In this article, we will address the fundamental concepts that we must understand when working or developing in secure environments.
Although this article is applicable to any architecture, it is primarily designed for microservices, as we will refer to the JWT token. In a monolithic system, the user session is typically used instead of the JWT token (although it is also possible to use it).
1. Authentication
Authentication is the process of confirming that someone is who they claim to be, commonly known as "login" or entering the username and password.
Today, due to security challenges and attacks on websites, a simple username and password are not enough. Many websites require you to enter two-factor authentication, which can be:
- Passwords
- Single-use PIN
- Authentication applications
- Biometrics
With the increase in remote work, it is likely that we are all already familiar with two-factor authentication.
2. Authorization
Once we have confirmed our identity (Authentication), we must verify if we have access to certain areas of the application or different functions. This is done through authorization, which varies by user.
A real-life example would be a security pass in a company. You have your pass that indicates who you are (authentication), and the pass indicates which areas of the company you can access (authorization). If you want to access a restricted area, you need to obtain the corresponding authorization.
3. Social Login
Setting up the infrastructure to support authentication and authorization is not a simple task, and it becomes even more complicated if we add two-factor authentication.
For this reason, there are third-party options, the most well-known being Google, Facebook, Twitter, or even GitHub, which we call social login. They are an excellent option because they save us from having to create accounts everywhere and remember passwords.
Other options include Auth0, OKta, ForgeRock, SecureAuth, or even having your own microservice with a version of IdentityServer (written in .NET).
3.1. Authentication with OAuth 2.0 and OpenID Connect
OAuth 2.0 is the standard that enables this magic, as it separates authentication to verify identity and authorization for permissions. Through HTTPS API calls, we can call different services that provide access control.
When working with OAuth 2.0, we do it through OpenID Connect (OIDC), which is a wrapper or a layer above OAuth 2.0 that allows third-party applications to verify the user's identity and read basic information. OpenID Connect uses JWT tokens to return user information.
4. Content Security Policy (CSP)
Content Security Policy (CSP) is an effective tool for mitigating the risk of Cross-Site Scripting (XSS) attacks. CSP allows servers to specify which sources can load resources, preventing the loading of malicious scripts from untrusted sources.
5. Same-Origin Policy (SOP)
The Same-Origin Policy (SOP) is a security measure implemented in web browsers to prevent scripts from one page accessing data on another page if they do not share the same origin. This is crucial to protect user-sensitive data against potential Cross-Site Scripting (XSS) attacks.