OAuth 2 and JWT-How to design a secure API?

Translated by Moakap; original article: OAuth 2 VS JSON Web Tokens: how to secure an API

This article describes two common ways to secure an API: OAuth2 and JSON Web Tokens (JWT).

Assume:

    • You have, or are implementing, an API;
    • You are choosing an appropriate method to secure that API.

How does JWT compare with OAuth2?

Want to compare JWT and OAuth2? The first thing to understand is that these two are not comparable at all and are two completely different things.

    • JWT is an authentication protocol
      JWT defines a strict way to issue access tokens and to validate a signed access token. The token itself carries a set of claims that an application can use to restrict access to resources.

    • OAuth2 is an authorization framework
      OAuth2, on the other hand, is an authorization framework: it provides a detailed set of authorization mechanisms (guidance) by which a user or application can authorize a third-party application to access specific resources, through public or private settings.

Since JWT and OAuth2 are not comparable, why put them together at all? In practice many people do compare JWT with OAuth2, and pairing them in a title is misleading. In many OAuth2 implementations, a JSON Web Token is used as the token mechanism. That is why the two so often appear together.

Let's figure out what JWT and OAuth2 are all about.

JSON Web Token (JWT)

The JWT is defined in the standard:

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature (JWS).
- RFC 7519, https://tools.ietf.org/html/rfc7519

JWT is a security standard. The basic idea is that the user submits a user name and password to the authentication server, which verifies them; if verification succeeds, the server generates and returns a token that the user then presents to access protected resources on the server.

An example of a token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

A token consists of three parts:

Header.claims.signature

So that the token can be used safely in URLs, each part is base64url-encoded.

Header

The header simply declares the token type (JWT) and the algorithm used to produce the signature. For the sample token above the algorithm is HMAC-SHA256, identified in JWS as HS256:

    {
      "alg": "HS256",
      "typ": "JWT"
    }
Claims

The claims section is the core of the token and carries the user details to be transmitted. In some cases authentication is performed on one server and resources are accessed on another, or a separate interface generates the token, which is then kept by the client application (such as a browser).
An example of a simple set of claims:

    {
      "sub": "1234567890",
      "name": "John Doe",
      "admin": true
    }
Signature

The purpose of the signature is to ensure that the header and the claims have not been tampered with. If someone Base64-decodes the token, modifies it and re-encodes it, the signature no longer matches. Typically a secret key is used, together with the algorithm named in the header, to compute the signature over the header and the claims, so that only the original header and claims match the signature.

Here is an important implementation detail. Only an application that holds the secret key (such as a server-side application) can fully verify that the claims in a token are legitimate. Therefore, never put the secret key on the client (such as a browser).
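The following Python program is an added example, not code from the original article or from any of the libraries it links to. Using only the standard library, it shows the three parts of a token in practice: it decodes the sample token above (revealing the HS256 header), issues an HS256 token over constructed claims with a constructed demo key (`DEMO_KEY`, an assumption for this demo only), and verifies it by pinning the algorithm to the one the server expects, comparing the HMAC in constant time and checking `exp`. `tamper_demo` re-encodes the claims of an honest token with `admin` flipped while keeping the old signature, so the verifier rejects it, which is exactly the guarantee the signature section describes.

```python
import base64
import hashlib
import hmac
import json
import time

# Sample token copied from the article above (three base64url segments joined by dots).
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9."
    "TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ"
)

# Constructed demo key. A real key is a random secret of at least 256 bits that
# lives only on the server that issues and verifies tokens.
DEMO_KEY = b"demo-signing-key-do-not-use-in-production"


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, as the JWS compact serialization requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore the stripped padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified(token: str):
    """Split header.claims.signature and decode the two JSON parts. The signature is
    NOT checked here, so this result must never be used to make an access decision."""
    header_b64, claims_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(claims_b64))


def _hs256(signing_input: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 over 'header.claims', which is what alg HS256 means."""
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def _compact(obj) -> str:
    """JSON without whitespace, then base64url, as in the compact serialization."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def encode_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256 token: base64url(header).base64url(claims).base64url(signature)."""
    signing_input = _compact({"alg": "HS256", "typ": "JWT"}) + "." + _compact(claims)
    return signing_input + "." + b64url_encode(_hs256(signing_input.encode(), key))


def verify_jwt(token: str, key: bytes, now=None) -> dict:
    """Return the claims only if the algorithm is the expected one, the signature
    matches and the token has not expired; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: trust the server's configuration, never the token's header.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = _hs256(f"{header_b64}.{claims_b64}".encode(), key)
    # Constant-time comparison so a forger learns nothing from response timing.
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims


def check_token(token: str, key: bytes, now=None) -> str:
    """Convenience wrapper for demos: 'ok' or the reason the token was rejected."""
    try:
        verify_jwt(token, key, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def tamper_demo(key: bytes, now: int) -> str:
    """Re-encode the claims of an honest token with admin flipped to true while keeping
    the original signature. The signature no longer covers the new claims, so it fails."""
    honest = encode_jwt({"sub": "42", "admin": False, "exp": now + 600}, key)
    header_b64, _old_claims, signature_b64 = honest.split(".")
    forged_claims = _compact({"sub": "42", "admin": True, "exp": now + 600})
    return check_token(f"{header_b64}.{forged_claims}.{signature_b64}", key, now)


if __name__ == "__main__":
    print(decode_unverified(SAMPLE_TOKEN))
    token = encode_jwt({"sub": "1234567890", "name": "John Doe", "exp": int(time.time()) + 600}, DEMO_KEY)
    print(token, check_token(token, DEMO_KEY))
    print("tampered token:", tamper_demo(DEMO_KEY, int(time.time())))
```

`decode_unverified` exists only for inspection; every access decision goes through `verify_jwt`, which is the server-side step that needs the secret key and is therefore the step that can never run in the browser.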

What is OAuth2?

By contrast, OAuth2 is not a strict protocol but an authorization framework. It describes in detail the different roles in the system (users, service front-ends such as APIs, and clients such as a web site or mobile app) and how they authenticate to one another.

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
- RFC 6749, https://tools.ietf.org/html/rfc6749

Here is a brief talk about the basic concepts involved.

Roles

An application or a user can take any of the following roles:

    • Resource owner
    • Resource server
    • Client application
    • Authorization server

Client types

The client here is the consumer of the API. It can be one of two types:

    • Confidential
    • Public

Client profiles

The OAuth2 framework also defines a set of client profiles that describe the kind of application:

    • Web application
    • User-agent-based application
    • Native application

Authorization grants

An authorization grant represents the permissions a resource owner gives to a client application. It can take one of the following forms:

    • Authorization code
    • Implicit
    • Resource owner password credentials
    • Client credentials

Endpoints

The OAuth2 framework requires the following endpoints:

    • Authorization endpoint
    • Token endpoint
    • Redirection endpoint

From above it should be seen that OAuth2 defines a fairly complex set of specifications.
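To make the roles, grant types and endpoints concrete, here is an added Python simulation of the authorization code grant (example code written for this page, not part of the OAuth2 specification or of any library). The client id, client secret and redirect URI are constructed demo values. Three in-process objects play the roles: `AuthorizationServer` hosts the authorization and token endpoints, `ResourceServer` serves the protected profile, and `run_flow` is the client application, including the callback at its redirection endpoint. The code also shows the checks the framework leaves to implementers: exact redirect URI matching, a `state` value bound to the session, client authentication at the token endpoint, and single-use, short-lived codes.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo registration. Real values come from the provider's developer console.
CLIENT_ID = "demo-web-app"
CLIENT_SECRET = "demo-client-secret"  # confidential client: the secret stays on the app's server
REDIRECT_URI = "https://app.example/callback"
CODE_LIFETIME = 60  # seconds; authorization codes are meant to be short-lived


class AuthorizationServer:
    """Authorization server role: hosts the authorization endpoint and the token endpoint."""

    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}    # code -> grant details, removed when redeemed
        self.tokens = {}   # access token -> (resource owner, scope)

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorization_endpoint(self, client_id, redirect_uri, scope, state, owner, approved, now=None):
        """The resource owner is asked to approve the request. On approval a one-time code
        is delivered to the registered redirect URI together with the client's state value."""
        registered = self.clients.get(client_id)
        if registered is None or registered[1] != redirect_uri:
            # Never redirect to an unregistered URI: that would hand the code to someone else's site.
            raise ValueError("unknown client or redirect_uri mismatch")
        if not approved:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "owner": owner,
                            "scope": scope, "expires": (now or time.time()) + CODE_LIFETIME}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token_endpoint(self, client_id, client_secret, code, redirect_uri, now=None):
        """Exchange the code for an access token. The client authenticates with its secret,
        the code must belong to this client and redirect URI, and it is valid exactly once."""
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            raise ValueError("invalid_client")
        grant = self.codes.pop(code, None)  # pop makes the code single-use
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or grant["expires"] < (now or time.time())):
            raise ValueError("invalid_grant")
        token = secrets.token_urlsafe(32)  # opaque bearer token; a JWT could be issued here instead
        self.tokens[token] = (grant["owner"], grant["scope"])
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600, "scope": grant["scope"]}


class ResourceServer:
    """Resource server role: serves protected data to holders of a valid bearer token."""

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def get_profile(self, bearer_token):
        owner, scope = self.auth_server.tokens.get(bearer_token, (None, ""))
        if owner is None or "profile" not in scope.split():
            raise PermissionError("invalid token or insufficient scope")
        return {"owner": owner, "scope": scope}


def run_flow(auth_server, resource_server, owner="alice", approved=True):
    """Client application role: start the flow, handle the redirect, exchange the code,
    then call the API. Returns the profile and the code that was redeemed."""
    state = secrets.token_urlsafe(16)  # ties the callback to this session (CSRF protection)
    redirect = auth_server.authorization_endpoint(CLIENT_ID, REDIRECT_URI, "profile", state, owner, approved)
    params = {k: v[0] for k, v in parse_qs(urlsplit(redirect).query).items()}
    if params.get("state") != state:
        raise ValueError("state mismatch: callback was not started by this session")
    if "error" in params:
        raise PermissionError(params["error"])
    issued = auth_server.token_endpoint(CLIENT_ID, CLIENT_SECRET, params["code"], REDIRECT_URI)
    return {"profile": resource_server.get_profile(issued["access_token"]), "code": params["code"]}


def redeem_again(auth_server, code):
    """Try to redeem a code a second time; returns the token endpoint's error string."""
    try:
        auth_server.token_endpoint(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)
        return "ok"
    except ValueError as exc:
        return str(exc)


def denied_flow(auth_server, resource_server):
    """Run the flow with the resource owner declining; returns the error the client sees."""
    try:
        run_flow(auth_server, resource_server, approved=False)
        return "ok"
    except PermissionError as exc:
        return str(exc)


def build_demo():
    auth_server = AuthorizationServer()
    auth_server.register_client(CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
    return auth_server, ResourceServer(auth_server)
```

In a real deployment each role runs on its own host and the redirect is carried by the browser; the simulation keeps every message in one process so the order of the exchange, and which side performs which check, is easy to follow.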

Protect user passwords with HTTPS

Before going further into implementing OAuth2 and JWT, it must be said that both approaches require TLS (SSL), that is, encryption of the data in transit.

Transmitting the private information a user provides securely is necessary in any secure system. Otherwise anyone who can observe the network traffic, for example on a shared Wi-Fi network, can capture the user name and password when the user logs in.

Some important implementation considerations

Before you make your choice, refer to the points that are mentioned below.

Time to invest

OAuth2 is a security framework that covers authorization across many applications and scenarios. There is a huge amount of material to learn and it takes a long time to understand fully; even experienced engineers need about a month to understand OAuth2 in depth. That is a significant investment of time.

On the contrary, JWT is a relatively lightweight concept. It may take a day to study the standard specification in depth, and it is easy to get started with concrete implementation.

Risk of errors

Unlike JWT, OAuth2 is not a strict standard protocol, which makes it more prone to error during implementation. Although many libraries exist, their maturity varies and it is easy to introduce mistakes; security holes are also regularly found in common libraries.

Of course, with a fairly mature, strong development team to implement and maintain OAuth2 over time, these risks can largely be avoided.

Benefits of Social Login

In many cases, it is convenient to use a user's existing account on a large social networking site to authenticate.

If you expect your users to be able to use accounts such as Facebook or Gmail directly, it's much easier to use an existing library.

Conclusion

Before concluding, let's start by listing the main usage scenarios for JWT and OAuth2.

JWT: stateless, distributed APIs

The main advantage of JWT is that it handles user sessions in an application in a stateless, scalable way. The server obtains the user's session information from the claims embedded in the token, without consulting a user or session database. This is useful in a distributed, service-oriented architecture.

However, if the system needs a blacklist to implement long-lived tokens with a refresh mechanism, this stateless advantage is largely lost.

Advantages

    • Rapid development
    • No cookies required
    • JSON is widely used on mobile platforms
    • No dependence on social login
    • Relatively simple concepts to understand

Limitations

    • Tokens have a length limit
    • Tokens cannot be revoked
    • Tokens must carry an expiry time (exp)
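The blacklist trade-off noted above, as an added Python example (not from the original article). It assumes the server has already verified the token's signature and passes the decoded claims in, and it assumes tokens carry a unique `jti` claim so that an individual token can be named. Revoking forces the server back to shared state, which is the point the limitations make; bounding each entry by the token's `exp` keeps that state small, and a token without `jti` and `exp` simply cannot be revoked.

```python
import time


class RevocationList:
    """Server-side denylist of revoked token ids. Because the verifier already rejects
    expired tokens, an entry only needs to live until that token's exp has passed."""

    def __init__(self):
        self._revoked = {}  # jti -> exp

    def revoke(self, claims):
        # Without a unique id (jti) there is nothing to list, and without exp
        # the list would grow forever.
        if "jti" not in claims or "exp" not in claims:
            raise ValueError("token cannot be revoked: it carries no jti/exp claims")
        self._revoked[claims["jti"]] = int(claims["exp"])

    def prune(self, now):
        """Drop entries whose token has expired anyway."""
        self._revoked = {jti: exp for jti, exp in self._revoked.items() if exp > now}

    def is_revoked(self, claims, now=None):
        now = int(time.time()) if now is None else now
        self.prune(now)
        return claims.get("jti") in self._revoked

    def __len__(self):
        return len(self._revoked)


def authorize(claims, revocations, now):
    """Decision for claims whose signature was already verified: 'expired', 'revoked' or 'ok'."""
    if "exp" in claims and now >= int(claims["exp"]):
        return "expired"
    if revocations.is_revoked(claims, now):
        return "revoked"
    return "ok"


def try_revoke(revocations, claims):
    """Attempt a revocation; returns 'revoked' or the reason it is impossible."""
    try:
        revocations.revoke(claims)
        return "revoked"
    except ValueError as exc:
        return str(exc)
```

The shorter the `exp` you issue, the smaller this list stays and the sooner a revocation stops mattering, which is why the expiry limitation and the revocation limitation are really one design decision.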

OAuth2 usage scenarios

In the author's view, there are two scenarios in which OAuth2 is the right choice:

Outsourced authentication server

As discussed above, if you do not mind your API depending on an external third-party identity provider, you can simply leave authentication to that provider.
The usual pattern is to register your application with an identity provider (such as Facebook) and configure which user information you need, such as e-mail and name. When a user visits your site's registration page, they see a link to the third-party provider. Clicking it redirects the user to the provider's site, where they grant the application permission to access the information it needs, and they are then redirected back.

Advantages

    • Rapid development
    • Little code to implement
    • Less maintenance work

Solutions for large enterprises

Using OAuth2 is a good choice when designing APIs to be used by many different applications, each in a different way.

Given the workload, a separate team may be required to develop sophisticated, flexible security policies for the variety of applications. The amount of work is indeed large, as the author of OAuth2 himself points out:

To be clear, OAuth 2.0 at the hands of a developer with deep understanding of web security will likely result in a secure implementation. However, at the hands of most developers – as has been the experience from the past two years – 2.0 is likely to produce insecure implementations.

Hueniverse: OAuth 2.0 and the Road to Hell

Advantages

    • Flexible approach to implementation
    • Can be used in conjunction with JWT
    • Can be extended for different applications

Further reading

    • http://jwt.io - the JWT official site, where you can also check the status of libraries implemented in different languages.
    • http://oauth.net/2/ - the OAuth2 official site, where you can also check the status of libraries implemented in different languages.
    • OAuth 2 tutorials - a useful overview of how OAuth 2 works.
    • OAuth2 spec issues - Eran Hammer's (the author who drove the OAuth standard) views on what went wrong with the OAuth 2 spec process. Whatever your own opinion, it is good to get some framing from someone who understands the key aspects of what makes a security standard successful.
    • JWT: Theory and Implementation with Laravel and Angular - a really informative guide to JWT in theory and in practice for Laravel and Angular.