Types of authentication viz. OAuth, Digest, Basic, token-based

Hello everyone, today I am going to explain some of the authentication types that are most commonly used nowadays.

But before starting with the types, here is the most basic definition of authentication:

Authentication is the process by which a system decides whether whoever is trying to access it is allowed to do so. It does not determine what tasks the individual can do or what files the individual can see; it identifies and verifies who the person or system is.

Now, here are some of the most important and basic authentication types:

OAuth Authentication

OAuth is an open authentication protocol that lets client applications access a resource owner's resources on HTTP services such as Facebook, GitHub, etc. It allows resources stored on one site to be shared with another site without handing over the owner's credentials: tokens are used instead of the username and password.

Basically, there are three parties involved: the OAuth Provider, the OAuth Client, and the Owner.

  • OAuth Client (the application that wants to access your account)
  • OAuth Provider (e.g. Facebook, Twitter, ...)
  • Owner (the person with the Facebook or Twitter account)

Here is a diagram that depicts OAuth type authentication in a simple way:

Fig. OAuth type authentication

OAuth gives the Client the flexibility to choose which specific resources it wants to use in its application.

For example, if the Provider is Facebook, the client can choose from 'messages', 'notifications', 'wall posts', etc. to be used in its application.
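To make the three parties and the scope selection concrete, here is an added, constructed in-memory simulation (not code from the original post and not any real provider's API): the Owner consents at the Provider, the Client receives a one-time code and exchanges it for a token, and the token only unlocks the scopes that were actually granted. Client ids, redirect URIs, owner names and scope strings are assumptions.

```python
import secrets

# Constructed in-memory simulation of the three OAuth parties named in the text:
# a Provider (e.g. Facebook), a Client application and the Owner. Client ids,
# redirect URIs, owner names and scope strings are assumptions, not a real API.
class Provider:
    def __init__(self):
        self.clients = {}    # client_id -> registered redirect_uri
        self.codes = {}      # one-time authorization codes
        self.tokens = {}     # access_token -> (client_id, owner, scopes)
        self.resources = {"alice": {"messages": ["hi"], "wall_posts": ["p1"],
                                    "notifications": ["n1"]}}

    def register_client(self, client_id, redirect_uri):
        self.clients[client_id] = redirect_uri

    def authorize(self, client_id, redirect_uri, owner, granted_scopes):
        """Owner logs in at the Provider (the Client never sees the password)
        and consents; the Provider issues a code bound to this client."""
        if self.clients.get(client_id) != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, owner, frozenset(granted_scopes))
        return code

    def exchange_code(self, client_id, code):
        """Client trades the code for an access token; the code is single-use."""
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid, replayed or foreign code")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = entry
        return token

    def get_resource(self, token, resource):
        """Access is limited to the scopes the Owner actually granted."""
        if token not in self.tokens:
            raise PermissionError("unknown token")
        _client_id, owner, scopes = self.tokens[token]
        if resource not in scopes:
            raise PermissionError(f"scope '{resource}' not granted")
        return self.resources[owner][resource]

def demo():
    """Owner 'alice' grants 'photo-app' messages and wall_posts only."""
    fb = Provider()
    fb.register_client("photo-app", "https://photo.example/cb")
    code = fb.authorize("photo-app", "https://photo.example/cb", "alice",
                        ["messages", "wall_posts"])
    return fb, fb.exchange_code("photo-app", code)
```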

Digest Authentication

Digest authentication is a simple authentication mechanism originally developed for the HTTP protocol, which is why it is often called HTTP Digest; it is described in RFC2671. Its mechanism is very simple: it uses a hash-based method so that the user's password is never transmitted in plaintext.

Digest authentication verifies that both parties in the communication know a secret shared between them (namely the password).

This type of authentication is intended to replace unencrypted HTTP basic access authentication. It is not, however, intended to replace strong authentication protocols, such as public-key or Kerberos authentication.

Digest authentication is a method of authentication in which a request from a potential user is received by a network server and then sent to a domain controller. The domain controller sends a special key, called a digest session key, to the server that received the original request. The user must then produce a response, which is encrypted and transmitted to the server. If the user’s response is of the correct form, the server grants the user access to the network, Web site or requested resources for a single session.

However, this scheme has a disadvantage: digest access authentication provides no mechanism for clients to verify the server's identity.

Basic Authentication

Next in the list is Basic authentication. Here the server sends back a header stating that it requires authentication for a given realm. The user provides the username and password, which the browser concatenates (username + ":" + password) and base64-encodes. This encoded string is then sent in the "Authorization" header on each request from the browser.

The following image shows the basic flow used in Basic authentication:

Fig. Basic authentication

It is a relatively simple protocol and is supported by all the major browsers. However, there are some drawbacks to using this type of authentication:

  • User credentials are sent in the request.
  • Credentials are sent as plaintext.
  • Credentials are sent with every request.
  • No way to log out, except by ending the browser session.
  • Vulnerable to cross-site request forgery (CSRF); requires anti-CSRF measures.

These drawbacks make it somewhat less secure than the other types of authentication.
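The following added example (constructed for this post, not the author's code) puts the Digest and Basic sections side by side: the same credentials produce a Basic header that decodes straight back to the password, and a Digest response that carries only a hash which the server recomputes from a stored HA1. Realm, nonce, URI and credential values are made up.

```python
import base64
import hashlib
import hmac

# Constructed example: the same credentials sent with Basic and with Digest.
# Realm, nonce, URI and credential values are made up for the illustration.

def basic_header(username, password):
    """Basic: 'username:password', base64-encoded. Encoding is reversible,
    so this is plaintext for anyone who can read the request."""
    raw = f"{username}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def basic_decode(header):
    """What an observer (or the server) gets back out of a Basic header."""
    decoded = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = decoded.partition(":")
    return user, password

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """Client side of HTTP Digest (RFC 2617, qop=auth): only this hash is sent,
    never the password. nonce comes from the server, cnonce from the client."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def digest_verify(stored_ha1, method, uri, nonce, nc, cnonce,
                  response, qop="auth"):
    """Server side: it stores HA1 per user (not the password), recomputes the
    expected value and compares in constant time. Note the asymmetry the text
    points out: nothing here lets the client verify the server's identity."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, response)

def digest_header(username, realm, uri, nonce, nc, cnonce, response):
    """Assemble the Authorization header the browser would send."""
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", '
            f'response="{response}"')
```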

Token Based Authentication

Token-based authentication involves issuing an access token at the time of authentication. This token can take different forms depending on the ecosystem it is used in. The client enters its username and password in order to obtain an access token, keeps this token and sends it along with every request to the server. While processing each individual request from the client, the server does not know that the client is already authenticated, because HTTP is stateless, so it checks the token sent along, ascertains that the client is already authenticated and then grants access to the resources being requested.

The following figure shows the basic structure of Token Based Authentication:

Fig. Token Based Authentication

Token-based authentication systems work well in a web API environment where most applications are available via their APIs, so tokens can be used to obtain access to multiple services and applications across domains at once without worrying about the single-domain policy.

It is comparatively faster and more secure because the token is encrypted and digitally signed.
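As an added example (constructed for this post, not the author's code), here is a compact HMAC-signed bearer token issued once after login and then checked statelessly on every request, exactly the per-request flow described above. It demonstrates the "digitally signed" part only: the payload is signed, not encrypted, so it is readable by anyone holding the token. The key, user name and lifetimes are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example: a JWT-like (simplified) HMAC-signed bearer token, issued
# once at login and checked statelessly per request. Signed, not encrypted.
SECRET = b"server-only-signing-key"   # assumption: never leaves the server

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(username, ttl_seconds=3600, now=None):
    """Issued after the client has proven username/password once."""
    now = int(time.time()) if now is None else now
    payload = {"sub": username, "iat": now, "exp": now + ttl_seconds}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token, now=None):
    """Return the payload if signature and expiry hold, else None. No session
    store is consulted: the signature alone proves this server issued it."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):   # tampered body or forged sig
        return None
    payload = json.loads(_unb64(body))
    if payload.get("exp", 0) <= now:            # expired
        return None
    return payload

def handle_request(authorization_header, now=None):
    """Per-request check: HTTP is stateless, so every request must carry the
    token as 'Authorization: Bearer <token>'."""
    if not authorization_header.startswith("Bearer "):
        return 401, "missing token"
    payload = verify_token(authorization_header[len("Bearer "):], now)
    if payload is None:
        return 401, "invalid or expired token"
    return 200, f"hello {payload['sub']}"
```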

So this is all for now.

I hope this helps you understand the basics of the authentication types mentioned above.

Original article: https://www.cnblogs.com/chucklu/p/13164877.html