This is compilation of research on implementing authentication in applications(Covering authentication using JWT for now, more approaches will follow soon)
Fundamentals You Must Know
Cryptography
- Assymetric Cryptography
- Digital Signatures : Verifying authenticity of message
- Forward Secrecy : A way to protect against future compromises of private key
- Encryption vs Signing
- Encryption vs Encoding
- Hashing vs Encoding cs Encryption vs Obfuscation
About Tokens
About Frameworks
- OAuth2.0 - authorization framework to enable third-party application obtain limited access to HTTP service
- OpenIDConnect - authentication on top of OAuth2.0
Web-Security Recommendations
- Authentication cheatsheet by OWASP
- PKCE - Proof Key for Code Exchange by OAuth Public Clients
- The OAuth 2.0 Authorization Framework: Bearer Token Usage
Secure Key Exchange In Public
- Diffie Hellman Key Exchange
- An SO answer to build more understanding around DH algo, signatures, forward secrecy, etc.
- Diffie-Hellman key exchange implementation in node.js
Maintaining Forward Secrecy
Invalidating JWT
- Simply remove the token from the client
- Create a token blacklist
- Just keep token expiry times short and rotate them often
- Contingency Plans : allow the user to change an underlying user lookup ID with their login credentials
A common approach for invalidating tokens when a user changes their password is to sign the token with a hash of their password. Thus if the password changes, any previous tokens automatically fail to verify. You can extend this to logout by including a last-logout-time in the user's record and using a combination of the last-logout-time and password hash to sign the token. This requires a DB lookup each time you need to verify the token signature, but presumably you're looking up the user anyway.
Securtity Risks and Criticism of JWT
- Stop using JWT for sessions and part 2: Why your solution doesn't work
- Why JWTs Suck as Session Tokens
- No Way, JOSE! Javascript Object Signing and Encryption is a Bad Standard That Everyone Should Avoid (including JWT, JWE and JWS)
- shieldfy/API-Security-Checklist#6 with more resources
- Things to Use Instead of JWT
- Branca as an Alternative to JWT?
- Paseto is a Secure Alternative to the JOSE Standards (JWT, etc.)
Implementations(Examples/Demos)
- Demo: How Docusign APIs auth workflow using JWT access token and refresh tokens
- JWT Authentication & Authorization in NodeJs/Express & MongoDB REST APIs(2019)
- JWT+Passport
- JWT+Passport : Code
- JWT+Passport : Guide on DO
- Passport-jwt
- Refreshing token using node-jsonwebtoken
- oAuth2 server with node.js
- oAuth libraries for node.js
- Inspiration: Read Firefox Accounts Code- All services including autyh-server, profile-server Documentation
- oAuth2 server toolkit for node.js
- OAuth2 Server and OpenID Connect Provider written in Go - sdk in all languages
- JavaScript client SDK to communicate with OAuth 2.0 and OpenID Connect providers
- AuthZ lib supports ACL, RBAC, ABAC in Node.js
- Google OpenIDConnect authentication