Differences between authentication types


I was doing some research on authentication, because I want to improve this part of my system, and I found some cases like Basic, OAuth1 and OAuth2.

What is the difference between them? What are they really? I read a little about it, but I haven’t really understood much yet. Can I develop an OAuth system myself, or do I depend on something?

I plan to develop my new API with Node.js + MySQL (currently PHP + MySQL) and in the future migrate to Node.js + MongoDB.

1 answer



Basic

It is a method that the User-Agent (a line of text that identifies the browser and the OS to the web server) uses to provide a user name and password when making a request. It is the simplest access control technique because it does not require cookies or session identifiers; instead it uses standard fields in the HTTP header. It also doesn’t guarantee much security to the application.

OAuth

Basically OAuth (Open Authorization) is a secure authorization protocol that deals with authorizing third-party applications to access some data without exposing the password.

Some differences between OAuth1 and OAuth2:

  • Better support for applications that are not a web browser. This is an important point with respect to OAuth1, where desktop or mobile applications had to direct the user to the browser. With OAuth2 there are new ways for an application to get authorization.

  • OAuth2 signatures are less complicated.

  • One purpose of OAuth2 is to have a clear separation between the server responsible for requests and the server that manages user authorization.

  • Access tokens are shorter in OAuth2.

  • OAuth2 does not require client applications to have encryption.

More details are in the article above.

In practical terms for Node.js

There are straightforward and simple ways to implement OAuth-based authentication with Node.js using existing libraries. There must be an authorization server, which can be one you create or could be Facebook, GitHub, Twitter, Gmail or any other service. A library that implements OAuth2 is passportjs; I recommend studying it (the implementation is not traumatic and there are several examples), where it is possible to configure the authentication strategy - user and password or Facebook, for example. So what will actually authorize the client to connect to the application is the communication between the access server (your application) and the authorization server (Facebook). The user will not need to enter a user name and password.

Sources for more specific studies:

  • In my case, I am building an API that will be used by my app (mobile, iOS and Android) and by my Dashboard (web). Which one do you think would be appropriate?

  • I personally never created the OAuth authorization API; I always used the most common ones, Facebook and GitHub. Hardly any user does not have Facebook, for example. But if the client is going to be another API (not a user per se), then perhaps it is more appropriate for you to create your own server; otherwise the happy path may be the better cost/benefit.

  • In my case, the app will log in via Facebook but will also have the option to register via a form; the Dashboard will not log in via Facebook.

  • You can use Basic and Facebook then. Or create the server if you want greater security and practicality for the user.
