
All About Authentication

Sharing to GDS-ACE Software Engineering Chapter - Feb 26, 2021

Samantha Wong

February 26, 2021

Transcript

  1. All About Auth Tokens, Sessions and Redirects. Or, What We Learned Building an Auth Common Service in GoBusiness

  2. Why We Started This Journey: us / SPCP. Necessity is the Mother of Production
  3. Auth(entication) vs. Auth(orization): verifies entity identity vs. entity access

  4. Authentication vs Authorization, according to auth0. Source: https://auth0.com/docs/flows (Salt Beef)

  5. OpenID Connect (OIDC) - OAuth OAuth 2.0 OpenID Connect

  6. OIDC

  7. OAUTH 2.0

  8. SPCP us user

  9. SPCP us user

  10. SPCP us user auth-wrapper

  11. SPCP us user auth-wrapper us us us us

  12. SPCP us user auth-wrapper us us us us

  13. SPCP us user auth-wrapper gobiz-auth us us us us

  14. But wait, doesn’t SPCP have SSO?

  15. Taken from SPCP OIDC Interface Specifications v1.5

  16. SPCP us user us us us us

  17. SPCP us user gobiz-auth us us us us

  18. What’s in a Token - Types of JWTs - Why have a refresh and an access token and where to put them
  19. JWTs JWT JWS JWE

  20. JWT JWS JWE

  21. ID, Refresh and Access Tokens. Access tokens: short-lived, about direct access to resources. Refresh tokens: longer-lived, allow one to refresh access tokens. Source: https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/
  22. Can we do without some kind of server-side storage?

  23. SPCP us user gobiz-auth us us us us

  24. SPCP us user gobiz-auth us us us us

  25. No, we can’t log users out.

  26. Eager Server Validation vs Offline Token Validation. Why one or the other? = Supporting no concurrent users
  27. Hypothetically, /refresh: refreshes your access token; /verify: verifies whether an access token is still valid
  28. Do we always need a refresh, and an access token?

  29. Modes of (Client-Side) Session Elongation: A. Calling /refresh on every backend call; B. Frontend will call /refresh periodically
  30. Between the Storages
     | Type                       | Local Storage       | Session Storage | Cookie                      | GlobalThis          |
     | Space Size                 | 5MB (at least)      | 5MB (at least)  | 4KB (max)                   |                     |
     | Browser Storage Properties | Domain access       | Domain access   | Domain and subdomain access | Domain access       |
     | Removal                    | Clear browsing data | Close tab       | Set Expiration              | Clear browsing data |
  31. None
  32. Standard Ways to Protect a Cookie
     - httpOnly flag (prevents client-side access; for server-side cookies)
     - SameSite=strict (prevents CSRF)
     - secure=true (only sends cookies over HTTPS)
  33. Backend vs Frontend Calls; User-identifying vs Server-identifying; Authentication vs Authorization; What’s Secure, Anyway? Encryption vs Masking vs Hashing
  34. User Requirements
     - Coming back to the login page to be auto-redirected to a post-login landing page if currently logged in.
     - If you already had a login page open, clicking on the login button should through-train into the application.
     - Should a user be logged in when they open a different tab in the same browser?
     - Will determine where you store your session token: in localStorage, globalThis, Redux, Cookies (more work needed)
  35. Why All The Redirects, Anyway - Different Authenticating Service (e.g. SPCP) - Mysterious, it is
  36. Puzzles Non Comprendo - “Protocol Fatigue”
     - Why do we need so many standards/protocols?
     - How are they different?
     - What differing functions do they serve?
     - Do people earn money when they make a new standard?
     - What qualifies as a “new standard”?
     - What is the meaning of life?
  37. [Optional] Errors - Why don’t people recognize you as being authenticated
  38. The End