Middleware JWT authorization
27.09.2021 • Barbora Bačenková • Security
Many people confuse authentication and authorization. They are distinct security processes with different purposes; however, they go hand in hand, and both are needed. Let’s take a closer look at how these concepts work and why they are so important in the field of computer security.
Authentication | I am
Authentication verifies the identity of the user who wants to access the resource.
- Single-Factor/Primary Authentication
- Two-factor authentication (2FA)
- Single Sign-On (SSO)
- Multi-Factor Authentication (MFA)
- Password Authentication Protocol (PAP)
- Challenge Handshake Authentication Protocol (CHAP)
- Extensible Authentication Protocol (EAP)
Authorization | I can
Authorization determines whether the (already authenticated) user is actually permitted to access a resource or to perform a given function.
What we will discuss below is useful information for all applications and web services in general. An essential part of a great user experience is that you can access all the resources you need with confidence and security.
- Authorization HTTP – the person enters their username and password for authentication. This method doesn't use cookies, session IDs, or login pages.
- Authorization API - when a user attempts to access system resources during registration, an API key is generated. The same key is paired with a hidden token (identifier token). The combination of the API key and the hidden token is used every time the user authenticates and enters the environment they are allowed to use.
- OAuth 2.0 - this method allows the API to authenticate and access the necessary system resources.
Authorization JWT (JSON web token)
JSON Web Token is an open standard for secure data transfer between parties. The server generates a token that certifies the user's identity and sends it to the client. It is commonly used for authorization and relies on a public/private key pair. The owner of the private key (the authenticating party) should be a higher company authority (such as Active Directory). JWT supports both authentication and authorization: mainly API authentication and server-to-server authorization.
This architecture proves to be very effective in modern web applications, where we perform API requests via REST after the user is authenticated.
As a company engaged in middleware, we work with authorization and authentication from the ESB (Enterprise Service Bus) point of view. The ESB takes part in authorization/authentication in these two roles:
ESB is a REST API provider
- Application (as API consumer) authenticates against the higher authority
- ESB verifies token issuer identity by a public certificate
- ESB authorizes possible actions by looking into the payload of the JWT
- The application doesn't need any certificate
ESB is a REST API consumer
- ESB authenticates against the higher authority
- Application (as API provider) verifies token issuer identity by a public certificate
- Application authorizes possible actions by looking into the payload of the JWT
- ESB doesn't need any certificate
In many cases, highly sensitive data such as banking, financial and business data are involved. Data breaches are one of the biggest risks that such systems face.