
OAuth 2.0 vs JWT

JWT can replace the session cookie and makes APIs / Web stateless: the server keeps no session store and instead checks the token's signature on every request

JWT Token can easily be decoded: header and payload are only base64url-encoded, not encrypted, so anyone holding the token can read them. Never put secrets in the payload

JWT has no true logout: a stateless token stays valid until its exp claim passes, so keep lifetimes short or keep a server-side revocation list (which gives up statelessness)

Always use: Authorization: Bearer <TOKEN>

Bearer authentication scheme prevents CSRF attacks: the browser never attaches the Authorization header on its own the way it attaches cookies. The trade-off is that the token must be stored where script can reach it, so XSS becomes the main risk

A sample JWT consists of the following three parts.

Header : Algorithm and token type

{
"alg": "HS256",
"typ": "JWT"
}

Payload : data

{
"sub": "1234567890",
"name": "John Doe",
"admin": true
}

Verify signature:

HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret
)

Final output:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

(the three base64url segments joined with dots: header.payload.signature)

Using JWT.IO we can easily decode, verify and generate JWT tokens.
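The following is an added example (not code from the original post or from jwt.io) that does what the debugger does, using only the Python standard library: it re-creates the page's sample token, shows that the payload is readable without any secret, verifies the HS256 signature with a pinned algorithm, and demonstrates why a tampered payload and an alg=none token are rejected. It assumes the signing secret for the page's sample token is the string "secret", which is the historical jwt.io default for that example.

```python
import base64
import hashlib
import hmac
import json
import time

# The page's sample token. The secret "secret" is an assumption carried over
# from jwt.io's historical default for this example, not stated in the post.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9."
    "TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ"
)


def b64url_encode(raw: bytes) -> str:
    """base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def json_segment(obj: dict) -> str:
    # compact separators reproduce the canonical jwt.io encoding byte for byte
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(payload: dict, secret: str) -> str:
    signing_input = json_segment({"alg": "HS256", "typ": "JWT"}) + "." + json_segment(payload)
    sig = hmac.new(secret.encode(), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> dict:
    """What 'easily decoded' means: no secret is needed to read the claims."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: str, now=None) -> dict:
    """Return the payload if signature and exp are valid, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm server-side: never let the token choose. This rejects
    # alg=none and HS256/RS256 key-confusion tricks.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret.encode(), (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p_b64))
    # 'no true logout': exp is the only built-in way a token stops being valid
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def tamper_payload(token: str, **changes) -> str:
    """Attacker's attempt: edit claims but keep the original signature."""
    h_b64, p_b64, s_b64 = token.split(".")
    claims = json.loads(b64url_decode(p_b64))
    claims.update(changes)
    return h_b64 + "." + json_segment(claims) + "." + s_b64


def alg_none(token: str) -> str:
    """Attacker's attempt: declare alg=none and drop the signature."""
    _, p_b64, _ = token.split(".")
    return json_segment({"alg": "none", "typ": "JWT"}) + "." + p_b64 + "."


def rejects(token: str, secret: str) -> bool:
    """True if verify_hs256 refuses the token."""
    try:
        verify_hs256(token, secret)
        return False
    except ValueError:
        return True
```

The important design point is in verify_hs256: the expected algorithm comes from server configuration, never from the token's own header, and the comparison uses hmac.compare_digest so signature checks do not leak timing.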

OAuth 2.0:

Authorization framework for delegated access: a user lets a client act on their behalf without handing over the password

Supports APIs, Web, Mobile, etc.

OAuth 2.0 Key Components

  1. Authorization Server (Token Factory, e.g. GitHub)
  2. Resource Server (API / Microservice, e.g. GitHub API)
  3. Client  (UI / Mobile / API / Microservice e.g. Login with GitHub )
  4. User (Resource Owner)
  5. User Agent (Device/Browser)
OAuth 2.0 Grant Types
  1. Authorization Code 
    1. Used for user authorization by Web / Mobile apps
    2. (e.g. Login with GitHub UI button -> GitHub for authorization -> token to access GitHub APIs on behalf of the user)
    3. The client registers with the Authorization Server (GitHub) and receives a client-id and client-secret; the secret is presented when exchanging the code for tokens and when refreshing them
    4. The browser only sees a temporary code. The client sends the temp code together with the client-secret over a back channel to get the access-token, so the token never passes through the browser
    5. Mobile apps and single page apps cannot keep a client-secret, so they use PKCE instead (see below)
  2. Client Credentials
    1. Machine-to-machine communication, no user involved
    2. (Go to GitHub and generate a Client ID / Client Secret to access GitHub APIs)
PKCE for single page Apps
https://www.oauth.com/oauth2-servers/single-page-apps/
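Added example, not code from the original post or from oauth.com: a self-contained simulation of the Authorization Code grant with PKCE (RFC 7636), playing both sides of the exchange. The public client (an SPA or mobile app with no client-secret) derives an S256 code_challenge from a random code_verifier; the authorization server binds the code to that challenge and will only exchange it once, for the same client and redirect URI, and only when the verifier matches. The client_id, redirect URI, endpoint method names and the in-memory stores are assumptions for the simulation.

```python
import base64
import hashlib
import secrets
import time


def b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 requires for the challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Token factory. Endpoint names and in-memory stores are assumptions."""

    def __init__(self):
        self.clients = {"spa-client": "https://app.example/cb"}   # client_id -> registered redirect_uri
        self._codes = {}    # code -> {client_id, redirect_uri, code_challenge, expires}

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method, state):
        # (user login and consent happen here; skipped in the simulation)
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted ('plain' allows downgrade)")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "code_challenge": code_challenge, "expires": time.time() + 60}
        return {"code": code, "state": state}      # what the redirect carries back to the browser

    def token(self, grant_type, code, client_id, redirect_uri, code_verifier):
        if grant_type != "authorization_code":
            raise ValueError("unsupported grant_type")
        rec = self._codes.pop(code, None)          # single use: any attempt consumes the code
        if rec is None or rec["expires"] < time.time():
            raise ValueError("invalid or expired code")
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise ValueError("code was issued to a different client/redirect_uri")
        if not secrets.compare_digest(s256_challenge(code_verifier), rec["code_challenge"]):
            raise ValueError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


class PublicClient:
    """SPA / mobile app: has a client_id but no client_secret."""

    def __init__(self, server, client_id="spa-client", redirect_uri="https://app.example/cb"):
        self.server, self.client_id, self.redirect_uri = server, client_id, redirect_uri

    def start_login(self):
        self.code_verifier = secrets.token_urlsafe(64)   # 86 chars, within RFC 7636's 43..128
        self.state = secrets.token_urlsafe(16)
        return self.server.authorize(self.client_id, self.redirect_uri,
                                     s256_challenge(self.code_verifier), "S256", self.state)

    def finish_login(self, callback):
        if not secrets.compare_digest(callback["state"], self.state):
            raise ValueError("state mismatch: code was not requested by this session (CSRF)")
        return self.server.token("authorization_code", callback["code"], self.client_id,
                                 self.redirect_uri, self.code_verifier)


def run_flow():
    """Happy path: returns the token response."""
    srv = AuthorizationServer()
    client = PublicClient(srv)
    return client.finish_login(client.start_login())


def stolen_code_is_useless():
    """A code intercepted on the redirect cannot be redeemed without the verifier."""
    srv = AuthorizationServer()
    callback = PublicClient(srv).start_login()
    try:
        srv.token("authorization_code", callback["code"], "spa-client",
                  "https://app.example/cb", secrets.token_urlsafe(64))
        return False
    except ValueError:
        return True


def code_replay_is_rejected():
    """The same code cannot be exchanged twice."""
    srv = AuthorizationServer()
    client = PublicClient(srv)
    callback = client.start_login()
    client.finish_login(callback)
    try:
        client.finish_login(callback)
        return False
    except ValueError:
        return True
```

Two things carry the security here: the verifier never leaves the client until the back-channel token request, so a code leaked through the browser redirect or a referrer is worthless on its own, and the server consumes the code on any exchange attempt, so a failed PKCE check also burns it.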

https://www.oauth.com/


SAML
Single Sign-on across sites

In 2008 there was only SAML and login forms / cookies:
** No way to support mobile app login
** No way to support delegated authorization

OpenID Connect is for Authentication
OAuth 2.0 is for Authorization

What does OpenID Connect add?
  1. ID Token
  2. UserInfo endpoint for getting more user info
  3. A standard set of scopes
  4. Standardized implementation
When to Use OpenID Connect?
  • Form login
  • Single sign-on across sites
  • Mobile App login
  • Delegated authorization (OAuth 2.0)

When using OpenID Connect

Login with Google adds an extra scope, openid, to the authorization request. The token response then carries an ID token (a signed JWT with the user's identity) in addition to the access token, and the access token can be sent to the /userinfo endpoint to request more user profile info
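Added example, not code from the original post: building the OpenID Connect authorization request (the openid scope plus a nonce are what turn an OAuth 2.0 request into a login) and validating the claims of the returned ID token the way OpenID Connect Core 1.0 section 3.1.3.7 requires. The ID token's signature is assumed to have been verified already against the provider's published keys; this block checks only the claims. The issuer, client_id and the sample claims are constructed for the example, not taken from a real Google response.

```python
import time
from urllib.parse import urlencode

ISSUER = "https://accounts.google.com"   # assumed: the iss value from the provider's discovery document
CLIENT_ID = "my-client-id"              # assumed: the client_id registered with the provider
CLOCK_SKEW = 60                         # seconds of tolerance for clock drift

NOW = 1_700_000_000
SAMPLE_CLAIMS = {  # constructed for this example, not a real Google ID token
    "iss": ISSUER, "sub": "110169484474386276334", "aud": CLIENT_ID,
    "exp": NOW + 3600, "iat": NOW, "nonce": "n-0S6_WzA2Mj", "email": "jsmith@example.com",
}


def authorization_request(redirect_uri, state, nonce, client_id=CLIENT_ID):
    """Query string for the OIDC authorization request: openid scope + nonce make it a login."""
    return urlencode({
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid profile email", "state": state, "nonce": nonce,
    })


def validate_id_token_claims(claims, expected_nonce, now=None, issuer=ISSUER, client_id=CLIENT_ID):
    """Claim checks for an ID token whose signature has already been verified."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        raise ValueError("token was not issued for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:   # strict reading of the spec's azp rule
        raise ValueError("azp must name this client when aud lists several")
    if "exp" not in claims or claims["exp"] <= now - CLOCK_SKEW:
        raise ValueError("token expired")
    if "iat" in claims and claims["iat"] > now + CLOCK_SKEW:
        raise ValueError("iat is in the future")
    if not claims.get("sub"):
        raise ValueError("sub missing")
    # nonce binds this token to the login request this session started (replay protection)
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed or injected ID token)")
    return claims


def rejects(claims, expected_nonce, now):
    """True if validate_id_token_claims refuses the claims."""
    try:
        validate_id_token_claims(claims, expected_nonce, now)
        return False
    except ValueError:
        return True
```

Note the division of labour: the ID token is addressed to the client (aud is the client_id) and proves who logged in; the access token is what goes to /userinfo and is opaque to the client. Accepting an ID token issued to some other client_id is the classic mistake these checks prevent.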
