Awesome authentication
Resources to learn and implement authentication in your application
This is compilation of research on implementing authentication in applications(Covering authentication using JWT for now, more approaches will follow soon) The project is distributed under the MIT License license, first published in 2020. Key topics include: authentication, authentication-backend, authentication-strategy, digital-signature, jwt.
This is compilation of research on implementing authentication in applications(Covering authentication using JWT for now, more approaches will follow soon)
Fundamentals You Must Know
Cryptography
- Assymetric Cryptography
- Digital Signatures : Verifying authenticity of message
- Forward Secrecy : A way to protect against future compromises of private key
- Encryption vs Signing
- Encryption vs Encoding
- Hashing vs Encoding cs Encryption vs Obfuscation
About Tokens
About Frameworks
- OAuth2.0 - authorization framework to enable third-party application obtain limited access to HTTP service
- OpenIDConnect - authentication on top of OAuth2.0
Web-Security Recommendations
- Authentication cheatsheet by OWASP
- PKCE - Proof Key for Code Exchange by OAuth Public Clients
- The OAuth 2.0 Authorization Framework: Bearer Token Usage
Secure Key Exchange In Public
- Diffie Hellman Key Exchange
- An SO answer to build more understanding around DH algo, signatures, forward secrecy, etc.
- Diffie-Hellman key exchange implementation in node.js
Maintaining Forward Secrecy
Invalidating JWT
- Simply remove the token from the client
- Create a token blacklist
- Just keep token expiry times short and rotate them often
- Contingency Plans : allow the user to change an underlying user lookup ID with their login credentials
A common approach for invalidating tokens when a user changes their password is to sign the token with a hash of their password. Thus if the password changes, any previous tokens automatically fail to verify. You can extend this to logout by including a last-logout-time in the user's record and using a combination of the last-logout-time and password hash to sign the token. This requires a DB lookup each time you need to verify the token signature, but presumably you're looking up the user anyway.
Securtity Risks and Criticism of JWT
- Stop using JWT for sessions and part 2: Why your solution doesn't work
- Why JWTs Suck as Session Tokens
- No Way, JOSE! Javascript Object Signing and Encryption is a Bad Standard That Everyone Should Avoid (including JWT, JWE and JWS)
- https://github.com/shieldfy/API-Security-Checklist/issues/6 with more resources
- Things to Use Instead of JWT
- Branca as an Alternative to JWT?
- Paseto is a Secure Alternative to the JOSE Standards (JWT, etc.)
Implementations(Examples/Demos)
- Demo: How Docusign APIs auth workflow using JWT access token and refresh tokens
- JWT Authentication & Authorization in NodeJs/Express & MongoDB REST APIs(2019)
- JWT+Passport
- JWT+Passport : Code
- JWT+Passport : Guide on DO
- Passport-jwt
- Refreshing token using node-jsonwebtoken
- oAuth2 server with node.js
- oAuth libraries for node.js
- Inspiration: Read Firefox Accounts Code- All services including autyh-server, profile-server Documentation
- oAuth2 server toolkit for node.js
- OAuth2 Server and OpenID Connect Provider written in Go - sdk in all languages
- JavaScript client SDK to communicate with OAuth 2.0 and OpenID Connect providers
- AuthZ lib supports ACL, RBAC, ABAC in Node.js
- Google OpenIDConnect authentication
Useful Tools
Contributors
Showing top 1 contributor by commit count.
Related Repositories
pocketbase/pocketbase
Open Source realtime backend in 1 file
better-auth/better-auth
The most comprehensive authentication framework
nextauthjs/next-auth
Authentication for the Web.
authelia/authelia
The Single Sign-On Multi-Factor portal for web apps, now OpenID Certified™
heartcombo/devise
Flexible authentication solution for Rails with Warden.
goauthentik/authentik
The authentication glue you need.