This appendix serves as a short refresher on authentication and authorization. It describes the OAuth 2.0 flow process, the OpenID Connect protocol, and the inner workings of JSON Web Tokens.
In simple web and mobile applications, the back-end server is usually responsible for the authentication and authorization of users. A password authentication scheme may work as follows (figure C.1):
In more complex scenarios additional systems or steps may be involved. OpenID, for example, is an open standard authentication protocol designed to allow users to authenticate via a third-party service (an OpenID identity provider) instead of having to develop a custom sign-in system. OpenID Connect adds an authentication layer on top of OAuth 2.0. A protocol like OpenID Connect is needed to enforce security and bridge the gap between authentication and authorization. Although it might seem that OAuth 2.0 could be used for authorization as well as authentication, it would be a mistake to assume that. Having an authorization system without an authentication component could lead to attackers gaining improper access to resources. Figure C.2 shows what an OpenID Connect flow looks like.
What’s the difference between authentication and authorization? Authentication is the process of verifying who the user is; for example, confirming that user Bob is who he represents himself to be. Authorization is about verifying what the user is allowed to do. Is Bob allowed to view this page? Is Bob allowed to delete a database record? Authentication and authorization are independent concepts (authenticated and non-authenticated users can be authorized to do different things) but are often linked in discussions about security.
OpenID is mainly concerned with authentication. OAuth is mainly about authorization. OpenID Connect is an extension of OAuth 2.0 designed to bring authentication and authorization together. For a more detailed explanation, see https://oauth.net/articles/authentication/.
The OAuth 2.0 specification (https://tools.ietf.org/html/rfc6749), which is used by OpenID Connect, defines four different grant types for different authorization scenarios:
JSON Web Token (https://tools.ietf.org/html/rfc7519) is an open standard used to transport claims between parties. These tokens have properties that make them useful in serverless systems:
Claims are encoded in JWT as a JSON object and are sent as a JSON Web Signature (JWS) or JSON Web Encryption (JWE) structure. The JWS payload is digitally signed by the entity creating the token to prevent tampering. The JWT spec defines support for symmetric and asymmetric signing algorithms. Tokens created with an asymmetric signing algorithm can be verified using a public key on a client. Naturally, JWT signed with a symmetric algorithm requires the secret signing key to validate the signature. These can’t be exposed to clients, but you can use them in a Lambda function to validate the token.
It’s also important to note that in JWS the claims (payload) portion is not encrypted in any way. It’s only Base64-encoded so it can be trivially inspected and read. Do not send any sensitive information in it. JWE, on the other hand, encrypts the content of the message instead of digitally signing it. It’s possible to encrypt the JWT claims and then embed them in a JWS if you want to enforce confidentiality and integrity at the same time.
JWT consists of three segments: header, body, and signature. Figure C.3 shows what a JWT token looks like and points out how to identify each segment.
The header of JWT is composed of two parts: the declaring type (JWT) and the hashing algorithm. The payload consists of JWT claims. There’s a set of reserved claims that, although not mandatory, is useful to have. Auth0, for example, includes the following minimum subset of claims in every token:
Finally, the signature is used to verify the integrity of the token. Typical JWT implementations support signature computation using HMAC with the SHA-256 cryptographic hash function (HS256) or RSA with SHA-256 (RS256).
The website jwt.io has an interactive debugger (figure C.4) for testing whether you have correctly generated your symmetric or asymmetric JWT. It also lists available libraries for token signing/verification for different languages and platforms.
3.138.110.105