DEV Community

Authorization and Authentication For Everyone

Kim Maida on July 19, 2020

Authentication and authorization are necessary for many of the applications we build. Maybe you've developed apps and implemented authentication an...

Rodrigo Machuca

Thank you for sharing this outstanding, interesting and well-written article, and just timely for my particular needs. Keep it up!

Kim Maida

Thanks, Rodrigo, and you’re welcome! I hope it helps you with what you’re working on!

K

Thanks for that article, cleared some things up!

But I also have a question: The docs talk about storing subscription plan data in the user's metadata, but don't go into detail about how. Would I use a rule or a hook for this? Also, what is the difference?

Kim Maida • Edited

In a very general sense, I would recommend rules for adding the user metadata to your ID and/or access tokens (depending on the use case), but without knowing more details, I'm not able to detail a flow for you.

I strongly recommend that you ask this question in the Auth0 Community forum and provide details there such as:

  • What's the source of the subscription plan data? (E.g., a database?)
  • What's the purpose of the data? (E.g., to simply display in the client? To be able to change the plan? To control access based on the plan?)
  • What's your application architecture? (E.g., your API? third party APIs? Backend app? JS app running in the browser? etc.)

The folks at Auth0 should then be able to help you determine the correct flow to get all your data securely where it needs to go.

Abel Lifaefi Mbula

Thank you for your post. It is well written and easy to digest for everyone (I think).

I really appreciate your diagrams. Can you tell me how you create them, please?

What would be your advice for modern developers: should they just forget about or abandon OAuth 2.0 and stick to OIDC?

kasaragaddaanilkumar

As you mentioned these 2 points as problems with using access tokens for authentication:

  1. Someone could have stolen the access token from a different user
  2. The access token could have been obtained from another client (not HireMe123) and injected into HireMe123

How are they being solved in OpenID Connect?
Even in OpenID Connect, what if I stole a JWT token and presented it to the authorization server? It would still work, right? It is the same for point 2 as well, right?

Phil

If a token is stolen it can be used by someone else. Just like if a cookie is stolen it too can be used by someone else. It is up to the developer to make sure their application is secure against attacks.

Kim Maida

OIDC addresses this by using something called a nonce, which is explained in the section on authentication claims. A nonce provides a way for a client to know that the token it receives is the one being returned from the exact authorization request that was issued.

harkinj

Great article.
Two small questions:
"The client application then decodes the ID token (which is a JWT) and verifies it. This includes validating the signature" - to do this, must the client app have the public key of the issuer installed? Does the client also need to communicate/interface with the auth server at the point of verification/validation?
Thanks for your time.

Kim Maida

Hello, thanks for your questions!

1) Yes, the client app must have access to the decryption key in order to validate the signature; otherwise, it won't be able to decrypt the signature to see its contents. If asymmetric key cryptography is being used, then it will be a public key; if symmetric, there is only one key, and that same key must be kept private on both the client and authorization server (not recommended).

2) No, the client does not need to communicate with the auth server during validation. It should already have the key, and everything else it needs to perform validation is contained within the JWT itself.

It's strongly recommended that you not implement validation manually, but rather, that you use an SDK or library. If you'd like to learn a lot more about this, I also wrote Signing and Validating JSON Web Tokens (JWT) for Everyone.

Sigonz

That was awesome!

Kim Maida

Thank you for the kind words, and thank you for reading!

John Cerpa

Thanks for the info

Nicolas-DW

Really helpful and crystal clear!
Thanks a lot.

silvesterwali

Keep it up... thanks for sharing, good one.

Eng Soon Cheah

When using the iPhone (Safari) for authentication, I always get error 401 Unauthorized for Windows Identity. Any idea how to solve this?

Masood Mohammad

This is insightful. Thank you for sharing this with us.

Gopal Amlekar • Edited

This is a great article. You explained this complicated stuff step by step and that was very useful. Thanks!
By the way, the animations are nice!

Shaiju T

Is this still relevant? Or are there any newer versions of OAuth?

rhymes

Nicely written!

Davide Barranca

Looking forward to the next parts! Thanks for sharing such detailed yet accessible information.

Abdelkrim

I really enjoyed reading this crash course; a lot of concepts were demystified gracefully.
Thanks a lot.

Carver

Thank you for sharing this wonderful write up. It gave a lot of insight.

Carlos Moreira

Excellent article, I wish I had read it before. Not long ago I was struggling to solve an IdentityServer (.NET Core) problem with zero knowledge about OpenID Connect.
For sure I will share.