "this user has logged in" can be fooled by a token obtained elsewhere. OpenID Connect, covered next, adds the missing pieces.
OpenID Connect
Authorization
Authorization is the process of answering the question "What are you allowed to do?". It determines whether a user or system has the necessary permissions to access a resource or perform a specific action. The authorization process starts after the authentication process: once the user or system is authenticated, authorization determines what actions that user or system is allowed to perform.
Authorization can be a very complex process. To make everything clearer, let's begin by defining some fundamental terms.