Authentication

From BC$ MobileTV Wiki

Authentication is the verification of user credentials to ensure that a party claiming a certain identity is authentic (i.e. the person or organization is who they say they are).


Specifications

Web3 Tokens

[1] [2] [3] [4] [5] [6] [7] [8] [9]


JWT

JSON Web Tokens (JWT).

[10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] [21] [22] [23] [24] [25] [26] [27] [28] [29] [30] [31] [32] [33] [34] [35] [36] [37] [38] [39] [40] [41] [42] [43] [44] [45] [46] [47] [48] [49] [50] [51] [52] [53]

OpenID


WebAuthn

Web Authentication (WebAuthn) is a web standard published by the W3C and is a core component of the FIDO2 Project under the guidance of the FIDO Alliance. The goal of the project is to standardize an interface for authenticating users to web-based applications and services using public-key cryptography.

[55] [56] [57] [58] [59] [60] [61]


WebFinger

[62] [63] [64] [65]


WebID

[66] [67]


Kerberos

[68] [69] [70] [71]

SIP

Social Login

BASIC

[79]

DIGEST

HTTP Digest authentication is a step up from Basic authentication, both in the level of protection it offers and in its complexity. The following is an example "Digest authentication" HTTP header:

WWW-Authenticate: Digest realm="digest realm", qop="auth", nonce="1415713971682:2ffba5083baf438b90d2986cc77ae793", opaque="C4DAF43F253C0AFA5F006908F5595C8F"
  • Digest Authentication walkthrough:

[80] [81] [82] [83] [84]
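To show the exchange that the challenge header above starts, here is an added example (not code from the wiki or from any of the linked references) that parses that challenge, builds the client's Authorization header with the RFC 2617 qop=auth computation, and verifies it on the server side against a stored HA1 while rejecting replayed nonce-counts. The username, password and cnonce are constructed values.

```python
import hashlib
import hmac
import re
# Constructed challenge carrying the realm, nonce and opaque values quoted above.
CHALLENGE = ('Digest realm="digest realm", qop="auth", '
             'nonce="1415713971682:2ffba5083baf438b90d2986cc77ae793", '
             'opaque="C4DAF43F253C0AFA5F006908F5595C8F"')
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')  # quoted or bare auth-param values
md5hex = lambda s: hashlib.md5(s.encode()).hexdigest()

def parse_digest(header):
    """Split a 'Digest ...' challenge or credentials header into its parameters."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {k: quoted if quoted else bare for k, quoted, bare in _PARAM.findall(params)}

def ha1(username, realm, password):
    """HA1 = MD5(username:realm:password); the server stores this, never the password."""
    return md5hex(f"{username}:{realm}:{password}")

def digest_response(h1, nonce, nc, cnonce, method, uri):
    """qop=auth response: MD5(HA1:nonce:nc:cnonce:auth:HA2) with HA2 = MD5(method:uri)."""
    h2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{h2}")

def build_authorization(challenge, username, password, method, uri, cnonce, nc="00000001"):
    """Client side: answer the challenge with an Authorization header (cnonce is constructed)."""
    p = parse_digest(challenge)
    resp = digest_response(ha1(username, p["realm"], password), p["nonce"], nc, cnonce, method, uri)
    quoted = [("username", username), ("realm", p["realm"]), ("nonce", p["nonce"]), ("uri", uri),
              ("cnonce", cnonce), ("response", resp), ("opaque", p["opaque"])]
    return "Digest " + ", ".join([f'{k}="{v}"' for k, v in quoted] + [f"qop=auth, nc={nc}"])

def verify_authorization(authorization, method, ha1_lookup, nonce_counts):
    """Server side: recompute from stored HA1, compare in constant time; nonce_counts maps each issued nonce to the highest nc accepted."""
    p = parse_digest(authorization)
    h1 = ha1_lookup(p.get("username"), p.get("realm"))
    if h1 is None or p.get("qop") != "auth" or p.get("nonce") not in nonce_counts:
        return False
    nc = int(p.get("nc", "0"), 16)
    if nc <= nonce_counts[p["nonce"]]:
        return False  # same or older nonce-count for this nonce: a replayed request
    good = digest_response(h1, p["nonce"], p.get("nc", ""), p.get("cnonce", ""), method, p.get("uri", ""))
    if not hmac.compare_digest(good, p.get("response", "")):
        return False
    nonce_counts[p["nonce"]] = nc
    return True
```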

Tools


Resources

[85]


Tutorial


External Links


References

  1. Web3.js -- "Ethereum Blockchain Developer" crash course: https://www.dappuniversity.com/articles/web3-js-intro | PLAYLIST
  2. Web3 Token is a new way to authenticate users in a hybrid dApps using signed messages (code examples in JS): https://reposhub.com/javascript/misc/bytesbay-web3-token.html
  3. You don’t need JWT anymore: https://medium.com/@bytesbay/you-dont-need-jwt-anymore-974aa6196976
  4. How to send ERC20 token using Web3 API?: https://ethereum.stackexchange.com/questions/24828/how-to-send-erc20-token-using-web3-api
  5. Get total amount of tokens received from a specific address using Web3.js: https://stackoverflow.com/questions/69602206/get-total-amount-of-tokens-received-from-a-specific-address-using-web3-js
  6. Web3.js integration example to Theta Blockchain: https://docs.thetatoken.org/docs/web3-stack-web3js
  7. Web3 wallet XDEFI unveils utility token as it sets sights on Metamask: https://coinrivet.com/web3-wallet-xdefi-unveils-utility-token-as-it-sets-sights-on-metamask/
  8. Web3 Token origins -- BitTorrent & BTT explained: https://academy.aaxspace.com/en/web3-tokens-bittorrent-btt-explained/
  9. The Top Web3 Projects To Watch: https://academy.aaxspace.com/en/the-top-web3-projects-to-watch/
  10. The JSON Web Token Toolkit: https://github.com/ticarpi/jwt_tool (useful for testing, tweaking and cracking JSON Web Tokens)
  11. JWT Attack Playbook: https://github.com/ticarpi/jwt_tool/wiki
  12. Critical vulnerabilities in JSON Web Token libraries: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
  13. JWT pentesting, API discovery, the present and future of OpenAPI: https://apisecurity.io/issue-88-jwt-pentesting-api-discovery-present-future-openapi/?utm_campaign=APISecurity newsletter&utm_medium=email&_hsmi=89744566&_hsenc=p2ANqtz-8O2HJjAvf2hHEilaDiVbDQ0kDJnbUde9RRYORelqLC2KG04GyjWx_-AXZQxFz83x0WbFnKCVks7xxDqhL7OqQjKLMqkA&utm_content=89743832&utm_source=hs_email
  14. 5 Easy Steps to Understanding JSON Web Tokens (JWT): https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec
  15. Using JWT to Secure a Stateless API World: https://dzone.com/articles/using-jwt-to-secure-a-stateless-api-world
  16. Stop Using JWTs as Session Tokens: https://dzone.com/articles/stop-using-jwts-as-session-tokens
  17. Using Postman for JWT Authentication on Adobe I/O: https://medium.com/adobe-io/using-postman-for-jwt-authentication-on-adobe-i-o-7573428ffe7f
  18. JWT Use Cases: https://medium.com/@robert.broeckelmann/jwt-use-cases-bb94e4e70949
  19. Blacklisting JSON Web Token API Keys: https://auth0.com/blog/blacklist-json-web-token-api-keys/
  20. Should JWT be stored in localStorage or cookie?: https://stackoverflow.com/questions/34817617/should-jwt-be-stored-in-localstorage-or-cookie (neither, for best security: keep the access JWT in memory only and store a refresh-session JWT in an "HttpOnly"-flagged cookie for persistence)
  21. Where to Store your JWTs – Cookies vs HTML5 Web Storage: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
  22. Is it safe to store a JWT in sessionStorage?: https://security.stackexchange.com/questions/179498/is-it-safe-to-store-a-jwt-in-sessionstorage
  23. The Ultimate Guide to handling JWTs on frontend clients (GraphQL): https://hasura.io/blog/best-practices-of-using-jwt-with-graphql/
  24. Sending JWT with Service Clients: http://docs.servicestack.net/jwt-authprovider#sending-jwt-with-service-clients
  25. JWT tokens & security – working principles and use cases: https://www.vaadata.com/blog/jwt-tokens-and-security-working-principles-and-use-cases/
  26. Another Round of JWT.io and JWT Debugger Extension Updates: https://auth0.com/blog/more-jwt-io-and-jwt-debugger-extension-updates/
  27. A Look at The Draft for JWT Best Current Practices: https://auth0.com/blog/a-look-at-the-latest-draft-for-jwt-bcp/
  28. JSON WEB TOKEN (JWT) explained: https://flaviocopes.com/jwt/
  29. What is a JSON Web Token (and how is it better than Cookies) - visual explanation?: https://robmclarty.com/blog/what-is-a-json-web-token
  30. Hacking JSON Web Token Signature: https://github.com/onsecru/jwt-hacking-challenges
  31. How JSON Web Token (JWT) Secures Your API: https://dzone.com/articles/how-json-web-token-jwt-secures-your-api (how you can secure an API using JSON Web Tokens)
  32. Add Secure Token Authentication (JWTs) to Your Java App: https://dzone.com/articles/add-secure-token-authentication-to-your-java-app
  33. Secure JAX-RS APIs With Eclipse MicroProfile JSON Web Token: https://www.eclipse.org/community/eclipse_newsletter/2020/august/2.php
  34. Json Web Token -- How to Secure a Spring Boot REST API: https://dzone.com/articles/json-web-token-how-to-secure-spring-boot-rest-api
  35. Spring Boot Security + JWT Hello World Example: https://dzone.com/articles/spring-boot-security-json-web-tokenjwt-hello-world
  36. How to Best Leverage JWTs for API Security: https://www.youtube.com/watch?v=Eq-LiFJbvXo
  37. AppSec California 2020 conference -- Are You Properly Using JWTs? (by Dmitry Sotnikov): https://www.youtube.com/watch?v=M3jA0bGDCso
  38. PenTest Academy -- Hacking JWT Tokens - Blind SQLi: https://blog.pentesteracademy.com/hacking-jwt-tokens-blind-sqli-efa2799f0e95
  39. Burp Suite -- plugins - JSON Web Token Attacker: https://portswigger.net/bappstore/82d6c60490b540369d6d5d01822bdf61
  40. Base64 -- "java.lang.IllegalArgumentException: Illegal character" when encoding/decoding JWTs: https://stackoverflow.com/questions/28584080/base64-java-lang-illegalargumentexception-illegal-character
  41. Illegal base64 character 5f, Illegal base64 character 2d and java.util.Base64: https://adam-bien.com/roller/abien/entry/illegal_base64_character_5f_illegal
  42. Decode Base64 data in Java: https://stackoverflow.com/questions/469695/decode-base64-data-in-java
  43. JSON Web Token (JWT) -- Authorization vs Authentication: https://stackoverflow.com/questions/48386407/json-web-token-jwt-authorization-vs-authentication (includes example for handling "permissions list" in JWT)
  44. JSON Web Token(JWT) vs Opaque Token: https://medium.com/@piyumimdasanayaka/json-web-token-jwt-vs-opaque-token-984791a3e715
  45. JSON Web Token -- 8 Easy Steps to Understand and Implement JWT: https://www.bemyaficionado.com/json-web-token/ | SRC
  46. 7 Ways to Avoid JWT Security Pitfalls: https://42crunch.com/7-ways-to-avoid-jwt-pitfalls/
  47. The hard parts of JWT security nobody talks about: https://pragmaticwebsecurity.com/articles/apisecurity/hard-parts-of-jwt.html
  48. Creating a JWT Authentication Web API in 5 Minutes: https://dzone.com/articles/creating-a-jwt-authentication-web-api-in-5-minutes
  49. Delegating JWT Validation for Greater Flexibility: https://dzone.com/articles/delegating-jwt-validation-for-greater-flexibility
  50. Safely Handling JWTs: https://dev.to/oneadvanced/safely-handling-jwts-5d49
  51. How to Use JWT Securely: https://dzone.com/articles/how-to-use-jwt-securely (Java examples)
  52. Stop Using JSON Web Tokens For Authentication - Use Stateful Sessions Instead: https://betterprogramming.pub/stop-using-json-web-tokens-for-authentication-use-stateful-sessions-instead-c0a803931a5d
  53. Deep dive into self-contained tokens and JWTs (VIDEO): https://www.youtube.com/watch?v=O3G1pigc3zQ (by Neil Madden, author of the book "API Security in Action")
  54. Web Authentication in Firefox for Android: https://blog.mozilla.org/security/2019/08/05/web-authentication-in-firefox-for-android/
  55. wikipedia: WebAuthn
  56. What is WebAuthn?: https://www.okta.com/blog/2019/03/what-is-webauthn/
  57. Introduction to WebAuthn API: https://medium.com/@herrjemand/introduction-to-webauthn-api-5fd1fb46c285
  58. Practical passwordless authentication comes a step closer with WebAuthn: https://arstechnica.com/gadgets/2018/04/practical-passwordless-authentication-comes-a-step-closer-with-webauthn/
  59. Microsoft support for WebAuthn: https://github.com/Microsoft/webauthn/
  60. Yubico Security Key support for WebAuthn: https://www.yubico.com/authentication-standards/webauthn/
  61. Okta help center -- docs on support for FIDO2 Web Authentication (WebAuthn): https://help.okta.com/en/prod/Content/Topics/Security/mfa-webauthn.htm
  62. wikipedia: WebFinger
  63. What is WebFinger, and why is it used?: https://docs.joinmastodon.org/spec/webfinger/
  64. Okta developer -- API docs - WebFinger: https://developer.okta.com/docs/reference/api/webfinger/
  65. WebFinger overview & example: https://www.packetizer.com/ws/webfinger/
  66. wikipedia: WebID
  67. W3C -- Foaf+ssl: https://www.w3.org/wiki/Foaf%2Bssl
  68. wikipedia: Kerberos (protocol)
  69. Microsoft -- Kerberos Authentication - support overview: https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview
  70. Kerberos overview: https://www.geeksforgeeks.org/kerberos/
  71. What Is Kerberos, How Does It Work, and What Is It Used For?: https://www.simplilearn.com/what-is-kerberos-article
  72. Social Login with Facebook and Twitter: https://helpx.adobe.com/experience-manager/6-5/communities/using/social-login.html
  73. Login with Google Account using PHP: https://www.codexworld.com/login-with-google-api-using-php/
  74. Login with Facebook using PHP: https://www.codexworld.com/login-with-facebook-using-php/
  75. Login with Twitter using PHP: https://www.codexworld.com/login-with-twitter-using-php/
  76. Twitter external sign-in setup with ASP.NET Core: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/twitter-logins?view=aspnetcore-2.2
  77. Add Microsoft Account Login to Your App: https://auth0.com/docs/connections/social/microsoft-account
  78. Apple Developer Sign-In Button Instructions Raising Eyebrows: https://www.mediapost.com/publications/article/336656/apple-developer-sign-in-button-instructions-raisin.html
  79. lighttpd Web Server on a Raspberry Pi using mod_auth: https://jacobsalmela.com/2014/05/25/password-protect-a-lighttpd-web-server-on-a-raspberry-pi-using-mod-auth/
  80. Hacking Web Authentication – Part 1: https://resources.infosecinstitute.com/authentication-hacking-pt1/
  81. Hacking Web Authentication – Part 2: https://resources.infosecinstitute.com/hacking-web-authentication-part-2/
  82. What is Digest Authentication?: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc778868(v=ws.10)?redirectedfrom=MSDN
  83. IIS - configure Digest Authentication: https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/digestauthentication
  84. WDigest -- Clear-Text Passwords in Memory FIX: https://www.wilbursecurity.com/2017/10/wdigest-clear-text-passwords/
  85. 6 JavaScript User Authentication Libraries for 2019: https://blog.bitsrc.io/6-javascript-user-authentication-libraries-for-2019-6c7c45fbe458
  86. PHP Docs -- HTTP Authentication: http://www.php.net/manual/en/features.http-auth.php
  87. HTTP Basic Authentication PHP: https://www.techflirt.com/http-basic-authentication-php#apache-mod-cgi-basic-auth
  88. Oracle -- Database-Based Authentication for PHP Apps, Part 1: http://www.oracle.com/technology/pub/articles/mclaughlin-phpid1.html
  89. Google unveils 5yr Roadmap for strong Authentication: http://www.zdnet.com/google-unveils-5-year-roadmap-for-strong-authentication-7000015147/

See Also

OpenID | SSO | Cookies | JWT | Authorization | Passwords