Formed in 2009, the Archive Team (not to be confused with the archive.org Archive-It Team) is a rogue archivist collective dedicated to saving copies of rapidly dying or deleted websites for the sake of history and digital heritage. The group is 100% composed of volunteers and interested parties, and has expanded into a large amount of related projects for saving online and digital history.
This is compilation of research on implementing authentication in applications(Covering authentication using JWT for now, more approaches will follow soon)
Fundamentals You Must Know
Cryptography
- Assymetric Cryptography
- Digital Signatures : Verifying authenticity of message
- Forward Secrecy : A way to protect against future compromises of private key
- Encryption vs Signing
- Encryption vs Encoding
- Hashing vs Encoding cs Encryption vs Obfuscation
About Tokens
About Frameworks
- OAuth2.0 - authorization framework to enable third-party application obtain limited access to HTTP service
- OpenIDConnect - authentication on top of OAuth2.0
Web-Security Recommendations
- Authentication cheatsheet by OWASP
- PKCE - Proof Key for Code Exchange by OAuth Public Clients
- The OAuth 2.0 Authorization Framework: Bearer Token Usage
Secure Key Exchange In Public
- Diffie Hellman Key Exchange
- An SO answer to build more understanding around DH algo, signatures, forward secrecy, etc.
- Diffie-Hellman key exchange implementation in node.js
Maintaining Forward Secrecy
Invalidating JWT
- Simply remove the token from the client
- Create a token blacklist
- Just keep token expiry times short and rotate them often
- Contingency Plans : allow the user to change an underlying user lookup ID with their login credentials
A common approach for invalidating tokens when a user changes their password is to sign the token with a hash of their password. Thus if the password changes, any previous tokens automatically fail to verify. You can extend this to logout by including a last-logout-time in the user's record and using a combination of the last-logout-time and password hash to sign the token. This requires a DB lookup each time you need to verify the token signature, but presumably you're looking up the user anyway.
Securtity Risks and Criticism of JWT
- Stop using JWT for sessions and part 2: Why your solution doesn't work
- Why JWTs Suck as Session Tokens
- No Way, JOSE! Javascript Object Signing and Encryption is a Bad Standard That Everyone Should Avoid (including JWT, JWE and JWS)
- shieldfy/API-Security-Checklist#6 with more resources
- Things to Use Instead of JWT
- Branca as an Alternative to JWT?
- Paseto is a Secure Alternative to the JOSE Standards (JWT, etc.)
Implementations(Examples/Demos)
- Demo: How Docusign APIs auth workflow using JWT access token and refresh tokens
- JWT Authentication & Authorization in NodeJs/Express & MongoDB REST APIs(2019)
- JWT+Passport
- JWT+Passport : Code
- JWT+Passport : Guide on DO
- Passport-jwt
- Refreshing token using node-jsonwebtoken
- oAuth2 server with node.js
- oAuth libraries for node.js
- Inspiration: Read Firefox Accounts Code- All services including autyh-server, profile-server Documentation
- oAuth2 server toolkit for node.js
- OAuth2 Server and OpenID Connect Provider written in Go - sdk in all languages
- JavaScript client SDK to communicate with OAuth 2.0 and OpenID Connect providers
- AuthZ lib supports ACL, RBAC, ABAC in Node.js
- Google OpenIDConnect authentication