0% found this document useful (0 votes)
11 views32 pages

Part 07 - Authentication and Authorization Fundamentals

The document provides an overview of authentication and authorization fundamentals, defining authentication as the process of verifying user identity and authorization as determining user access to resources. It discusses various authentication methods, their pros and cons, challenges in authentication, and best practices for both authentication and authorization. Additionally, it covers tools and technologies like JWTs, their structure, usage, benefits, challenges, and real-world applications.

Uploaded by

3sfr3sfr
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
11 views32 pages

Part 07 - Authentication and Authorization Fundamentals

The document provides an overview of authentication and authorization fundamentals, defining authentication as the process of verifying user identity and authorization as determining user access to resources. It discusses various authentication methods, their pros and cons, challenges in authentication, and best practices for both authentication and authorization. Additionally, it covers tools and technologies like JWTs, their structure, usage, benefits, challenges, and real-world applications.

Uploaded by

3sfr3sfr
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 32

Advanced Web Programming

Part 07 – Authentication and


Authorization Fundamentals
Dr. Amjad AbuHassan

1/5/2025 Dr. Amjad AbuHassan 1


Understanding Authentication
and Authorization

1/5/2025 Dr. Amjad AbuHassan 2


Authentication and Authorization
● Definition of Authentication:
● Confirms who the user is.
● Examples: Logging in with a username/password, biometric scans, social login (Google, FB).
● Definition of Authorization:
● Defines what resources the user can access once authenticated.
● Examples: Access control lists (ACL), role-based access control (RBAC).
● Key Difference:
● Authentication verifies identity.
● Authorization sets permissions.
1/5/2025 Dr. Amjad AbuHassan 3
Introduction to Authentication
● What is Authentication?
● The process of verifying the identity of a user, device, or system.

● Ensures that the entity is who or what it claims to be.

● Why is it Important?
● Protects sensitive data, systems, and resources from unauthorized access.

● Builds trust in digital interactions.

● Example:
● Logging into an email account with a username and password.

1/5/2025 Dr. Amjad AbuHassan 4


Authentication Methods
● 1. Password-based Authentication: ● 2. Multi-factor Authentication (MFA):
● Users provide a secret password to verify ● Requires two or more verification factors
their identity. (e.g., password + SMS code).

● Pros: Simple and widely used. ● Pros: Adds an extra layer of security.

● Cons: Vulnerable to weak passwords, ● Cons: Can be inconvenient for users.


phishing, and brute force attacks. ● Example: Using Google Authenticator for
● Example: Logging into a social media logging into a bank account.
account.

1/5/2025 Dr. Amjad AbuHassan 5


Authentication Methods cont.
● 3. Biometric Authentication: ● 4. Token-based Authentication:
● Uses unique biological traits (e.g., ● Uses tokens (e.g., JWTs, OAuth) to verify
fingerprint, facial recognition). identity.

● Pros: Highly secure and user-friendly. ● Pros: Scalable and stateless.

● Cons: Expensive to implement and privacy ● Cons: Requires secure token storage.
concerns. ● Example: Logging into a web app using a
● Example: Unlocking a smartphone with a Google account.
fingerprint.

1/5/2025 Dr. Amjad AbuHassan 6


Challenges in Authentication
● Security Risks:
● Weak passwords, and phishing attacks.

● Example: Hackers using stolen credentials to access accounts.

● Solution: Enforce strong password policies and use MFA.

● User Experience:
● Balancing security with ease of use (e.g., avoiding complex password requirements).

● Example: Users may forget passwords if they are too complex.

● Solution: Implement passwordless authentication or biometrics.

1/5/2025 Dr. Amjad AbuHassan 7


Challenges in Authentication cont.
● Scalability:
● Managing authentication for millions of users in large systems.

● Example: A global e-commerce platform handling user logins.

● Solution: Use scalable authentication services like Auth0 or Okta.

● Emerging Threats:
● AI-powered attacks and deepfake-based impersonation.

● Example: Hackers using AI to mimic a user’s voice for authentication.

● Solution: Stay updated on security trends and use advanced authentication methods.

1/5/2025 Dr. Amjad AbuHassan 8


Introduction to Authorization
● What is Authorization?
● Granting or denying access to specific resources or actions based on user permissions

● Determines what an authenticated user can do.

● Why is it Important?
● Ensures users only access resources they are permitted to use.

● Prevents unauthorized actions (e.g., deleting files, accessing sensitive data).

● Example:
● An admin can delete user accounts, while a regular user can only view their profile.

1/5/2025 Dr. Amjad AbuHassan 9


Authentication vs. Authorization
● Authentication: ● Key Difference:
● Confirms "who you are." ● First Authentication, then authorization.

● Example: Logging into a bank account.


● Real-World Example:
● Authorization: ● A hotel guest is authenticated at check-in

● Determines "what you can do." (ID verification) and authorized to access
their room (key card).
● Example: Accessing account details or
making transactions.

1/5/2025 Dr. Amjad AbuHassan 10


Authorization Models
● 1. Role-Based Access Control (RBAC):
● Users are assigned roles (e.g., admin, editor, viewer) with specific permissions.

● Example: Admins can delete posts, while editors can only edit them.

● Pros: Simple and easy to manage.

● Cons: Inflexible for complex scenarios.

1/5/2025 Dr. Amjad AbuHassan 11


Authorization Models cont.
● 2. Attribute-Based Access Control (ABAC):
● Access is granted based on attributes (e.g., user department, time of day).

● Example: Only HR employees can access payroll data during work hours.

● Pros: Highly flexible and granular.

● Cons: Complex to implement and manage.

1/5/2025 Dr. Amjad AbuHassan 12


Authorization Models cont.
● 3. Policy-Based Access Control (PBAC):
● Uses policies to define access rules.

● Example: A policy might allow access only if the user is in a specific location.

● Pros: Combines the best of RBAC and ABAC.

● Cons: Requires advanced policy management tools.

1/5/2025 Dr. Amjad AbuHassan 13


Authentication Best Practices
● Use strong, unique passwords and enforce password policies.
● Implement multi-factor authentication (MFA).
● Regularly update and patch authentication systems.
● Monitor for suspicious login attempts.

1/5/2025 Dr. Amjad AbuHassan 14


Authorization Best Practices
● Follow the principle of least privilege (grant minimal necessary access).
● Use role-based or attribute-based access control.
● Regularly review and update permissions.
● Log and audit access to sensitive resources.
● Example: A bank reviewing employee access to customer data annually.

1/5/2025 Dr. Amjad AbuHassan 15


Tools and Technologies
● Authentication Tools:
● Auth0: A platform for managing user authentication.

● Okta: Provides identity and access management solutions.

● Firebase Authentication: A Google service for app authentication.

● Authorization Frameworks:
● OAuth 2.0: A protocol for delegated authorization.

● OpenID Connect: A layer on top of OAuth 2.0 for authentication.

● JWT (JSON Web Tokens): A compact way to securely transmit information.

1/5/2025 Dr. Amjad AbuHassan 16


Real-World Applications
● E-commerce: ● Banking:
● Authenticate users for secure transactions. ● Use MFA for added security.

● Authorize access to order history and ● Authorize transactions based on user roles.
payment details. ● Social Media:
● Healthcare: ● Authenticate users and authorize access to
● Authenticate doctors and patients. posts and messages.

● Authorize access to sensitive patient


records.

1/5/2025 Dr. Amjad AbuHassan 17


Emerging Trends
● Passwordless Authentication:
● Uses biometrics or magic links instead of passwords.

● Example: Logging into an app with a fingerprint or facial recognition.

● Zero Trust Architecture:


● Assumes no user or device is trusted by default.

● Example: Continuously verifying user identity and device security.

1/5/2025 Dr. Amjad AbuHassan 18


Emerging Trends cont.
● AI and Machine Learning:
● Detects anomalies and prevents unauthorized access.

● Example: Using AI to flag suspicious login attempts.

● Decentralized Identity:
● Users control their identity data using blockchain technology.

● Example: Storing identity information on a blockchain for secure access.

1/5/2025 Dr. Amjad AbuHassan 19


JSON Web Tokens (JWTs)

1/5/2025 Dr. Amjad AbuHassan 20


What is a JWT?
Header: {"alg": "HS256", "typ": "JWT"}

● Definition:
Payload: {"sub": "12345", "name": "John Doe", "role": "admin", "exp": 1735689600}
Signature: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

● A compact, URL-safe token format for securely transmitting information between parties.

● Commonly used for authentication and authorization in web applications.

● Structure:
● Header: Contains metadata (e.g., token type and signing algorithm).

● Payload: Contains claims (e.g., user ID, roles, expiration time).

● Signature: Ensures the token’s integrity (created using a secret key).

1/5/2025 Dr. Amjad AbuHassan 21


How JWTs Work
● User Login: The user provides credentials (e.g., username and password).
● Server Validation: The server verifies the credentials and generates a JWT.
● Token Issuance: The JWT is sent to the client and stored (e.g., in localStorage or
cookies).
● Token Usage: The client includes the JWT in the Authorization header of
subsequent requests.
● Server Verification: The server verifies the JWT’s signature and extracts the
payload to authorize the request.

1/5/2025 Dr. Amjad AbuHassan 22


Step-by-Step Flow
● Login Request:
● The user sends a POST request with their credentials:

{ "username": "john_doe", "password": "securepassword123" }

● Server Validation:
● The server verifies the credentials and generates a JWT:
{
"sub": "12345",
"name": "John Doe",
"role": "user",
"exp": 1735689600
}

1/5/2025 Dr. Amjad AbuHassan 23


Step-by-Step Flow cont.
{
● Token Issuance: "token":
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NSIsIm
5hbWUiOiJKb2huIERvZSIsInJvbGUiOiJ1c2VyIiwiZXhwIjoxNzM1Njg5Nj
● The server sends the JWT to the client: AwfQ.XbPfbIHMI6arZ3Y922BhjWgQzWXcXNrz0ogtVhfEd2o"
}
● Accessing Protected Resources:
● The client includes the JWT in the Authorization header:

● Server Verification: GET /api/protected-resource HTTP/1.1


Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

● The server verifies the JWT’s signature and checks the payload for permissions.

● If valid, the server returns the requested resource.

1/5/2025 Dr. Amjad AbuHassan 24


Benefits of Using JWTs
● Stateless:
● The server doesn’t need to store session data, making it scalable.

● Compact:
● JWTs are small and can be easily transmitted via URLs, headers, or cookies.

● Secure:
● The signature ensures the token hasn’t been tampered with.

● Flexible:
● Can include custom claims (e.g., user roles, permissions).

1/5/2025 Dr. Amjad AbuHassan 25


Challenges and Best Practices
● Challenges:
● Token Expiry: JWTs must have an expiration time to prevent misuse.

● Token Storage: Storing JWTs securely on the client (e.g., HTTP-only cookies).

● Token Size: Large payloads can increase token size and overhead.

● Best Practices:
● Use short expiration times and refresh tokens for long-lived sessions.

● Encrypt sensitive data in the payload if necessary.

● Use strong signing algorithms (e.g., HS256 or RS256).

1/5/2025 Dr. Amjad AbuHassan 26


Tools and Libraries for JWTs
● Node.js:
● jsonwebtoken library for creating and verifying JWTs.

● Python:
● PyJWT library for working with JWTs.

● Java:
● jjwt library for JWT handling.

1/5/2025 Dr. Amjad AbuHassan 27


jsonwebtoken Setup and Installation
● Install the jsonwebtoken Library:
● Run the following command in your Node.js project:

npm install jsonwebtoken

● Import the Library:

1/5/2025 Dr. Amjad AbuHassan 28


Creating a JWT
● jwt.sign() creates a JWT with the
payload, secret key, and options.
● The payload contains user
information
(e.g., userId, username, role).
● The expiresIn option sets the Generated Token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMzQ1LCJ
1c2VybmFtZSI6ImpvaG5fZG9lIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNjI
token’s expiration time. 5NzQwMjIyLCJleHAiOjE2Mjk3NDM4MjJ9.XbPfbIHMI6arZ3Y922BhjWgQzW
XcXNrz0ogtVhfEd2o

1/5/2025 Dr. Amjad AbuHassan 29


Verifying a JWT
● jwt.verify() checks the token’s
validity and decodes it.
● If the token is invalid or
expired, an error is thrown.

Decoded Token: {
userId: 12345,
username: "john_doe",
role: "admin",
iat: 1629740222,
exp: 1629743822
}

1/5/2025 Dr. Amjad AbuHassan 30


Decoding a JWT (Without Verification)
● jwt.decode() extracts the payload
without verifying the token’s
signature.
● Use this only for debugging or
Decoded Token (Unverified): {
when verification is handled userId: 12345,
username: "john_doe",
elsewhere. role: "admin",
iat: 1629740222,
exp: 1629743822
}

1/5/2025 Dr. Amjad AbuHassan 31


Real-World Use Case

1/5/2025 Dr. Amjad AbuHassan 32

You might also like