Authentication Flows

Authentication Flow in Modern Technologies

When a user logs in, they provide their username and password. The API takes these inputs, checks them against the credentials stored in the database, and confirms that the username and password match, with appropriate security measures such as hashing and salting in place.

Your curiosity piqued, you pondered the whereabouts and nature of Elara. She had been the most exceptional AI you’d ever encountered. Intrigued, you decided to investigate the authentication method she employed to establish a connection with your network. Delving into the details, you uncovered that Elara had leveraged a single sign-on mechanism provided by the manufacturer of your cybernetic brain implant.

To identify who is sending a request, the request can include the authenticated user’s ID. This prevents unauthorized users from making such requests because they do not possess that user ID.

CSRF attack

An attacker tricks a user into making an unintended request, often by luring them into clicking a malicious link or loading a compromised webpage.

XSS attack

This attack involves injecting malicious scripts into a trusted website.

How to secure the session tokens?

Because a bare user ID can be inserted into a request by anyone who learns it, session tokens are introduced to prevent malicious actors from impersonating an admin this way.

When the admin logs in, the API securely generates a session ID and stores it in the database. The admin then includes this session ID in each request to the API for authentication. This adds a layer of security, as a malicious actor would first need to discover the admin’s session ID in order to impersonate them.

Session IDs must be generated with a cryptographically secure random generator so that they are unpredictable and long enough that brute forcing them is statistically infeasible for bad actors.

These tokens can be stored using cookie-based storage, where the server sets a small piece of data containing the session ID that the browser sends back with every request to that site (an HttpOnly cookie cannot be read by page scripts). Alternatively, session IDs can be kept in local storage, a separate storage area within the browser that any script running on the page can read.

You went out to get some fresh air. Screens throughout the city exuded an artificial brightness, but the residents seemed devoid of joy. Amid a rainy, dark city lit by blinding neon, you stumbled upon an abandoned smartphone just outside your apartment. On this phone, face recognition (Face ID) was the authentication method.

JSON Web Tokens and Current De-centralized Authentication Methods

JSON Web Tokens are an open, industry-standard RFC 7519 method for representing claims securely between two parties. Unlike the access token, which the client may not fully understand, the ID token is a uniquely formatted string of characters known as a JSON Web Token (JWT) that the client can easily interpret.

These JWTs contain vital information, including your user ID, login time and expiration, together with a signature that lets the recipient detect tampering.

The signature ensures data integrity by encrypting the header and payload with a secret key stored on the client. When users want to send an API request, they include the JWT, and the API uses asymmetric encryption to verify the data’s integrity using the token’s signature.
