auth_architecture_research.md

awesome-authentication

This is compilation of research on authentication using JWT

Fundamentals You Must Know

Cryptography

• Assymetric Cryptography
• Digital Signatures : Verifying authenticity of message
• Forward Secrecy : A way to protect against future compromises of private key
• Encryption vs Signing
• Encryption vs Encoding
• Hashing vs Encoding cs Encryption vs Obfuscation

About Tokens

• JWT
• JWT vs Opaque tokens

About Frameworks

• OAuth2.0 - authorization framework to enable third-party application obtain limited access to HTTP service
• OpenIDConnect - authentication on top of OAuth2.0

Web-Security Recommendations

• Authentication cheatsheet by OWASP
• PKCE - Proof Key for Code Exchange by OAuth Public Clients
• The OAuth 2.0 Authorization Framework: Bearer Token Usage

Secure Key Exchange In Public

• Diffie Hellman Key Exchange
• An SO answer to build more understanding around DH algo, signatures, forward secrecy, etc.
• Diffie-Hellman key exchange implementation in node.js

Maintaining Forward Secrecy

• Double Rachet Algo
• Signal protocol specs & implemtation lib in js

Invalidating JWT

• Strategies to invalidate jwt - SO Q&A

• Simply remove the token from the client
• Create a token blacklist
• Just keep token expiry times short and rotate them often
• Contingency Plans : allow the user to change an underlying user lookup ID with their login credentials

A common approach for invalidating tokens when a user changes their password is to sign the token with a hash of their password. Thus if the password changes, any previous tokens automatically fail to verify. You can extend this to logout by including a last-logout-time in the user's record and using a combination of the last-logout-time and password hash to sign the token. This requires a DB lookup each time you need to verify the token signature, but presumably you're looking up the user anyway.

• Discussion: Is refreshing an expired JWT token a good strategy?

Securtity Risks

• JWT attack - signature as MAC
• Recreating JWT validation bypass
• 3 JWT design flaws

Implementations(Examples/Demos)

• Demo: How Docusign APIs auth workflow using JWT access token and refresh tokens
• JWT Authentication & Authorization in NodeJs/Express & MongoDB REST APIs(2019)
• JWT+Passport
• JWT+Passport : Code
• JWT+Passport : Guide on DO
• Passport-jwt
• Refreshing token using node-jsonwebtoken
• oAuth2 server with node.js
• oAuth libraries for node.js
• Inspiration: Read Firefox Accounts Code- All services including autyh-server, profile-server Documentation
• oAuth2 server toolkit for node.js
• OAuth2 Server and OpenID Connect Provider written in Go - sdk in all languages
• JavaScript client SDK to communicate with OAuth 2.0 and OpenID Connect providers
• AuthZ lib supports ACL, RBAC, ABAC in Node.js
• Google OpenIDConnect authentication

Useful Tools

• Encode or Decode JWTs