Advanced Web Programming

Part 07 – Authentication and

Authorization Fundamentals
Dr. Amjad AbuHassan

1/5/2025 Dr. Amjad AbuHassan 1

Understanding Authentication
and Authorization

1/5/2025 Dr. Amjad AbuHassan 2

Authentication and Authorization
● Definition of Authentication:
● Confirms who the user is.
● Examples: Logging in with a username/password, biometric scans, social login (Google, FB).
● Definition of Authorization:
● Defines what resources the user can access once authenticated.
● Examples: Access control lists (ACL), role-based access control (RBAC).
● Key Difference:
● Authentication verifies identity.
● Authorization sets permissions.
1/5/2025 Dr. Amjad AbuHassan 3
Introduction to Authentication
● What is Authentication?
● The process of verifying the identity of a user, device, or system.

● Ensures that the entity is who or what it claims to be.

● Why is it Important?
● Protects sensitive data, systems, and resources from unauthorized access.

● Builds trust in digital interactions.

● Example:
● Logging into an email account with a username and password.

1/5/2025 Dr. Amjad AbuHassan 4

Authentication Methods
● 1. Password-based Authentication: ● 2. Multi-factor Authentication (MFA):
● Users provide a secret password to verify ● Requires two or more verification factors
their identity. (e.g., password + SMS code).

● Pros: Simple and widely used. ● Pros: Adds an extra layer of security.

● Cons: Vulnerable to weak passwords, ● Cons: Can be inconvenient for users.

phishing, and brute force attacks. ● Example: Using Google Authenticator for
● Example: Logging into a social media logging into a bank account.
account.

1/5/2025 Dr. Amjad AbuHassan 5

Authentication Methods cont.
● 3. Biometric Authentication: ● 4. Token-based Authentication:
● Uses unique biological traits (e.g., ● Uses tokens (e.g., JWTs, OAuth) to verify
fingerprint, facial recognition). identity.

● Pros: Highly secure and user-friendly. ● Pros: Scalable and stateless.

● Cons: Expensive to implement and privacy ● Cons: Requires secure token storage.
concerns. ● Example: Logging into a web app using a
● Example: Unlocking a smartphone with a Google account.
fingerprint.

1/5/2025 Dr. Amjad AbuHassan 6

Challenges in Authentication
● Security Risks:
● Weak passwords, and phishing attacks.

● Example: Hackers using stolen credentials to access accounts.

● Solution: Enforce strong password policies and use MFA.

● User Experience:
● Balancing security with ease of use (e.g., avoiding complex password requirements).

● Example: Users may forget passwords if they are too complex.

● Solution: Implement passwordless authentication or biometrics.

1/5/2025 Dr. Amjad AbuHassan 7

Challenges in Authentication cont.
● Scalability:
● Managing authentication for millions of users in large systems.

● Example: A global e-commerce platform handling user logins.

● Solution: Use scalable authentication services like Auth0 or Okta.

● Emerging Threats:
● AI-powered attacks and deepfake-based impersonation.

● Example: Hackers using AI to mimic a user’s voice for authentication.

● Solution: Stay updated on security trends and use advanced authentication methods.

1/5/2025 Dr. Amjad AbuHassan 8

Introduction to Authorization
● What is Authorization?
● Granting or denying access to specific resources or actions based on user permissions

● Determines what an authenticated user can do.

● Why is it Important?
● Ensures users only access resources they are permitted to use.

● Prevents unauthorized actions (e.g., deleting files, accessing sensitive data).

● Example:
● An admin can delete user accounts, while a regular user can only view their profile.

1/5/2025 Dr. Amjad AbuHassan 9

Authentication vs. Authorization
● Authentication: ● Key Difference:
● Confirms "who you are." ● First Authentication, then authorization.

● Example: Logging into a bank account.

● Real-World Example:
● Authorization: ● A hotel guest is authenticated at check-in

● Determines "what you can do." (ID verification) and authorized to access
their room (key card).
● Example: Accessing account details or
making transactions.

1/5/2025 Dr. Amjad AbuHassan 10

Authorization Models
● 1. Role-Based Access Control (RBAC):
● Users are assigned roles (e.g., admin, editor, viewer) with specific permissions.

● Example: Admins can delete posts, while editors can only edit them.

● Pros: Simple and easy to manage.

● Cons: Inflexible for complex scenarios.

1/5/2025 Dr. Amjad AbuHassan 11

Authorization Models cont.
● 2. Attribute-Based Access Control (ABAC):
● Access is granted based on attributes (e.g., user department, time of day).

● Example: Only HR employees can access payroll data during work hours.

● Pros: Highly flexible and granular.

● Cons: Complex to implement and manage.

1/5/2025 Dr. Amjad AbuHassan 12

Authorization Models cont.
● 3. Policy-Based Access Control (PBAC):
● Uses policies to define access rules.

● Example: A policy might allow access only if the user is in a specific location.

● Pros: Combines the best of RBAC and ABAC.

● Cons: Requires advanced policy management tools.

1/5/2025 Dr. Amjad AbuHassan 13

Authentication Best Practices
● Use strong, unique passwords and enforce password policies.
● Implement multi-factor authentication (MFA).
● Regularly update and patch authentication systems.
● Monitor for suspicious login attempts.

1/5/2025 Dr. Amjad AbuHassan 14

Authorization Best Practices
● Follow the principle of least privilege (grant minimal necessary access).
● Use role-based or attribute-based access control.
● Regularly review and update permissions.
● Log and audit access to sensitive resources.
● Example: A bank reviewing employee access to customer data annually.

1/5/2025 Dr. Amjad AbuHassan 15

Tools and Technologies
● Authentication Tools:
● Auth0: A platform for managing user authentication.

● Okta: Provides identity and access management solutions.

● Firebase Authentication: A Google service for app authentication.

● Authorization Frameworks:
● OAuth 2.0: A protocol for delegated authorization.

● OpenID Connect: A layer on top of OAuth 2.0 for authentication.

● JWT (JSON Web Tokens): A compact way to securely transmit information.

1/5/2025 Dr. Amjad AbuHassan 16

Real-World Applications
● E-commerce: ● Banking:
● Authenticate users for secure transactions. ● Use MFA for added security.

● Authorize access to order history and ● Authorize transactions based on user roles.
payment details. ● Social Media:
● Healthcare: ● Authenticate users and authorize access to
● Authenticate doctors and patients. posts and messages.

● Authorize access to sensitive patient

records.

1/5/2025 Dr. Amjad AbuHassan 17

Emerging Trends
● Passwordless Authentication:
● Uses biometrics or magic links instead of passwords.

● Example: Logging into an app with a fingerprint or facial recognition.

● Zero Trust Architecture:

● Assumes no user or device is trusted by default.

● Example: Continuously verifying user identity and device security.

1/5/2025 Dr. Amjad AbuHassan 18

Emerging Trends cont.
● AI and Machine Learning:
● Detects anomalies and prevents unauthorized access.

● Example: Using AI to flag suspicious login attempts.

● Decentralized Identity:
● Users control their identity data using blockchain technology.

● Example: Storing identity information on a blockchain for secure access.

1/5/2025 Dr. Amjad AbuHassan 19

JSON Web Tokens (JWTs)

1/5/2025 Dr. Amjad AbuHassan 20

What is a JWT?
Header: {"alg": "HS256", "typ": "JWT"}

● Definition:
Payload: {"sub": "12345", "name": "John Doe", "role": "admin", "exp": 1735689600}
Signature: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

● A compact, URL-safe token format for securely transmitting information between parties.

● Commonly used for authentication and authorization in web applications.

● Structure:
● Header: Contains metadata (e.g., token type and signing algorithm).

● Payload: Contains claims (e.g., user ID, roles, expiration time).

● Signature: Ensures the token’s integrity (created using a secret key).

1/5/2025 Dr. Amjad AbuHassan 21

How JWTs Work
● User Login: The user provides credentials (e.g., username and password).
● Server Validation: The server verifies the credentials and generates a JWT.
● Token Issuance: The JWT is sent to the client and stored (e.g., in localStorage or
cookies).
● Token Usage: The client includes the JWT in the Authorization header of
subsequent requests.
● Server Verification: The server verifies the JWT’s signature and extracts the
payload to authorize the request.

1/5/2025 Dr. Amjad AbuHassan 22

Step-by-Step Flow
● Login Request:
● The user sends a POST request with their credentials:

{ "username": "john_doe", "password": "securepassword123" }

● Server Validation:
● The server verifies the credentials and generates a JWT:
{
"sub": "12345",
"name": "John Doe",
"role": "user",
"exp": 1735689600
}

1/5/2025 Dr. Amjad AbuHassan 23

Step-by-Step Flow cont.
{
● Token Issuance: "token":
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NSIsIm
5hbWUiOiJKb2huIERvZSIsInJvbGUiOiJ1c2VyIiwiZXhwIjoxNzM1Njg5Nj
● The server sends the JWT to the client: AwfQ.XbPfbIHMI6arZ3Y922BhjWgQzWXcXNrz0ogtVhfEd2o"
}
● Accessing Protected Resources:
● The client includes the JWT in the Authorization header:

● Server Verification: GET /api/protected-resource HTTP/1.1

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

● The server verifies the JWT’s signature and checks the payload for permissions.

● If valid, the server returns the requested resource.

1/5/2025 Dr. Amjad AbuHassan 24

Benefits of Using JWTs
● Stateless:
● The server doesn’t need to store session data, making it scalable.

● Compact:
● JWTs are small and can be easily transmitted via URLs, headers, or cookies.

● Secure:
● The signature ensures the token hasn’t been tampered with.

● Flexible:
● Can include custom claims (e.g., user roles, permissions).

1/5/2025 Dr. Amjad AbuHassan 25

Challenges and Best Practices
● Challenges:
● Token Expiry: JWTs must have an expiration time to prevent misuse.

● Token Storage: Storing JWTs securely on the client (e.g., HTTP-only cookies).

● Token Size: Large payloads can increase token size and overhead.

● Best Practices:
● Use short expiration times and refresh tokens for long-lived sessions.

● Encrypt sensitive data in the payload if necessary.

● Use strong signing algorithms (e.g., HS256 or RS256).

1/5/2025 Dr. Amjad AbuHassan 26

Tools and Libraries for JWTs
● Node.js:
● jsonwebtoken library for creating and verifying JWTs.

● Python:
● PyJWT library for working with JWTs.

● Java:
● jjwt library for JWT handling.

1/5/2025 Dr. Amjad AbuHassan 27

jsonwebtoken Setup and Installation
● Install the jsonwebtoken Library:
● Run the following command in your Node.js project:

npm install jsonwebtoken

● Import the Library:

1/5/2025 Dr. Amjad AbuHassan 28

Creating a JWT
● jwt.sign() creates a JWT with the
payload, secret key, and options.
● The payload contains user
information
(e.g., userId, username, role).
● The expiresIn option sets the Generated Token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMzQ1LCJ
1c2VybmFtZSI6ImpvaG5fZG9lIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNjI
token’s expiration time. 5NzQwMjIyLCJleHAiOjE2Mjk3NDM4MjJ9.XbPfbIHMI6arZ3Y922BhjWgQzW
XcXNrz0ogtVhfEd2o

1/5/2025 Dr. Amjad AbuHassan 29

Verifying a JWT
● jwt.verify() checks the token’s
validity and decodes it.
● If the token is invalid or
expired, an error is thrown.

Decoded Token: {
userId: 12345,
username: "john_doe",
role: "admin",
iat: 1629740222,
exp: 1629743822
}

1/5/2025 Dr. Amjad AbuHassan 30

Decoding a JWT (Without Verification)
● jwt.decode() extracts the payload
without verifying the token’s
signature.
● Use this only for debugging or
Decoded Token (Unverified): {
when verification is handled userId: 12345,
username: "john_doe",
elsewhere. role: "admin",
iat: 1629740222,
exp: 1629743822
}

1/5/2025 Dr. Amjad AbuHassan 31

Real-World Use Case

1/5/2025 Dr. Amjad AbuHassan 32