awesome-authentication

awesome-authentication copied to clipboard

This is compilation of research on implementing authentication in applications(Covering authentication using JWT for now, more approaches will follow soon)

Fundamentals You Must Know

Cryptography

• Assymetric Cryptography
• Digital Signatures : Verifying authenticity of message
• Forward Secrecy : A way to protect against future compromises of private key
• Encryption vs Signing
• Encryption vs Encoding
• Hashing vs Encoding cs Encryption vs Obfuscation

About Tokens

• JWT
• JWT vs Opaque tokens

About Frameworks

• OAuth2.0 - authorization framework to enable third-party application obtain limited access to HTTP service
• OpenIDConnect - authentication on top of OAuth2.0

Web-Security Recommendations

• Authentication cheatsheet by OWASP
• PKCE - Proof Key for Code Exchange by OAuth Public Clients
• The OAuth 2.0 Authorization Framework: Bearer Token Usage

Secure Key Exchange In Public

• Diffie Hellman Key Exchange
• An SO answer to build more understanding around DH algo, signatures, forward secrecy, etc.
• Diffie-Hellman key exchange implementation in node.js

Maintaining Forward Secrecy

• Double Rachet Algo
• Signal protocol specs & implemtation lib in js

Invalidating JWT

• Strategies to invalidate jwt - SO Q&A

• Simply remove the token from the client
• Create a token blacklist
• Just keep token expiry times short and rotate them often
• Contingency Plans : allow the user to change an underlying user lookup ID with their login credentials

A common approach for invalidating tokens when a user changes their password is to sign the token with a hash of their password. Thus if the password changes, any previous tokens automatically fail to verify. You can extend this to logout by including a last-logout-time in the user's record and using a combination of the last-logout-time and password hash to sign the token. This requires a DB lookup each time you need to verify the token signature, but presumably you're looking up the user anyway.

• Discussion: Is refreshing an expired JWT token a good strategy?

Securtity Risks and Criticism of JWT

• JWT attack - signature as MAC
• Recreating JWT validation bypass
• 3 JWT design flaws

• Stop using JWT for sessions and part 2: Why your solution doesn't work
• Why JWTs Suck as Session Tokens
• No Way, JOSE! Javascript Object Signing and Encryption is a Bad Standard That Everyone Should Avoid (including JWT, JWE and JWS)
• https://github.com/shieldfy/API-Security-Checklist/issues/6 with more resources
• Things to Use Instead of JWT
• Branca as an Alternative to JWT?
• Paseto is a Secure Alternative to the JOSE Standards (JWT, etc.)

Implementations(Examples/Demos)

• Demo: How Docusign APIs auth workflow using JWT access token and refresh tokens
• JWT Authentication & Authorization in NodeJs/Express & MongoDB REST APIs(2019)
• JWT+Passport
• JWT+Passport : Code
• JWT+Passport : Guide on DO
• Passport-jwt
• Refreshing token using node-jsonwebtoken
• oAuth2 server with node.js
• oAuth libraries for node.js
• Inspiration: Read Firefox Accounts Code- All services including autyh-server, profile-server Documentation
• oAuth2 server toolkit for node.js
• OAuth2 Server and OpenID Connect Provider written in Go - sdk in all languages
• JavaScript client SDK to communicate with OAuth 2.0 and OpenID Connect providers
• AuthZ lib supports ACL, RBAC, ABAC in Node.js
• Google OpenIDConnect authentication

Useful Tools

• Encode or Decode JWTs
• Learn JWT by reverse engineering