# Authentication

## Password hashing

![](https://415484505-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LxtoAXZwwOc4XGto8vb%2F-MGOTJwjNuytkUd_wtJ0%2F-MGO_JaS35jmRzU0LxqG%2FScreenshot%202020-09-04%20at%2016.44.10.png?alt=media\&token=2acb4561-d947-4ad4-b01f-36d23cddb5ff)

## JWT (JSON web token)

It is an open standard ([RFC 7519](https://tools.ietf.org/html/rfc7519)).

**Compact:**

* small size. A JWT can be sent through a URL, a POST parameter, or inside an HTTP header.

**Self-contained:**

* The payload contains all required info about the user, avoiding the need to query the DB more than once.

**JWT can be signed:**

* using a secret (with the HMAC algorithm)
* using a public/private key pair (RSA or ECDSA)

### When to use

* Authorization (most common scenario). SSO.
* Information exchange.

### Structure

* Header
  * type of the token, which is JWT
  * signing algorithm being used (e.g. HMAC-SHA256 or RSA)
  * ```json
    {
      "alg": "HS256",
      "typ": "JWT"
    }
    ```
  * => the header JSON is then **base64Url** encoded
* Payload
  * contains claims. A claim is a statement about an entity (e.g. a user) plus additional data.
  * types of claims
    * **registered**
      * ***iss*** (issuer)
      * ***exp*** (expiration time)
      * ***sub*** (subject)
      * ***aud*** (audience)
      * and [others](https://tools.ietf.org/html/rfc7519#section-4.1)
    * **public**
      * to avoid collisions they should be defined in the [IANA JSON Web Token Registry](https://www.iana.org/assignments/jwt/jwt.xhtml) or be defined as a URI that contains a collision-resistant namespace
    * **private**
      * custom claims to be used between parties (neither registered nor public)
  * example payload:

    ```json
    {
      "sub": "1234567890",
      "name": "John Doe",
      "admin": true
    }
    ```

    The payload is then **Base64Url** encoded.
  * for signed tokens this information, though protected against tampering, is readable by anyone. **Do not put secret information in the payload or header elements of a JWT unless it is encrypted.**
* Signature
  * ```
    HMACSHA256(
      base64UrlEncode(header) + "." +
      base64UrlEncode(payload),
      secret)
    ```
  * The signature is used to verify that the message was not changed along the way.
  * If the token is signed with a private key, the signature also verifies that the sender of the JWT is who it says it is.

The three Base64Url-encoded parts are separated by dots => `xxxxx.yyyyy.zzzzz`.

| Pros (+)                  | Cons (-)                         |
| ------------------------- | -------------------------------- |
| Fast                      | Compromised secret key           |
| Stateless                 | No visibility of logged-in users |
| Used across many services | Token can be stolen              |
| Compact                   |                                  |

![](https://415484505-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LxtoAXZwwOc4XGto8vb%2F-MGxpDAVhxAb66xQGdwL%2F-MGxpXlOu8DrFYEl3pyO%2FScreenshot%202020-09-11%20at%2017.43.36.png?alt=media\&token=9cd1da0b-6f55-4f43-bd7b-656eaedf22e4)

A separate library is used for this, e.g. [JJWT](https://github.com/jwtk/jjwt).

## Form based auth

* username & password
* standard in most websites
* Can log out
* HTTPS recommended

![](https://415484505-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LxtoAXZwwOc4XGto8vb%2F-MGxeUPf9OUuExArTpeT%2F-MGxe_JYYM1MrOUzWDIM%2FScreenshot%202020-09-11%20at%2016.55.44.png?alt=media\&token=c40832e3-3045-48d1-81ce-4cc6a1d8072d)

* Store sessions in a DB or Redis.
  * If sessions are kept in memory, they are lost after a restart.
* the default Spring Security login page can be substituted

