In a nutshell, Authentication asks who are you, Authorization asks are you allowed here?

Modern day Authentication techniques:

• OAuth
• JWT
• Zero Trust Architecture
• Passwordless

Auth techniques of the future:

• Decentralized (Blockchain based Auth)
• Behaviour based auth
• Post Quantum based Auth - Quantum computers are future, and when they become the present, all cryptographic and hashing algorithms we use today become instantly obsolete, because of the nature the computers operate (based on quantum superposition and entanglement)

Approaches for Authentication and Authorization today:

• Sessions
• JWTs
• Cookies

Difference between Session based Auth and JWT based Auth is that, Session based auth needed the server to be stateful to store the session ID, JWT allows stateless nature of the server as it encodes the user data within the token itself so no storage is necessary

1. JWT (JSON Web Token)

   JWT is a token based stateless authentication mechanism where a json object containing the necessary user details is encoded with a secret key and sent to the user on signin. The subsequent user requests that require authentication is sent with the user token, the server then verifies it with the secret key and validates the user.

   A JWT token is usually encoded with base64 and another algorithm. A token consists with three main parts:

   • Header (encoded with base64) - contains signature algorithm (e.g. HS256) and type of token (e.g. JWT)
   • Payload (encoded with base64) - user details
   • Signature (built with specified hashing algorithm using header, payload and a secret key)

   The generated token is merged with these three parts with the following syntax:

   token = header.payload.signature
   

   the header and payload can be decoded easily, the authentication is verified using the signature, which is signed using the secret key, known only by the server. If the token is tampered in any way, the signature becomes invalid, and the user auth fails.

Sometimes a hybrid approach (stateful and stateless) is used where after successful jwt authentication, the server checks the database or any memory based storage (in case of redis) if the user is restricted (in case of RBAC) or banned for any shady activity or not. This is stateless authentication with stateful authorization.

This may seem like a defeat of purpose of stateless auth, but benefits of stateless auth still exists:

• more secure and less dependency on db, which can suffer malicious attacks
• no session ID storage (which is not scalable)
• horizontally scales well (for distributed systems)

Cookies are a way of client side storage that the browser provides to store some relevant user data in a secured way. A server can store and access the cookies they have set, they cannot access any other server’s cookies. Tokens stateful or stateless are stored a cookie only till expiry if required.

Types of Authentication

1. Stateful

2. Stateless

3. API Keys

4. OAuth 2.0

5. Stateful Authentication

Note: The cookies are set as HTTP only, so they aren’t accessible by javascript/ scripts

1. Stateless Authentication