Intro
Authentication is the process of verifying the identity of a user or system (as distinct from authorization, which decides what an authenticated identity is allowed to do). Here's a simple breakdown of how some common authentication types are used in real scenarios:
1. Password-Based Authentication:
- Scenario: A user logs into their email account by entering their username and password.
2. Multi-Factor Authentication (MFA):
- Scenario: A banking app sends a verification code to the user's phone, which they must enter along with their password to access their account.
3. Biometric Authentication:
- Scenario: A smartphone user unlocks their device using their fingerprint or facial recognition.
4. Token-Based Authentication:
- Scenario: A user accesses a secure corporate network by providing a time-sensitive token (for example a six-digit TOTP code) generated by an authenticator app on their smartphone.
5. Certificate-Based Authentication:
- Scenario: A web browser securely connects to a website using HTTPS, verifying the website's identity using a digital certificate issued by a trusted Certificate Authority. This authenticates the server to the client; with mutual TLS the client presents its own certificate as well, which is how certificate-based authentication of users, devices or services is usually done.
6. OAuth (Open Authorization):
- Scenario: A user signs into a mobile app using their Google account without sharing their Google password with the app. Strictly speaking, OAuth 2.0 is an authorization framework for delegating access to an API; the "sign in with ..." flow is OpenID Connect, an identity layer built on top of OAuth 2.0 that returns an ID token describing the user.
7. JWT (JSON Web Token):
- Scenario: A user logs into a web application and receives a JWT containing their authentication claims (such as user ID and expiry), signed by the server. The JWT is then sent with each subsequent request to access protected resources on the server, which must verify the signature and the expiry claim before trusting anything inside the token.
These scenarios demonstrate how each type of authentication can be applied in real-world situations to verify the identity of users and ensure secure access to systems and data.
REST API Authentication Mechanism: An Example
What is Base64?
Base64 is a binary-to-text encoding scheme that represents binary data (such as images, audio files, or binary executables) as an ASCII string. It converts binary data into a sequence of printable characters, making it suitable for transmitting data in environments that require plain text, such as email or HTTP headers.
Base64 encoding uses an alphabet of 64 characters: uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), and two additional symbols, '+' and '/' in the standard alphabet ('-' and '_' in the URL-safe variant), with '=' used as padding at the end.
It's worth noting that the number "64" does not relate to the length of the encoded data or to any notion of strength: Base64 is encoding, not encryption. Anyone can decode it, so a Base64-encoded password in a header is plaintext as far as security is concerned. The "64" simply refers to the size of the character set used for encoding.
In Python, the base64 module provides functions to encode and decode data using the Base64 encoding scheme. Here's a simple explanation of how Base64 works: every 3 bytes (24 bits) of input are split into four 6-bit groups, and each group selects one of the 64 characters; if the input length is not a multiple of 3, the last group is completed with zero bits and the output is padded with one or two '=' characters.
How to send the Authorization header?
The Authorization header is used to transmit credentials from the client to the server. Its value starts with the scheme name followed by the credentials: for HTTP Basic authentication that is the Base64 encoding of "username:password"; for token schemes it is a bearer token, such as an OAuth 2.0 access token, sent as "Bearer <token>". Because Basic credentials are only encoded, not encrypted, and a bearer token grants access to whoever holds it, the header must only ever be sent over HTTPS.
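The following is an added example (not code from the original page) that covers both passages above: it implements the 3-byte-to-4-character Base64 rule by hand and cross-checks it against the standard library, then builds and parses Basic and Bearer Authorization values. The username and password are constructed sample values; the function names are the example's own.

```python
import base64
import binascii

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64encode_manual(data: bytes) -> str:
    """Base64 by hand: each 3-byte (24-bit) chunk becomes four 6-bit indexes into ALPHABET."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # pack up to 3 bytes into one 24-bit integer, zero-filled on the right
        bits = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        chars = [ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        pad = 3 - len(chunk)                  # a short last chunk is padded with '='
        out.append("".join(chars[:4 - pad]) + "=" * pad)
    return "".join(out)


def matches_stdlib(data: bytes) -> bool:
    """Cross-check the manual encoder against the base64 module."""
    return b64encode_manual(data) == base64.b64encode(data).decode("ascii")


def basic_auth_header(username: str, password: str) -> str:
    """Value for 'Authorization: Basic ...' per RFC 7617: base64 of 'user-id:password'."""
    if ":" in username:
        raise ValueError("a Basic user-id must not contain ':'")
    credentials = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {credentials}"


def bearer_auth_header(token: str) -> str:
    """Value for 'Authorization: Bearer ...' (RFC 6750), used for OAuth 2.0 access tokens."""
    return f"Bearer {token}"


def parse_authorization(header: str):
    """Server side: split the scheme from the credentials.

    Returns ("basic", user, password), ("bearer", token) or None for anything
    malformed. Decoding Basic straight back to the plaintext password is the
    reason the header must only travel over TLS.
    """
    scheme, _, credentials = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            raw = base64.b64decode(credentials.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            return None
        user, sep, password = raw.partition(":")   # password may itself contain ':'
        return ("basic", user, password) if sep else None
    if scheme == "bearer":
        token = credentials.strip()
        return ("bearer", token) if token else None
    return None


if __name__ == "__main__":
    print(b64encode_manual(b"Man"), base64.b64encode(b"Man"))
    header = basic_auth_header("alice", "s3cret")   # constructed sample credentials
    print(header, "->", parse_authorization(header))
```

Running the script prints "TWFu" twice, followed by "Basic YWxpY2U6czNjcmV0" and the tuple ("basic", "alice", "s3cret") recovered from it, which is exactly what any proxy or log file in the path would see if the request were not sent over TLS.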
Session authentication
A session refers to a period of interaction between a user and a system, typically starting when a user logs in and ending when they log out or their session expires. During a session, the system keeps track of the user's activities and maintains a certain state.
Sessions are created when a user logs in and are typically maintained using tokens or unique identifiers. The authentication process involves confirming the user's credentials, such as a username and password, and establishing a secure and unique session for that user.
The session identifier is then sent with every request to prove the user's authenticated state throughout their interaction with the application. It is usually carried in a cookie on the user's device; that cookie should be flagged HttpOnly, Secure and SameSite so that page scripts cannot read it and it is not sent over plain HTTP or with cross-site requests.
In-Memory Session ID Storing:
"In-memory" refers to storing session-related information directly in the computer's RAM (Random Access Memory) rather than persisting it to a database or other storage medium. It is the fastest and simplest option, but the sessions disappear when the process restarts and are invisible to other worker processes or servers, which is why production deployments usually move them to a shared store such as Redis or a database.
Example
A minimal in-memory store is a dictionary keyed by session ID. In a real-world scenario, you would also need to consider security aspects (unguessable IDs, rotation after login, invalidation on logout), session expiration, and potentially use more robust mechanisms, such as middleware or dedicated session management libraries, to handle user sessions in a web application.
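An added example of such a store (written for this page, not taken from it): a dictionary in process RAM with CSPRNG-generated IDs, lazy expiry, rotation against session fixation and a purge sweep. The FakeClock class is a constructed stand-in for time.monotonic so expiry can be exercised without waiting; all class and method names are the example's own.

```python
import secrets
import time


class FakeClock:
    """Constructed stand-in for time.monotonic so expiry can be exercised without sleeping."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


class InMemorySessionStore:
    """Session state held in a dict in this process's RAM.

    Fast and simple, but gone on restart and invisible to other worker
    processes, so production deployments usually move it to Redis or a database.
    """

    def __init__(self, ttl_seconds=1800, clock=time.monotonic):
        self._sessions = {}      # session id -> {"user": ..., "expires": ...}
        self._ttl = ttl_seconds
        self._clock = clock      # injectable for tests

    def create(self, user):
        # 256 bits from the OS CSPRNG; never derive an id from the username, a counter or the time
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "expires": self._clock() + self._ttl}
        return sid

    def get(self, sid):
        """Look up a session; expired entries are dropped lazily and reported as absent."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() >= entry["expires"]:
            del self._sessions[sid]
            return None
        return entry

    def rotate(self, sid):
        """Issue a new id for a live session (after login or a privilege change) to defeat session fixation."""
        entry = self.get(sid)
        if entry is None:
            return None
        self.destroy(sid)
        return self.create(entry["user"])

    def destroy(self, sid):
        """Logout: forget the session server-side, so a stolen id stops working immediately."""
        self._sessions.pop(sid, None)

    def purge_expired(self):
        """Periodic sweep so idle sessions do not accumulate in RAM; returns how many were removed."""
        now = self._clock()
        dead = [sid for sid, entry in self._sessions.items() if now >= entry["expires"]]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)

    def __len__(self):
        return len(self._sessions)
```

Because the store is a plain dictionary, the same class cannot be shared by two worker processes; each would hold its own copy and a user logged in on one worker would appear logged out on the other, which is the practical limit of in-memory session storage.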
Note that the browser's sessionStorage is a different thing from a server-side session. sessionStorage is similar to localStorage; the difference is that while data in localStorage doesn't expire, data in sessionStorage is cleared when the page session ends. Whenever a document is loaded in a particular tab in the browser, a unique page session gets created and assigned to that particular tab. Both are readable by any script running on the page, so neither is a safe place to keep a session identifier or an authentication token.
https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage

What Cookies Are: Cookies are small pieces of data stored on the user's device by the web browser.
They are sent between the web server and the browser to store information, such as user preferences, authentication tokens, and session data. Cookies play a crucial role in maintaining stateful interactions between the user and the web application.
Cookies have attributes such as name, value, expiration date, path, and domain, plus the security flags Secure (only sent over HTTPS), HttpOnly (not readable from JavaScript) and SameSite (not sent with cross-site requests). They can be either session cookies (temporary, cleared when the browser is closed) or persistent cookies (lasting beyond the current session).
Use Cookies when:
You need to store small amounts of data on the client-side.
Data needs to persist across different browser sessions.
You want a lightweight and straightforward way to store information like user preferences or tracking identifiers.
Use Sessions when:
You need to manage user-specific data during a single visit or session.
The data is temporary and doesn't need to persist after the user closes the browser.
You want to handle user authentication and authorization securely: the data stays on the server, and the client only holds an opaque session identifier (itself usually carried in a cookie), so the user cannot read or tamper with it.
Summary:
Cookies are client-side storage for small amounts of data, and the client can read and modify them.
Sessions are server-side storage for temporary, trusted data within a single user session, referenced from the client by an identifier.
How to Send Cookies in Python:
In Python, you can send cookies in an HTTP request using the requests library by passing them as the cookies argument of the request call; the library turns the dictionary into a Cookie header on that single request.
What if you need to maintain state, such as staying logged in across multiple requests?
This is where the Session object in the requests library comes in. It provides a way to persist parameters across requests: when you use a Session, it keeps track of cookies (as well as default headers, authentication settings and other parameters) between requests, so a cookie set by the login response is automatically sent with every later request made through the same Session, just as a browser would do.
When a web server sends a response to your web browser, it often includes a Set-Cookie header to set cookies on your device. Cookies are key-value pairs, and the Set-Cookie header also carries the cookie's attributes (Path, Expires, HttpOnly, Secure, SameSite and so on). To work with these cookies in Python, you may need to parse them from the Set-Cookie header, for example with the standard library's http.cookies module.
Parsing cookies allows you to extract the value and attributes and use this information in your Python code.
Let's consider a simple example of a web application for an online shopping site where you need to use sessions and cookies:
Scenario: Online Shopping Website
1. User Authentication:
Use of Sessions:
When a user logs in, start a session to keep track of their authenticated state throughout their visit.
Store user information (like user ID and username) in the session to personalize their experience.
2. Shopping Cart:
Use of Cookies:
When a user adds items to their shopping cart, store the cart information in a cookie.
This allows the user to navigate between pages without losing the contents of their cart. Because the cookie is under the user's control, sign it (for example with an HMAC) or store only a cart identifier in it, and never trust prices or totals taken from the cookie.
3. Personalized Settings:
Use of Cookies:
Allow users to customize their website preferences (e.g., theme, language).
Store these preferences in cookies to apply them consistently across visits.
4. Remember Me Feature:
Use of Cookies:
Provide a "Remember Me" option during login.
If the user selects this option, store a long-lived cookie to remember their authentication status even after closing the browser. The cookie should hold a random, revocable token that is looked up server-side, never the password or anything derived from it.
5. Analytics and User Tracking:
Use of Cookies:
Implement analytics to track user behavior and preferences.
Use cookies to assign unique identifiers to users for tracking purposes.
6. Secure Authentication Tokens:
Use of Cookies:
When the browser must carry an authentication token (for example to your own API gateway), store it in an HttpOnly, Secure, SameSite cookie rather than in localStorage, so scripts cannot read it.
These cookies are then sent with each API request for secure and stateful communication. Tokens for external APIs or microservices belong on the server side; do not hand them to the browser at all.
Here's a simplified Python example illustrating the usage of sessions and cookies on both the client and the server side; the same pattern applies in a web framework like Flask, where the framework's session object and the response's set_cookie method do the equivalent work.
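The example below is added for this page (it is not the page's own Flask code) and serves both the "How to Send Cookies in Python" passage and the shopping-site scenario. To run offline without installing requests, it uses the standard library on both sides: a tiny http.server shop with a /login endpoint that creates a server-side session, a /profile endpoint that requires it, and a /cart endpoint that keeps the cart in an HMAC-signed cookie; and a urllib client where a CookieJar plays the role requests.Session plays, Set-Cookie is parsed with http.cookies, and a cookie is also sent by hand. The user "alice", the items and the forged cookie are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

SESSIONS = {}                        # in-memory session store: session id -> username
CART_KEY = secrets.token_bytes(32)   # server-only key that signs the client-held cart cookie

def sign_cart(items):
    """Cart cookie = hex(json) '.' HMAC-SHA256: the client can read it but cannot forge it."""
    body = json.dumps(items, separators=(",", ":")).encode()
    return body.hex() + "." + hmac.new(CART_KEY, body, hashlib.sha256).hexdigest()

def verify_cart(value):
    """Return the cart items, or [] when the cookie is malformed or its MAC does not verify."""
    try:
        body_hex, mac = value.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return []
    expected = hmac.new(CART_KEY, body, hashlib.sha256).hexdigest()
    return json.loads(body) if hmac.compare_digest(expected, mac) else []

class ShopHandler(BaseHTTPRequestHandler):
    def log_message(self, *_):       # keep the demo quiet
        pass

    def _reply(self, status, body="null", set_cookie=None):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        if set_cookie:
            self.send_header("Set-Cookie", set_cookie)
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        if self.path != "/login":
            return self._reply(404)
        sid = secrets.token_urlsafe(32)          # credential check elided in this demo
        SESSIONS[sid] = "alice"
        # HttpOnly hides the id from page scripts; SameSite=Lax blunts CSRF; add Secure under HTTPS
        self._reply(200, '"logged in"', f"sessionid={sid}; Path=/; HttpOnly; SameSite=Lax")

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        cookies = SimpleCookie(self.headers.get("Cookie", ""))
        if url.path == "/profile":               # server-side session state
            user = SESSIONS.get(cookies["sessionid"].value) if "sessionid" in cookies else None
            return self._reply(200, json.dumps(user)) if user else self._reply(401, '"login required"')
        if url.path == "/cart":                  # client-side state, integrity-protected
            items = verify_cart(cookies["cart"].value) if "cart" in cookies else []
            items += urllib.parse.parse_qs(url.query).get("add", [])
            return self._reply(200, json.dumps(items), f"cart={sign_cart(items)}; Path=/; SameSite=Lax")
        self._reply(404)

def call(opener, url, method="GET", headers=None):
    """Issue one request; return (status, decoded JSON body, Set-Cookie header or None)."""
    req = urllib.request.Request(url, data=b"" if method == "POST" else None,
                                 method=method, headers=headers or {})
    try:
        with opener.open(req) as resp:
            return resp.status, json.loads(resp.read()), resp.headers.get("Set-Cookie")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read()), None

def run_demo():
    server = ThreadingHTTPServer(("127.0.0.1", 0), ShopHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    out = {}
    try:
        anon = urllib.request.build_opener()                 # no cookie handling at all
        out["anon_profile"] = call(anon, base + "/profile")[0]
        jar = CookieJar()                                    # what requests.Session() keeps for you
        browser = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
        _, _, set_cookie = call(browser, base + "/login", "POST")
        morsel = SimpleCookie(set_cookie)["sessionid"]        # parse the Set-Cookie header
        out["session_attrs"] = (morsel["path"], morsel["httponly"], morsel["samesite"])
        out["profile"] = call(browser, base + "/profile")[1]  # the jar replays the cookie
        call(browser, base + "/cart?add=book")
        out["cart"] = call(browser, base + "/cart?add=pen")[1]
        # sending a cookie by hand, the equivalent of requests.get(url, cookies={...})
        out["manual"] = call(anon, base + "/profile", headers={"Cookie": f"sessionid={morsel.value}"})[1]
        # a forged cart (wrong MAC) is ignored rather than trusted
        forged = json.dumps(["free-laptop"]).encode().hex() + "." + "00" * 32
        out["forged"] = call(anon, base + "/cart", headers={"Cookie": f"cart={forged}"})[1]
    finally:
        server.shutdown()
        server.server_close()
    return out

if __name__ == "__main__":
    print(run_demo())
```

The first /profile call fails with 401 because the bare opener sends no Cookie header at all; after the login response is captured by the CookieJar the same call succeeds, which is the behaviour requests.Session gives you. The cart stays on the client but is rejected when its signature does not verify, so the cookie can be read by the user yet not edited in their favour.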
Resources:
Advanced JAX-RS 22 - REST API Authentication Mechanisms
https://flask-httpauth.readthedocs.io/en/latest/
REST API Authentication Mechanisms
What is the difference between Digest and Basic Authentication?