teesloane / auth-boss Goto Github PK
View Code? Open in Web Editor NEW๐ Become an Auth Boss. Learn about different authentication methodologies on the web.
๐ Become an Auth Boss. Learn about different authentication methodologies on the web.
It's pretty standard to have base64 encoding for JWT secrets, but that's a confusing part for a lot of people, especially those who would be consuming a JWT that is generated by Auth0.
For example, I need to specifically create a Base64 encoded string to Authenticate the JWT on my app:
export function verifyToken(token) {
return new Promise((resolve, reject) => {
jwt.verify(
token,
new Buffer(process.env.AUTH0_CLIENT_SECRET, 'base64'),
{ audience: process.env.AUTH0_CLIENT_ID, },
(err, decoded) => {
if (err) reject(new Error('Could not verify JWT'))
resolve(decoded)
})
})
}
Had I not done that part, the token would have never properly authenticated.
Hey,
I think there's a bit of confusion between identification, authentication and authorization and it could be good to clear that. This could help to define the three terms.
The principal issue is the description of OAuth2: it's about authorization, not authentication (as is OpenID and the other methods). Facebook, Google and others keep their own identification/authentication system and, as a user, you still have to authenticate yourself to them. OAuth2 will then authorize (as you've requested) the other site to use some of your data (email address, name, maybe more; it could be defined in the scope). To do so, it must identify you to the site (so you could indeed use it as an identification protocol) but it's not why it has been designed. This StackOverflow topic surely explains it better.
It could also be dangerous to use OAuth2 as an identification protocol (even if Google and Facebook use it that way). This answer on StackExchange and the OAuth2 RFC explain why.
Weirdly, the Authorization header is about authentication (I don't understand the name choice).
Good job, though ๐
Quentin
The Zine is available at this link for free: gum.co/webauthzine
If I can add this to the repo, it will be a great match for content with visual representations as well. I would like to know your thoughts.
My team at work we were able to enter the local machine to the Active Directory domain that checks the user login and password for the Kerberos protocol. The application works in a browser.
OAuth docs clearly state:
"OAuth 2.0 is not an authentication protocol."
Here: https://oauth.net/articles/authentication/
So perhaps it would be better for you to change the text to "OAuth is an authorization protocol" and then perhaps link to the above document for the sake of pedants.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.