Created Authentication history (Basic, Digest, Cookie, Session, Token, JWT, API key, HMAC) (markdown)

+https://medium.com/@iamprovidence/authentication-history-basic-digest-cookie-session-token-jwt-api-key-55d6c21be90b

+

+# Authentication history (Basic, Digest, Cookie, Session, Token, JWT, API key, HMAC) | by iamprovidence | Medium

+

+

+[iamprovidence](https://medium.com/@iamprovidence)

+

+Let’s say you are building an app. Nothing overcomplicated. Simple data storage like Google drive. Users can upload and view their files. The question is how do we make sure users can only view their files and not someone else?

+

+The naive approach would be to send `UserId` in every request to a server. It is not only naive but also creates a huge security hole! As soon as your users have basic knowledge of how the Internet works they will try sending requests to a server with a different `UserId`.

+

+The only valid option would be to let the server distinguish which user sent a request. There is a variety of authentication options, like Basic authentication, Digest, Cookie, Session, Token and JWT. If you are interested in getting deeper knowledge in what are those, which problems they solve, and their benefits and drawbacks, read this article to the very end.

+

+In case you are new here, there are other articles on this topic.

+

+Authentication theory:

+

+* **Authentication history (Basic, Digest, Cookie, Session, Token, JWT, API key, HMAC)**

+* [Token gang (Bearer token, Reference token, Opaque token, Self-contained token, JWT, Access token, ID token, Refresh token)](https://medium.com/@iamprovidence/token-gang-bearer-token-reference-token-opaque-token-self-contained-token-jwt-access-token-6e0191093cd0)

+* [OAuth 2.0 and OpenID in simple terms](https://medium.com/@iamprovidence/oauth-2-0-and-openid-in-simple-terms-7196089a1b29)

+

+How to implement authentication in C# environment:

+

+* [Cookie-based Authentication in ASP](https://medium.com/@iamprovidence/basic-authentication-in-asp-39c585f9e074)

+* [Authorization in ASP](https://medium.com/@iamprovidence/authorization-in-asp-1ffece002c3)

+* [Identity Server integration with ASP MVC](https://medium.com/@iamprovidence/identity-server-integration-with-asp-mvc-1e128e4f319f)

+* Identity Server for microservices

+* Identity Server integration with SPA

+* SSO with Identity server

+

+You may also check out some others stories:

+

+* What is authentication schema in ASP about?

+* Authorization policy under the hood

+* Encapsulate authentication with DelegatingHandler

+* How to parse token on client side

+

+Meanwhile, we are starting.

+

+Basic Authentication

+--------------------

+

+The simplest authentication mechanism is HTTP Basic Authentication. Here’s an overview of how it works:

+

+1. A user enters his login and password in the login form

+2. If the server successfully validates those, the client now can store the user’s login and password

+3. **User Authentication.** The client includes an `Authorization` header in all subsequent requests with the word "Basic" followed by a space and a base64-encoded string of the form "login:password".

+

+```

+HTTP: https://my-app.com/get-photos

+Authorization: Basic base64encode(login:password)

+```

+

+

+4\. **Server Verification.** The server, upon receiving the request, decodes the base64 string, retrieves the login and password, and verifies them against DB. If the credentials are valid, the server allows access to the requested resource; otherwise, it returns a `401 Unauthorized` status code.

+

+

+

+Despite its simplicity, Basic Authorization has multiple drawbacks:

+

+* **security.** credentials are sent in an easily decodable Base64-encoded format therefore should only be used in conjunction with HTTPS

+* **privacy.** user’s credentials are exposed and can not be used by other systems

+* **revocation.** the server has no way to end the user’s session

+* **storage.** user’s credential is stored in a browser and could be exposed

+* **performance.** additional db calls have to be made to validate credentials (consider adding cache)

+

+**Digest** Authentication

+-------------------------

+

+To overcome the shortcoming of the Basic Authentication a more secure way to transmit credentials was found.

+

+It involves hashing the username, password, and other information in the request, making it harder to intercept and decode:

+

+1. A user enters his login and password in the login form

+2. If the server successfully validates those, the client creates a hash based on login and password

+3. **User Authentication.** The client includes an `Authorization` header in all subsequent requests with the word "Digest" followed user’s login and generated hash:

+

+```

+HTTP: https://my-app.com/get-photos

+Authorization: Digest username="john", hash="5ccc069c403eb171e9517f40e41"

+```

+

+

+4\. **Server Verification.** The server, upon receiving the client’s request, performs its own hash calculations using the stored password. If the calculated hash matches the one sent by the client, access is granted.

+

+

+

+In practice it is a bit more complicated than that, but it is enough for you to understand Digest Authentication.

+

+This time we don’t send user’s password but a hash value, which is irreversible comparing to encoding. This approach is a bit more secure, but we still have issues:

+

+* **performance.** validation of credential cost time and resources

+* **revocation.** the server still has no way to end the user’s session

+

+Cookie

+------

+

+The traditional authentication approach on the web involves cookies.

+

+A cookie could be anything, a number, string, _serialized object_, and so on. However, for security reasons, the cookie responsible for authentication is encrypted.

+

+The usual flow of using cookies is as follows:

+

+1. A user enters his login and password in the login form

+2. If the server successfully validates those, it _issues_ an encrypted cookie. That cookie can also contain any additional information about the user like age, permissions, preferences etc

+3. **User Authentication.** The _user’s browser_ stores that cookie and includes it in all subsequent requests as a Cookie header:

+

+```

+HTTP: https://my-app.com/get-photos

+Cookie: uLfpKTEAAxgVbjjJs6S5RcXnQlLnK4knnz2zBa5wN3wO/zqQM4ZhAv604

+```

+

+

+4\. **Server Verification.** The server, upon receiving the client’s request, validates a cryptographic signature attached to the cookie, its expiration time, domain path etc. If the cookie sent by the client is valid, access is granted.

+

+

+

+There are a few things worth noting:

+

+* **self-contained**. cookies are self-contained. It means the server can just verify its signature without the need to do a DB request. This is how validation cost issues were solved

+* **stateless**: the server does not need to store additional data. This simplifies server-side implementations and allows for easier horizontal scaling

+* **revocation**. server has multiple ways to terminate a user’s session (cookie expiration time, timeout session for inactive users, send invalidate cookie header)

+* **in-build support.** but the most lovely thing about cookies is that they are so common you don’t have to implement any code on the client side. Your browser will attach cookies on every request automatically. That is just ideal for [MPA](https://medium.com/@iamprovidence/frontend-side-architecture-evolution-mpa-spa-bd87fa32da8)

+

+Regardless of how good it sounds, there are always some caveats:

+

+* **performance.** cookies are sent out for every single request (even for requests that don’t require authentication)

+* **interoperability.** cookies work out of the box only in the browser. For all the other clients (desktop, mobile etc) you still would have to write code

+* **scale poorly.** cookies are bound to a server’s domain and, therefore are not applicable in [SPA](https://medium.com/@iamprovidence/frontend-side-architecture-evolution-mpa-spa-bd87fa32da8) or [microservices](https://medium.com/@iamprovidence/microservices-376bb3f553b7)

+* **security risks**: cookies are vulnerable to [CSRF attacks](https://medium.com/p/0d5de7c74569#8042). Extra protection measures should be implemented

+

+You can find an example of cookie-based authentication [here](https://medium.com/@iamprovidence/basic-authentication-in-asp-39c585f9e074).

+

+Session

+-------

+

+You can make cookies work in a [distributed environment](https://medium.com/@iamprovidence/microservices-376bb3f553b7) with sessions:

+

+1. A user enters his login and password in the login form

+2. If the server successfully validates those, it gets or _creates_ a user’s session in the database and _issues_ a cookie with the session id

+3. **User Authentication.** The _user’s browser_ stores that cookie and includes it in all subsequent requests as a `Cookie` header:

+

+```

+HTTP: https://my-app.com/get-photos

+Cookie: SessionId=270299

+```

+

+

+4\. **Server Verification.** The server, upon receiving the client’s request, validates the cookie and retrieves the session from the DB

+

+

+

+A session is just a record in the database about a user. It contains all the data you would usually have in the cookie, but this time it is completely on the server side.

+

+Despite weak advantages:

+

+* **server-side storage.** sensitive data is not exposed to the client

+* **centralized control on the server side**. it is easier to implement features like session timeouts, account locking, and other security measures

+* **cross-domain communication.** a session can be utilized across a [distributed environment](https://medium.com/@iamprovidence/microservices-376bb3f553b7)

+

+You have almost the same issues as before:

+

+* **latency.** session validation requires DB call

+* **performance.** cookies are sent out for every single request

+* **interoperability.** cookies do not work on their own outside the browser

+* **scale poorly.** a database can be distributed too, which leads even to more issues

+* **security risks**: cookies are vulnerable to [CSRF attacks](https://medium.com/p/0d5de7c74569#8042). Extra protection measures should be implemented

+

+Token

+-----

+

+Long story short, token authentication is the same as the session one. We just no longer have cookies, and instead of session id, a random string is used, so it is harder to compromise it:

+

+1. A user enters his login and password in the login form

+2. If the server successfully validates those, it gets or creates a user’s session in the database and issues a random string related to this session called a token

+3. **User Authentication.** The client stores that token and includes it in all subsequent requests:

+

+```

+HTTP: https://my-app.com/get-photos

+Authorization: pS4zFXYx0URtDEkMWOcGunMgxA7cGyXYx0URtDEkMWOcGunMgxA7

+```

+

+

+4\. **Server Verification.** The server, upon receiving the client’s request, validates there is a session in the DB with such token. If so the access is granted

+

+

+

+I know 😔. Cookies seemed to be such a good idea. So why would we get rid of it and use a token instead?

+

+* **interoperability.** token can be used on any device (browser, mobile, desktop)

+* **cross-domain communication.** support [distributed architecture](https://medium.com/@iamprovidence/microservices-376bb3f553b7)

+* **privacy.** no credential is exposed, so the token can be used by third-party

+* **server-side storage.** sensitive data is not exposed to the client

+* **centralized control on the server side**. it is easier to implement features like session timeouts, account locking, and other security measures

+

+However, we just get back to square one:

+

+* **no in-build support.** we have to implement everything by ourselves

+* **storage.** token stored on the client side can be [exposed](https://medium.com/p/0d5de7c74569#095b)

+* **performance.** token validation costs a DB request. For [microservices](https://medium.com/@iamprovidence/microservices-376bb3f553b7), it is even worse. You need an http call to an identity server that will do a DB request

+

+JWT

+---

+

+Finally, we grow up to good old JWT tokens. 😌

+

+So what is the deal with it? JWT tries to keep the benefits of token authentication but decreases performance issues. Do you remember how exactly the validation cost was reduced with cookies? 🤔 Cookies are self-contained. So let’s make our token self-contained.

+

+JWT (JSON Web Token) is a cryptographically secure token that contains all needed data inside itself in JSON format:

+

+```

+{

+ "alg": "HS256",

+ "typ": "JWT"

+}

+.

+{

+ "sub": "1234567890",

+ "name": "John Doe",

+ "iat": 1516239022

+}

+.

+signature

+```

+

+

+Additionally, it is encoded to make it more size concise. So the token above will be encoded to:

+

+```

+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

+```

+

+

+The flow is pretty much the same as what we are used to:

+

+1. A user enters his login and password in the login form

+2. If the server successfully validates those, it issues a JWT token

+3. **User Authentication.** The client stores that token and includes an `Authorization` header in all subsequent requests with the word “Bearer” followed by a space and a JWT token:

+

+```

+HTTP: https://my-app.com/get-photos

+Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

+```

+

+

+4\. **Server Verification.** The server, upon receiving the client’s request, validates the [signature](https://medium.com/@iamprovidence/cryptography-for-kids-040516012acc#8da0) and grants access

+

+

+

+The benefits are:

+

+* **performance.** no database lookup since the token is self-contained

+* **interoperability.** the token can be used on any device (browser, mobile, desktop etc)

+* **stateless**: the server does not need to store additional data. This simplifies server-side implementations and allows for easier horizontal scaling

+* **cross-domain communication.** support [distributed architecture](https://medium.com/@iamprovidence/microservices-376bb3f553b7)

+* **privacy.** no credential is exposed, so the token can be used by third-party

+

+But remember about those issues:

+

+* **storage.** token still can be [hijacked](https://medium.com/p/0d5de7c74569#095b) by an attacker (can be partially fixed with a [refresh token](https://medium.com/@iamprovidence/token-gang-bearer-token-reference-token-opaque-token-self-contained-token-jwt-access-token-6e0191093cd0#0164))

+* **revocation.** the server has no way to end the user’s session (JWT token is valid even after a user logs out)

+* **no in-build support.** we need to write code (one can argue it is a benefit since it is more agile and flexible but I will let you decide)

+* **sensitive data exposure.** care must be taken not to include sensitive information in the token payload

+

+As you can see, even though JWT is so popular, it is not a panacea either.

+

+API Key

+-------

+

+Since we are already on this topic, a few final words for M2M authentication.

+

+The API Key flow is avoided for user authentication but is commonly used for machine-to-machine (M2M) communication or third-party integrations, where one software application or system interacts with another API (Application Programming Interfaces).

+

+Here is a basic overview of the API Key flow:

+

+1. Developers or administrators generate API keys beforehand

+2. **Server Authentication.** The client includes an `Authorization` header in all subsequent requests with the word "ApiKey" followed by the key:

+

+```

+HTTP: https://my-app.com/get-photos

+Authorization: ApiKey 9c403eb171e9517f40e415ccc069c403eb171e9517f40e41

+```

+

+

+You can also find an implementation where the API key is included as a query parameter:

+

+```

+HTTP: https://my-app.com/get-photos?

+ api-key=9c403eb171e9517f40e415ccc069c403eb171e9517f40e41

+```

+

+

+3\. **Server Verification.** The server, upon receiving the client’s request, validates the API key to check if it is legitimate and associated with a valid application

+

+

+

+Even though it is almost a standard it still has some minute flaws:

+

+* **storage.** can be stored insecurely, such as hardcoding them in source code, storing them in configuration files, or sharing them inappropriately

+* **no expiration.** they don’t expire unless explicitly revoked allowing hijackers to have infinite access to the API

+

+HMAC

+----

+

+It is also possible, that client exposes an endpoint to receive webhooks. This time, not the server, but **_the client_** needs to authenticate requests.

+

+Traditionally, webhooks are secured with [HMAC](https://medium.com/@iamprovidence/cryptography-for-kids-040516012acc#8da0) (Hash-based Message Authentication Code).

+

+Here’s an overview of how it works:

+

+1. The client sends an _authenticated_ request to subscribe to the server’s events

+2. The server validates the request, generates a random [_signing key_](https://medium.com/@iamprovidence/cryptography-for-kids-040516012acc#3521), and stores it. This key is issued in the response a single time

+

+```

+{

+ "signingKey": "sa13d"

+}

+```

+

+

+3\. **Server Authentication.** When an event occurs on the server, it generates a [signature](https://medium.com/@iamprovidence/cryptography-for-kids-040516012acc#8da0) by hashing the webhook’s payload along with a signing key

+

+Both payload and signature are included in the webhook:

+

+```

+{

+ "signature": "171e9517f40e415ccc06",

+ "payload": <object>

+}

+```

+

+

+4\. **Client Verification.** The client, upon receiving the webhook, calculates the signature in the same way (`signature = hash(content + signing key)`) and compares it to the one in the webhook. If they are the same, the request is considered to be legit and can be processed

+

+

+

+HMAC has some benefits over API keys:

+

+* **data integrity.** it not only authenticates the server but also ensures the request is untampered

+* **privacy.** API Key (Signing Key) is not sent directly and is not exposed if intercepted, even for developers' team

+* **uniqueness.** signature is unique for each webhook

+

+While it is common to use HMAC with webhooks, you can get use of it for traditional M2M communication. Just remember, that it adds:

+

+* **complexity.** HMAC is harder to implement compared to API key

+* **storage.** can be stored insecurely. If the key is compromised, all communications relying on it are vulnerable

+* **no expiration.** they don’t expire unless explicitly revoked

+* **sensitive data exposure.** the HMAC does not protect the payload’s confidentiality. If the payload contains sensitive data, it must be encrypted separately to ensure privacy

+* **performance.** both the client and the server require time to compute the HMAC, slowing down request processing

+

+Final Thoughts

+--------------

+

+And that is all for today 😌. In this article I was aiming to guide you through the authentication landscape, offering insights into the diverse tools and techniques that have shaped the authentication over time.

+

+It is essential not only to understand and be able to use any of those approaches in parallel but also to combine them. Regardless of how clean and experience-proved those ideas look, in practice, you would have to deal with a complete horror of legacy code 😁.

+

+It happens so, that authentication is so widely known and a completely misunderstood topic at the same time, that most of the time it results in a complete mess. I have seen JWT is stored in cookies, cookies used for API-only communication, or JWT for M2M. I have been through that kind of sh\*t you don’t even want to hear. Most of the time those implementations were done by me 😅. Don’t do as I have done. Be smarter. Learn ahead and find a solution that suits you best 🙃.

+

+Let me know in the comment what was your worst experience with authentication?💬

+Give this article a clap or a few if you like it 👏

+You can support me with a link below ☕️

+And don’t forget to follow if you are interested to read about all those authentication methods in detail ✅