Part 07 - Authentication and Authorization Fundamentals
Part 07 - Authentication and Authorization Fundamentals
● Why is it Important?
● Protects sensitive data, systems, and resources from unauthorized access.
● Example:
● Logging into an email account with a username and password.
● Pros: Simple and widely used. ● Pros: Adds an extra layer of security.
● Cons: Expensive to implement and privacy ● Cons: Requires secure token storage.
concerns. ● Example: Logging into a web app using a
● Example: Unlocking a smartphone with a Google account.
fingerprint.
● User Experience:
● Balancing security with ease of use (e.g., avoiding complex password requirements).
● Emerging Threats:
● AI-powered attacks and deepfake-based impersonation.
● Solution: Stay updated on security trends and use advanced authentication methods.
● Why is it Important?
● Ensures users only access resources they are permitted to use.
● Example:
● An admin can delete user accounts, while a regular user can only view their profile.
● Determines "what you can do." (ID verification) and authorized to access
their room (key card).
● Example: Accessing account details or
making transactions.
● Example: Admins can delete posts, while editors can only edit them.
● Example: Only HR employees can access payroll data during work hours.
● Example: A policy might allow access only if the user is in a specific location.
● Authorization Frameworks:
● OAuth 2.0: A protocol for delegated authorization.
● Authorize access to order history and ● Authorize transactions based on user roles.
payment details. ● Social Media:
● Healthcare: ● Authenticate users and authorize access to
● Authenticate doctors and patients. posts and messages.
● Decentralized Identity:
● Users control their identity data using blockchain technology.
● Definition:
Payload: {"sub": "12345", "name": "John Doe", "role": "admin", "exp": 1735689600}
Signature: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
● A compact, URL-safe token format for securely transmitting information between parties.
● Structure:
● Header: Contains metadata (e.g., token type and signing algorithm).
● Server Validation:
● The server verifies the credentials and generates a JWT:
{
"sub": "12345",
"name": "John Doe",
"role": "user",
"exp": 1735689600
}
● The server verifies the JWT’s signature and checks the payload for permissions.
● Compact:
● JWTs are small and can be easily transmitted via URLs, headers, or cookies.
● Secure:
● The signature ensures the token hasn’t been tampered with.
● Flexible:
● Can include custom claims (e.g., user roles, permissions).
● Token Storage: Storing JWTs securely on the client (e.g., HTTP-only cookies).
● Token Size: Large payloads can increase token size and overhead.
● Best Practices:
● Use short expiration times and refresh tokens for long-lived sessions.
● Python:
● PyJWT library for working with JWTs.
● Java:
● jjwt library for JWT handling.
Decoded Token: {
userId: 12345,
username: "john_doe",
role: "admin",
iat: 1629740222,
exp: 1629743822
}