Auth0 Protocols
JWT
Structure: Header (alg / typ = RS256 / JWT), Payload…
Define: JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object
How it works: user logs in with credentials --> ID Token (JWT) is returned --> verify the JWT signature --> save the JWT locally --> send the JWT on each request in the header Authorization: Bearer <token>
OpenID Connect (OIDC) is all about user authentication; it is based on the OAuth 2.0 family of specifications and uses JWTs delivered via OAuth 2.0
ID Token
body
iss: the issuer of the token.
sub: the subject of the token (a unique identifier for the user).
aud: the audience that the token is intended for.
exp: the time the token expires (Unix timestamp, in seconds).
iat: the time the token was issued (Unix timestamp, in seconds).
scope
workflow: 1) send the user to the authorization URL and request an id_token; 2) after Auth0 redirects back to the app, extract the id_token from the hash fragment of the URL.
API Scopes: For example, if you want to read and delete contact information, you would create two scopes: read:contacts and delete:contacts.
While OAuth 2.0 is about resource access and sharing, OIDC is all about user authentication. Its purpose is to give you one login for multiple sites. Each time you need to log in to a website using OIDC, you are redirected to your OpenID site where you login, and then taken back to the website. For example, if you chose to sign in to Auth0 using your Google account then you used OIDC. Once you successfully authenticate with Google and authorize Auth0 to access your information, Google will send back to Auth0 information about the user and the authentication performed. This information is returned in a JSON Web Token (JWT) called an ID Token.
login
1) login route --> 2) issue challenge --> 3) Auth0 /authorize, which displays the Lock widget (enter username and password) --> 4) once logged in, redirect back to /signin-auth0 with the auth code; 5) OIDC middleware intercepts the request; 6) handler looks for the auth code; 7) OIDC middleware calls /oauth/token to exchange the auth code for ID and access tokens; 8) OIDC middleware extracts user info from the ID token's claims; 9) the OIDC middleware is not involved in subsequent requests.
Single-Page Applications
SPAs are Web apps that load a single HTML page and dynamically update that page as the user interacts with the app.
Benefit #1: Applications are more fluid and responsive, without the jarring effect of reloading and re-rendering the page.
Benefit #2: Sending the app data as JSON creates a separation between the presentation (HTML markup) and application logic (AJAX requests plus JSON responses).
Cookie-Based Authentication (stateful):
- User enters their login credentials
- Server verifies the credentials are correct and creates a session which is then stored in a database
- A cookie with the session ID is placed in the user's browser
- On subsequent requests, the session ID is verified against the database and, if valid, the request is processed
- Once a user logs out of the app, the session is destroyed both client and server side
Token-Based Authentication (stateless):
- User enters their login credentials
- Server verifies the credentials are correct and returns a signed token
- This token is stored client-side, most commonly in local storage - but can be stored in session storage or a cookie as well
- Subsequent requests to the server include this token as an additional Authorization header or through one of the other methods mentioned above
- The server decodes the JWT and, if the token is valid, processes the request
- Once a user logs out, the token is destroyed client-side, no interaction with the server is necessary
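The following is an added example, not part of the original notes or of Auth0's own code. It ties the JWT section (structure, signature verification, the iss/sub/aud/exp/iat claims, the Authorization: Bearer header and API scopes) to the stateful-versus-stateless comparison above: a minimal session store next to a minimal JWT mint/verify, then a logout in each model. HS256 with a shared secret is used so the code runs with only the Python standard library; Auth0 signs ID tokens with RS256, so a real verifier would check an RSA signature against the tenant's public key. The secret, issuer URL, audience and user id are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo values (not a real tenant). HS256 keeps the example stdlib-only;
# with RS256 the verifier would hold only the public key, never the signing key.
SECRET = b"constructed-demo-secret-do-not-reuse"
ISSUER = "https://example-tenant.auth0.com/"   # assumed issuer (iss)
AUDIENCE = "https://api.example.com"           # assumed API identifier (aud)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(sub: str, scope: str, ttl: int, now: int) -> str:
    """Build header.payload.signature carrying the claims listed in the notes."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": sub, "aud": AUDIENCE,
               "iat": now, "exp": now + ttl, "scope": scope}
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token: str, now: int) -> dict:
    """Return the claims or raise ValueError; the signature is checked before any claim is trusted."""
    pieces = token.split(".")
    if len(pieces) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = pieces
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not get to choose it (e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now:
        raise ValueError("token issued in the future")
    return claims


def is_valid(token: str, now: int) -> bool:
    try:
        verify_jwt(token, now)
        return True
    except ValueError:
        return False


def bearer_token(headers: dict) -> str:
    """Pull the token out of 'Authorization: Bearer <token>'."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("missing bearer token")
    return token


def has_scope(claims: dict, needed: str) -> bool:
    """The scope claim is a space-separated list, e.g. 'read:contacts delete:contacts'."""
    return needed in claims.get("scope", "").split()


class SessionStore:
    """Stateful side of the comparison: the server remembers every live session."""
    def __init__(self):
        self._sessions = {}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def user_for(self, sid: str):
        return self._sessions.get(sid)

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def logout_comparison(now: int) -> dict:
    """What 'logout' means in each model for the same (constructed) user."""
    store = SessionStore()
    sid = store.login("auth0|user123")
    token = mint_jwt("auth0|user123", "read:contacts", ttl=3600, now=now)
    store.logout(sid)  # stateful: the server forgets the session immediately
    # stateless: discarding the token client-side tells the server nothing,
    # so a copy of it keeps verifying until exp is reached
    return {"session_valid_after_logout": store.user_for(sid) is not None,
            "jwt_valid_after_logout": is_valid(token, now),
            "jwt_valid_after_expiry": is_valid(token, now + 3601)}


if __name__ == "__main__":
    print(logout_comparison(1_700_000_000))
```

The design point is the last function: in the stateless model, "logout" is only the client dropping its copy, so the token's lifetime is bounded solely by exp. That is why short-lived access tokens (plus a refresh token or a server-side denylist where immediate revocation matters) are the usual mitigation.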