In this post we are going to look at the first part, or better said, what we must understand first when we are going to work or develop in secure environments.
It is important to point out that while this post is adapted to any type of architecture, it is mainly intended for microservices as I will mention the JWT token. When working in a monolith system, validation is usually done with the user session rather than the JWT token (although it can also be used).
Index
1 - What is authentication?
To authenticate is to validate that someone is who they say they are, what we commonly call "logging in" or entering a username and password.
But nowadays, due to security reasons and issues with websites getting hacked, a simple username and password is not enough, and many websites require you to enter two private pieces of information, which is commonly referred to as two-factor authentication.
And these are usually two of the following:
- Passwords: the regular username and password.
- One-time pin: when you log in, you receive an email or SMS with a code, and you have to enter that code.
- Authentication apps: there are certain apps, mostly used on mobile devices, where you have a pin that is valid for one minute; these are now very common on many websites.
- Biometrics, fingerprints, retina scanners, etc. Very flashy and common in movies, but in the real world, this is mostly just for unlocking your phone or facial recognition on some smartphones.
Nowadays, with remote work, I imagine we are all used to two-factor authentication already.
2 - What is authorization?
Once we have validated that we are who we say we are (Authentication), we must check whether we have access to certain parts of the application or different features. This action is performed through authorization, and of course, it varies depending on the user.
A real-life comparison would be a driver's license: you have a license that indicates who you are (authentication), and on the back it specifies which types of vehicles you are allowed to drive (authorization). If you want to drive a truck, you need to get a truck license and have the authorities update that information (give access).
3 - Social login
As you might imagine, setting up all the infrastructure to support authentication and authorization is not easy, and it gets much more complicated if we add two-factor authentication.
That is why we have third-party options, the most common and popular being Google, Facebook, Twitter, or even GitHub, this is what we call social login. In my opinion, they are great, because this way we avoid having to create accounts everywhere, remember passwords, etc. You just click the "login with Google" button and everything works perfectly.
Other options include Auth0, OKta, ForgeRock, SecureAuth, or even running your own microservice with a fork of IdentityServer (written in .NET), but for a couple of months now, it is no longer free for companies.
But how does it work? What is the magic behind this technology? The quick answer is JWT tokens. But the detailed answer is a bit longer.
3.1 - Authentication with OAuth 2.0 and OpenID Connect
Oauth 2.0 is the standard that powers this magic, separating both functions: authentication to verify identity and authorization for permissions. Through HTTPS API calls, we can contact the different services that provide access control (Facebook, Google, Auth0, IdentityServer, etc).
But when we work with OAuth 2.0, we do not work directly with it, but rather through OpenID connect (OIDC), which is a wrapper or a layer on top of OAuth 2.0 that allows third-party applications to verify the user's identity and read basic information. OpenID Connect uses JWT tokens to return user information.
In the next post we will see how to authenticate/validate a user in a C# API using OpenID Connect.
If there is any problem you can add a comment bellow or contact me in the website's contact form
