Authentication

Authentication is the verification of user credentials, to ensure that a party claiming a certain identity is authentic (i.e. the person or organization IS who they say they are).

Specifications

Web3 Tokens

• Web3 Tokens: https://github.com/bytesbay/web3-token
• Web3.js: https://github.com/ChainSafe/web3.js | NPM

^{[1] [2] [3] [4] [5] [6] [7] [8] [9]}

JWT

JSON Web Tokens (JWT).

• IETF -- RFC-7519 - JSON Web Token (JWT) spec: https://tools.ietf.org/html/rfc7519
• wikipedia: JSON_Web_Token#Standard_fields
• JWT debugger tool: https://jwt.io/
• The Anatomy of a JSON Web Token: http://scotch.io/tutorials/the-anatomy-of-a-json-web-token
• JSON Web Token -- Security for Applications: http://dzone.com/articles/json-web-token-security-for-applications
• Cookies vs Tokens -- The Definitive Guide: https://auth0.com/blog/cookies-vs-tokens-definitive-guide/
• From JSON Web Token to Single Sign-On Part 1 -- Creating the Token: http://dzone.com/articles/from-json-web-token-to-single-sign-on-part-1-creat-1
• OAuth 2 VS JSON Web Tokens -- How to secure an API: http://www.seedbox.com/en/blog/2015/06/05/oauth-2-vs-json-web-tokens-comment-securiser-un-api/
• PHP Authorization with JWT (JSON Web Tokens): http://www.sitepoint.com/php-authorization-jwt-json-web-tokens/
• Understanding JWT (with Java examples): https://developer.atlassian.com/static/connect/docs/latest/concepts/understanding-jwt.html
• Token Authentication for Java Applications: http://stormpath.com/blog/token-auth-for-java
• Create a RESTful API with authentication using Web API and Jwt: https://developerhandbook.com/c-sharp/create-restful-api-authentication-using-web-api-jwt/
• JWT plugins/extensions: FireFox | Chrome

^{[10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] [21] [22] [23] [24] [25] [26] [27] [28] [29] [30] [31] [32] [33] [34] [35] [36] [37] [38] [39] [40] [41] [42] [43] [44] [45] [46] [47] [48] [49] [50] [51] [52] [53]}

OpenID

• OpenID

WebAuthn

Web Authentication (WebAuthn) is a web standard published by the W3C and is a core component of the FIDO2 Project under the guidance of the FIDO Alliance. The goal of the project is to standardize an interface for authenticating users to web-based applications and services using public-key cryptography.

• W3C - WebAuthn: https://www.w3.org/TR/webauthn/ | v2.0 | v3.0 (in draft)
• WebAuthn: https://webauthn.guide | DEMO #1 | DEMO #2 (aims to be a better alternative for securing our sensitive data online)
• MozDev -- WebAuthn API: https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API^[54]

^{[55] [56] [57] [58] [59] [60] [61]}

WebFinger

• WebFinger protocol: https://webfinger.net/ | SRC

^{[62] [63] [64] [65]}

WebID

• WebID spec: http://www.w3.org/2005/Incubator/webid/spec/ | DOCS

^{[66] [67]}

Kerberos

• Kerberos: https://web.mit.edu/Kerberos/

^{[68] [69] [70] [71]}

SIP

• SIP - Session Initiation Protocol: http://tools.ietf.org/html/rfc3261

Social Login

• wikipedia: Social login^[72]
• Google dev docs — Integrating Google Sign-In into your web app: https://developers.google.com/identity/sign-in/web/sign-in^[73]
• Facebook dev docs — “Connect” SDK: https://developers.facebook.com/docs/facebook-login/^[74]
• Twitter dev docs — Login with Twitter button: https://developer.twitter.com/en/docs/twitter-for-websites/log-in-with-twitter/login-in-with-twitter.html^[75][76]
• Microsoft dev docs — Login with Microsoft: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app^[77]
• Apple dev docs -- Sign In with Apple guidelines: https://developer.apple.com/design/human-interface-guidelines/sign-in-with-apple/overview/^[78]

BASIC

• HTTP Basic & Digest Authentication: http://tools.ietf.org/html/rfc2617

^[79]

DIGEST

HTTP Digest authentication is a step up from Basic authentication, both in the level of the protection it offers and its complexity. The following is an example "Digest authentication" HTTP header:

WWW-Authenticate: Digest realm="digest realm", qop="auth", nonce="1415713971682:2ffba5083baf438b90d2986cc77ae793", opaque="C4DAF43F253C0AFA5F006908F5595C8F"

• Digest Authentication walkthrough:

^{[80] [81] [82] [83] [84]}

Tools

• WebFinger client: http://webfingerclient-dclinton.appspot.com/

Resources

• OpenID project: http://openid.net
• WebID project: http://webid.info/
• WebFinger project: http://code.google.com/p/webfinger/ (Web Discovery for Identities, making email addresses readable again)
• OWASP - Guide to Authentication: https://www.owasp.org/index.php/Guide_to_Authentication
• OWASP Authentication (CHEAT SHEET): https://www.owasp.org/index.php/Authentication_Cheat_Sheet
• User Authentication Best Practices Checklist: https://dzone.com/articles/user-authentication-best-practices-checklist
• Form Authentication for Mobile Applications: http://www.securitypronews.com/it/applicationdevelopment/spn-19-20031121FormAuthenticationforMobileApplications.html

• PHP Login System with Admin Features: http://evolt.org/PHP-Login-System-with-Admin-Features?from=350&comments_per_page=50
• Integrated Windows Authentication in Java: http://spnego.sourceforge.net

^[85]

Tutorial

• The definitive guide to form-based website authentication: https://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication
• How Authentication Works: http://computer.howstuffworks.com/computer-user-authentication-channel.htm
• HTTP authentication with PHP: https://www.php.net/manual/en/features.http-auth.php
• How can I use Basic HTTP Authentication in PHP?: https://stackoverflow.com/questions/4150507/how-can-i-use-basic-http-authentication-in-php#4150636^[86][87][88]
• Authenticate from PHP to a SOAP Web Service using X.509 Certificates: http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/4586
• HTTP authentication logout via PHP: https://stackoverflow.com/questions/449788/http-authentication-logout-via-php
• How Digest Authentication Works: https://technet.microsoft.com/en-us/library/cc780170%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
• Cookies vs Tokens - The Definitive Guide: https://auth0.com/blog/cookies-vs-tokens-definitive-guide/
• How to do HTTP Basic Auth in Ajax: https://coderseye.com/2007/how-to-do-http-basic-auth-in-ajax.html
• How do I connect to a URL using Basic authentication (JAVA)?: http://www.avajava.com/tutorials/lessons/how-do-i-connect-to-a-url-using-basic-authentication.html
• JAX-RS Tip of the Day - Basic Authentication with JDBC: http://javaevangelist.blogspot.ca/2012/07/jax-rs-tip-of-day-basic-authentication.html
• How to handle user login/logout in browser multiple tab?: https://stackoverflow.com/questions/21692644/how-to-handle-the-user-logout-in-browser-multiple-tab
• Session Management in Java - HttpServlet, Cookies, URL Re-Writing: http://www.journaldev.com/1907/java-session-management-servlet-httpsession-url-rewriting
• How login works with JSP full example: http://met.guc.edu.eg/OnlineTutorials/JSP%20-%20Servlets/Full%20Login%20Example.aspx
• Login & Registration example in JSP (with Sessions): http://www.javaknowledge.info/login-and-registration-example-in-jsp-with-session/
• Handle Windows Authentication in Selenium Webdriver: http://learn-automation.com/handle-windows-authentication-using-selenium-webdriver/
• Firebase Authentication With the Firebase 3.0 SDK and Auth0 Integration: http://dzone.com/articles/firebase-authentication-with-the-firebase-30-sdk-a (excellent example of Web Service security, since acquisition & re-architecture by Google)^[89]
• Firebase – Authentication using AngularJS: https://kieldev.wordpress.com/2017/02/08/firebase-authentication-using-angularjs/
• The Lazy Developer's Guide to Authentication With Vue.js: https://dzone.com/articles/the-lazy-developers-guide-to-authentication-with-v-1
• Making a HTTP GET request with HTTP-Basic authentication: https://stackoverflow.com/questions/7732634/making-a-http-get-request-with-http-basic-authentication
• Fetching custom Authorization header from incoming PHP request: https://stackoverflow.com/questions/2902621/fetching-custom-authorization-header-from-incoming-php-request
• Apache 2.4 + PHP-FPM and Authorization headers: https://stackoverflow.com/questions/17018586/apache-2-4-php-fpm-and-authorization-headers/17490827#17490827
• Apache -- basic authentication before rewrite: https://stackoverflow.com/questions/2606435/apache-basic-authentication-before-rewrite
• Authenticate against PHP applications with cURL or Postman: https://nehalist.io/authenticate-against-php-applications-with-curl-or-postman/
• Password Cracker - Generating Passwords: https://towardsdatascience.com/password-cracker-generating-passwords-with-recurrent-neural-networks-lstms-9583714a3310
• Device Authentication -- Notify User of Login From New Device or Location: https://dzone.com/articles/notify-user-of-login-from-new-device-or-location | SRC (large series of tutorials with code samples)
• Use Client Certificate Authentication With Java and RestTemplate: https://dzone.com/articles/use-client-certificate-authentication-with-java-an
• Integrating Spring Boot and React With Spring Security & React JSX - Basic and JWT Authentication: https://dzone.com/articles/integrating-spring-boot-and-react-with-spring-secu-1
• Add Secure Token Authentication (JWTs) to Your Java App: https://dzone.com/articles/add-secure-token-authentication-to-your-java-app

External Links

• wikipedia: Authentication
• wikipedia: Basic access authentication
• wikipedia: Digest access authentication
• wikipedia: Multi-factor authentication
• Joseph Smarr at Web 2.0 on the New “Open Stack”: http://therealmccrea.com/2008/09/19/joseph-smarr-at-web-20-on-the-new-open-stack/
• W3C Cryptography example - delegated authentication: http://www.w3.org/2000/10/swap/test/crypto/
• AuthBridge (old SSO effort by Carnegie Melon before SSO term was coined): http://www.net.cmu.edu/authbridge/
• 5 Features Your Login System Must Have: http://davidwalsh.name/5-features-login-system
• Dev Security -- Authentication Is More Important Than Ever in 2017: https://dzone.com/articles/authentication-is-more-important-than-ever-in-2017 (SFA-Email/Username/Password, 2FA-Email/Password/SMS/PhoneCall, MFA-Email/Password/PhoneCall/SMS/Biometric)
• The use of digital identities for strong authentication — PKI and FIDO: https://medium.com/@michael.queralt/a-happy-path-to-the-use-of-digital-identities-for-authentication-derived-credentials-and-fido-32f2f8cd002

References

1. ↑ Web3.js -- "Ethereum Blockchain Developer" crash course: https://www.dappuniversity.com/articles/web3-js-intro | PLAYLIST
2. ↑ Web3 Token is a new way to authenticate users in a hybrid dApps using signed messages (code examples in JS): https://reposhub.com/javascript/misc/bytesbay-web3-token.html
3. ↑ You don’t need JWT anymore: https://medium.com/@bytesbay/you-dont-need-jwt-anymore-974aa6196976
4. ↑ How to send ERC20 token using Web3 API?: https://ethereum.stackexchange.com/questions/24828/how-to-send-erc20-token-using-web3-api
5. ↑ Get total amount of tokens received from a specific address using Web3.js: https://stackoverflow.com/questions/69602206/get-total-amount-of-tokens-received-from-a-specific-address-using-web3-js
6. ↑ Web3.js integration example to Theta Blockchain: https://docs.thetatoken.org/docs/web3-stack-web3js
7. ↑ Web3 wallet XDEFI unveils utility token as it sets sights on Metamask: https://coinrivet.com/web3-wallet-xdefi-unveils-utility-token-as-it-sets-sights-on-metamask/
8. ↑ Web3 Token origins -- BitTorrent & BTT explained: https://academy.aaxspace.com/en/web3-tokens-bittorrent-btt-explained/
9. ↑ The Top Web3 Projects To Watch: https://academy.aaxspace.com/en/the-top-web3-projects-to-watch/
10. ↑ The JSON Web Token Toolkit: https://github.com/ticarpi/jwt_tool (useful for testing, tweaking and cracking JSON Web Tokens)
11. ↑ JWT Attack Playbook: https://github.com/ticarpi/jwt_tool/wiki
12. ↑ Critical vulnerabilities in JSON Web Token libraries: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
13. ↑ JWT pentesting, API discovery, the present and future of OpenAPI: https://apisecurity.io/issue-88-jwt-pentesting-api-discovery-present-future-openapi/?utm_campaign=APISecurity newsletter&utm_medium=email&_hsmi=89744566&_hsenc=p2ANqtz-8O2HJjAvf2hHEilaDiVbDQ0kDJnbUde9RRYORelqLC2KG04GyjWx_-AXZQxFz83x0WbFnKCVks7xxDqhL7OqQjKLMqkA&utm_content=89743832&utm_source=hs_email
14. ↑ 5 Easy Steps to Understanding JSON Web Tokens (JWT): https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec
15. ↑ Using JWT to Secure a Stateless API World: https://dzone.com/articles/using-jwt-to-secure-a-stateless-api-world
16. ↑ Stop Using JWTs as Session Tokens: https://dzone.com/articles/stop-using-jwts-as-session-tokens
17. ↑ Using Postman for JWT Authentication on Adobe I/O: https://medium.com/adobe-io/using-postman-for-jwt-authentication-on-adobe-i-o-7573428ffe7f
18. ↑ JWT Use Cases: https://medium.com/@robert.broeckelmann/jwt-use-cases-bb94e4e70949
19. ↑ Blacklisting JSON Web Token API Keys: https://auth0.com/blog/blacklist-json-web-token-api-keys/
20. ↑ Should JWT be stored in localStorage or cookie?: https://stackoverflow.com/questions/34817617/should-jwt-be-stored-in-localstorage-or-cookie (neither for best security... instead create an Access JWT in-memory only, and, a Refresh Session JWT in "HttpOnly"-flagged Cookie for persistence)
21. ↑ Where to Store your JWTs – Cookies vs HTML5 Web Storage: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
22. ↑ Is it safe to store a JWT in sessionStorage?: https://security.stackexchange.com/questions/179498/is-it-safe-to-store-a-jwt-in-sessionstorage
23. ↑ The Ultimate Guide to handling JWTs on frontend clients (GraphQL): https://hasura.io/blog/best-practices-of-using-jwt-with-graphql/
24. ↑ Sending JWT with Service Clients: http://docs.servicestack.net/jwt-authprovider#sending-jwt-with-service-clients
25. ↑ JWT tokens & security – working principles and use cases: https://www.vaadata.com/blog/jwt-tokens-and-security-working-principles-and-use-cases/
26. ↑ Another Round of JWT.io and JWT Debugger Extension Updates: https://auth0.com/blog/more-jwt-io-and-jwt-debugger-extension-updates/
27. ↑ A Look at The Draft for JWT Best Current Practices: https://auth0.com/blog/a-look-at-the-latest-draft-for-jwt-bcp/
28. ↑ JSON WEB TOKEN (JWT) explained: https://flaviocopes.com/jwt/
29. ↑ What is a JSON Web Token (and how is it better than Cookies) - visual explanation?: https://robmclarty.com/blog/what-is-a-json-web-token
30. ↑ Hacking Json Web Token Signature.: https://github.com/onsecru/jwt-hacking-challenges
31. ↑ How JSON Web Token (JWT) Secures Your API: https://dzone.com/articles/how-json-web-token-jwt-secures-your-api (how you can secure an API using JSON Web Tokens)
32. ↑ Add Secure Token Authentication (JWTs) to Your Java App: https://dzone.com/articles/add-secure-token-authentication-to-your-java-app
33. ↑ Secure JAX-RS APIs With Eclipse MicroProfile JSON Web Token: https://www.eclipse.org/community/eclipse_newsletter/2020/august/2.php
34. ↑ Json Web Token -- How to Secure a Spring Boot REST API: https://dzone.com/articles/json-web-token-how-to-secure-spring-boot-rest-api
35. ↑ Spring Boot Security + JWT Hello World Example: https://dzone.com/articles/spring-boot-security-json-web-tokenjwt-hello-world
36. ↑ How to Best Leverage JWTs for API Security: https://www.youtube.com/watch?v=Eq-LiFJbvXo
37. ↑ AppSec California 2020 conference -- Are You Properly Using JWTs? (by Dmitry Sotnikov): https://www.youtube.com/watch?v=M3jA0bGDCso
38. ↑ PenTest Academy -- Hacking JWT Tokens - Blind SQLi: https://blog.pentesteracademy.com/hacking-jwt-tokens-blind-sqli-efa2799f0e95
39. ↑ Burp Suite -- plugins - JSON Web Token Attacker: https://portswigger.net/bappstore/82d6c60490b540369d6d5d01822bdf61
40. ↑ Base64 -- "java.lang.IllegalArgumentException: Illegal character" when encoding/decoding JWTs: https://stackoverflow.com/questions/28584080/base64-java-lang-illegalargumentexception-illegal-character
41. ↑ Illegal base64 character 5f, Illegal base64 character 2d and java.util.Base64: https://adam-bien.com/roller/abien/entry/illegal_base64_character_5f_illegal
42. ↑ Decode Base64 data in Java: https://stackoverflow.com/questions/469695/decode-base64-data-in-java
43. ↑ JSON Web Token (JWT) -- Authorization vs Authentication: https://stackoverflow.com/questions/48386407/json-web-token-jwt-authorization-vs-authentication (includes example for handling "permissions list" in JWT)
44. ↑ JSON Web Token(JWT) vs Opaque Token: https://medium.com/@piyumimdasanayaka/json-web-token-jwt-vs-opaque-token-984791a3e715
45. ↑ JSON Web Token -- 8 Easy Steps to Understand and Implement JWT: https://www.bemyaficionado.com/json-web-token/ | SRC
46. ↑ 7 Ways to Avoid JWT Security Pitfalls: https://42crunch.com/7-ways-to-avoid-jwt-pitfalls/
47. ↑ The hard parts of JWT security nobody talks about: https://pragmaticwebsecurity.com/articles/apisecurity/hard-parts-of-jwt.html
48. ↑ Creating a JWT Authentication Web API in 5 Minutes: https://dzone.com/articles/creating-a-jwt-authentication-web-api-in-5-minutes
49. ↑ Delegating JWT Validation for Greater Flexibility: https://dzone.com/articles/delegating-jwt-validation-for-greater-flexibility
50. ↑ Safely Handling JWTs: https://dev.to/oneadvanced/safely-handling-jwts-5d49
51. ↑ How to Use JWT Securely: https://dzone.com/articles/how-to-use-jwt-securely (Java examples)
52. ↑ Stop Using JSON Web Tokens For Authentication - Use Stateful Sessions Instead: https://betterprogramming.pub/stop-using-json-web-tokens-for-authentication-use-stateful-sessions-instead-c0a803931a5d
53. ↑ Deep dive into self-contained tokens and JWTs (VIDEO): https://www.youtube.com/watch?v=O3G1pigc3zQ (by Neil Madden, the fellow who "wrote the book" or a book that is, on "API Security in action")
54. ↑ Web Authentication in Firefox for Android: https://blog.mozilla.org/security/2019/08/05/web-authentication-in-firefox-for-android/
55. ↑ wikipedia: WebAuthn
56. ↑ What is WebAuthn?: https://www.okta.com/blog/2019/03/what-is-webauthn/
57. ↑ Introduction to WebAuthn API: https://medium.com/@herrjemand/introduction-to-webauthn-api-5fd1fb46c285
58. ↑ Practical passwordless authentication comes a step closer with WebAuthn: https://arstechnica.com/gadgets/2018/04/practical-passwordless-authentication-comes-a-step-closer-with-webauthn/
59. ↑ Microsoft support for WebAuthn: https://github.com/Microsoft/webauthn/
60. ↑ Yubiko Security Key support for WebAuthn: https://www.yubico.com/authentication-standards/webauthn/
61. ↑ Okta help center -- docs on support for FIDO2 Web Authentication (WebAuthn): https://help.okta.com/en/prod/Content/Topics/Security/mfa-webauthn.htm
62. ↑ wikipedia: WebFinger
63. ↑ What is WebFinger, and why is it used?: https://docs.joinmastodon.org/spec/webfinger/
64. ↑ Okta developer -- API docs - WebFinger: https://developer.okta.com/docs/reference/api/webfinger/
65. ↑ WebFinger overview & example: https://www.packetizer.com/ws/webfinger/
66. ↑ wikipedia: WebID
67. ↑ W3C -- Foaf+ssl: https://www.w3.org/wiki/Foaf%2Bssl
68. ↑ wikipedia: Kerberos (protocol)
69. ↑ Microsoft -- Kerberos Authentication - support overview: https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview
70. ↑ Kerberos overview: https://www.geeksforgeeks.org/kerberos/
71. ↑ What Is Kerberos, How Does It Work, and What Is It Used For?: https://www.simplilearn.com/what-is-kerberos-article
72. ↑ Social Login with Facebook and Twitter: https://helpx.adobe.com/experience-manager/6-5/communities/using/social-login.html
73. ↑ Login with Google Account using PHP: https://www.codexworld.com/login-with-google-api-using-php/
74. ↑ Login with Facebook using PHP: https://www.codexworld.com/login-with-facebook-using-php/
75. ↑ Login with Twitter using PHP: https://www.codexworld.com/login-with-twitter-using-php/
76. ↑ Twitter external sign-in setup with ASP.NET Core: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/twitter-logins?view=aspnetcore-2.2
77. ↑ Add Microsoft Account Login to Your App: https://auth0.com/docs/connections/social/microsoft-account
78. ↑ Apple Developer Sign-In Button Instructions Raising Eyebrows: https://www.mediapost.com/publications/article/336656/apple-developer-sign-in-button-instructions-raisin.html
79. ↑ lighttpd Web Server on a Raspberry Pi using mod_auth: https://jacobsalmela.com/2014/05/25/password-protect-a-lighttpd-web-server-on-a-raspberry-pi-using-mod-auth/
80. ↑ Hacking Web Authentication – Part 1: https://resources.infosecinstitute.com/authentication-hacking-pt1/
81. ↑ Hacking Web Authentication – Part 2: https://resources.infosecinstitute.com/hacking-web-authentication-part-2/
82. ↑ What is Digest Authentication?: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc778868(v=ws.10)?redirectedfrom=MSDN
83. ↑ IIS - configure Digest Authentication: https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/digestauthentication
84. ↑ WDigest -- Clear-Text Passwords in Memory FIX: https://www.wilbursecurity.com/2017/10/wdigest-clear-text-passwords/
85. ↑ 6 JavaScript User Authentication Libraries for 2019: https://blog.bitsrc.io/6-javascript-user-authentication-libraries-for-2019-6c7c45fbe458
86. ↑ PHP Docs -- HTTP Authentication: http://www.php.net/manual/en/features.http-auth.php
87. ↑ HTTP Basic Authentication PHP: https://www.techflirt.com/http-basic-authentication-php#apache-mod-cgi-basic-auth
88. ↑ Oracle -- Database-Based Authentication for PHP Apps, Part 1: http://www.oracle.com/technology/pub/articles/mclaughlin-phpid1.html
89. ↑ Google unveils 5yr Roadmap for strong Authentication: http://www.zdnet.com/google-unveils-5-year-roadmap-for-strong-authentication-7000015147/

See Also

OpenID | SSO | Cookies | JWT | Authorization | Passwords