"I don't understand them: sessions, OAuth, token based, WebAuthn, OAuth2 ...?"

"I know a few methods. I can help you understand 'em."
CONTENTS

* HTTP Basic Authentication
* Session based authentication
* Token based authentication
* JSON Web Tokens
* OAuth: Authorization Code Grant, Implicit Grant, Client Credentials Grant, Resource Owner Password Grant
HTTP BASIC AUTHENTICATION

① The browser requests a page (contacts.html) with a blank Authorization header.
② The server responds with status 401 and a WWW-Authenticate header.
③ The browser notices the presence of the WWW-Authenticate header and presents a popup to enter the username and password.
④ The browser puts the username and password in the Authorization header and sends the request again.
⑤ The server validates the username and password. If the credentials match, you get contacts.html in the response.
⑥ The browser will remember the credentials and will pass them on subsequent requests.
HTTP BASIC AUTH

* Credentials in the header are base64 encoded, not encrypted.
* Basic Auth with HTTP is not safe, as data is sent in plain text.
* Use HTTPS.
SESSION BASED AUTHENTICATION

* User login is linked with a piece of state in server memory.

① The user submits credentials over POST.
② The server validates the credentials.
③ The server stores the session information (in memory or in a DB) and sends the browser a cookie that identifies the user and is sent with future requests (this is called the session cookie). At this point the user is signed in.
④ GET contacts.html: the browser sends the cookie as well.
⑤ The server validates the session information from the cookie (looked up in memory or the DB) and sends contacts.html.
⑥ POST logout.html: the server invalidates the session and responds with status 200 OK.
⑦ The existing session token has been invalidated; a later request gets status 403 and the user is unauthenticated.
TOKEN BASED SIGN IN

* A token is a small piece of data.
* Used with:
  > RESTful APIs
  > Single page apps
  > Microservices
* Requests carry a token to the server.

"How is a token different from a session?"
TOKEN BASED SIGN IN

① The user submits credentials over POST (username: "Jon", password: "FooBar").
② The server validates the credentials.
③ The server creates a token and sends it to the browser. The client saves it (in local storage; this is optional). At this point the user is signed in.
④ GET contacts.html: the browser sends the token as well.
⑤ The server decodes the token, validates the signature (if present) and sends contacts.html.
⑥ POST logout.html: the server asks the client to clear the token and responds with status 200.
⑦ With no token present, a later request gets status 403: the user is NOT authenticated.
TOKEN BASED AUTHENTICATION

* Key concept: tokens are stateless. The server should sign the token, so it does not need to store it on the backend.
* The signature prevents tokens from tampering.
"Security Assertion Markup Language (SAML)?"

"Needless to say, JWT is really important."
JSON WEB TOKENS

* Can be used for authentication, and maybe also for authorization (ID token via OIDC).
* Flow: username / password → validate creds → generate token (signed with the secret key) → response.
* Self contained: contains the data.
  ↳ Anyone can view the content.
  ↳ Verification can only be done by an entity who has access to the secret key.
JSON WEB TOKENS

* 3 parts separated by dots: header . payload . signature

  Header: the hashing algorithm used for the signature.
  Payload: the data, aka claims.
  Signature = HMACSHA256( base64Encode(header) + "." + base64Encode(payload), secret )

* Claim types:
  ↳ Public claims, e.g.
      {
        "id": "doe",
        "email": "john@doe.com",
        "exp": "1234567890",
        "iat": "70129401"
      }
  ↳ Private claims: a name without meaning to anyone except the token producer.
  ↳ Restricted (registered) claims: names reserved for app usage:
      iss (issuer), sub (subject), exp (token expiry time), iat (issued at), jti (JWT token identifier)
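An added example (not part of the zine) of the three-part structure and the HMACSHA256 signature described above, in Python; the secret, the claims and the helper names are constructed for this illustration. It also shows the two earlier points in working code: anyone can read the payload without the key, while only the holder of the secret can verify it, so a tampered payload, a different key or a passed exp all fail verification.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example: not a real key or real user data.
SECRET = b"example-secret-do-not-reuse"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWT uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """header.payload.signature, signature = HMACSHA256(b64(header) + '.' + b64(payload), secret)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def peek_claims(token: str) -> dict:
    """Anyone can read the payload: it is only base64url encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, secret: bytes, now: int):
    """Return the claims only if the signature matches and exp has not passed; otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return None  # pin the algorithm; never let the token choose it
    expected = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None  # wrong key, or tampered header/payload
    claims = json.loads(b64url_decode(payload))
    if "exp" in claims and now >= int(claims["exp"]):
        return None  # expired
    return claims


def tampered_copy(token: str, new_claims: dict) -> str:
    """Rewrite the payload without re-signing; verify_jwt must reject the result."""
    header, _, sig = token.split(".")
    payload = b64url(json.dumps(new_claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{sig}"
```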

"This was too much knowledge!!"

"Agreed, take a break, refresh, and then we will move to OAuth."

"I hope that will be easy."

"Don't worry, I will make it easy."
OAUTH

"Open Authorization? You are asking me to open... what?!"

"Don't get confused by the name. It says Open, but it is a protocol for Authorization. It allows users to share their private resources without sharing their username and password."
* There are 4 entities involved:
  ↳ Resource owner (the user)
  ↳ Client (the app)
  ↳ Authorization server
  ↳ Resource server (the actual protected resource)

* 4 types of authorization grant (ways of generating an access token):
  ↳ Authorization Code Grant
  ↳ Implicit Grant
  ↳ Client Credentials Grant
  ↳ Resource Owner Password Grant
AUTHORIZATION CODE GRANT

Entities: User, Client App, Authorization server (http://auth server .../token), Resource server.

① The user wants to use the client app.
② Client app → authorization server: request token.
③ The authorization server asks the user to log in. User: "Why not, take my username & password."
④ The authorization server shows the consent screen.
⑤ User: "Yes please, I give my consent."
⑥ Authorization server → client app: "Hey App, the user authorized access for you. Take this authz code and use it to get an access token."
⑦ Client app → authorization server: get access token. (At this step, before the response, the client's credentials are validated.)
⑧ Authorization server → client app: "Take this token."
⑨ Client app → resource server: request with the Bearer token.
⑩ Response.
IMPLICIT GRANT

Entities: User, Client App, Authorization server (http://auth server .../token), Resource server.

① The user wants to use the client app.
② Client app → authorization server: request token.
③ The authorization server asks the user to log in. User: "Why not, take my username & password."
④ The authorization server shows the consent screen.
⑤ User: "Yes please, I give my consent."
⑥ Authorization server → client app: "Hey App, the user authorized access for you. Take this token and use this access token with the resource server."
⑦ Client app → resource server: request with the Bearer token.
⑧ Response.
CLIENT CREDENTIALS GRANT

* Used when the client is acting on its own behalf (when the client is the resource owner).

① Client app → authorization server: "Give me an access token."
② Authorization server → client app: "Take this token."
③ Client app → resource server: request with the Bearer token.
④ Response.
RESOURCE OWNER PASSWORD CREDENTIAL GRANT

① Client app → user: "Hey, can you login?"
② User → client app: "Why not, take my username & password."
③ Client app → authorization server (http://auth server .../token): request token with the user's credentials.
④ The authorization server checks the credentials and returns an access token, with an optional refresh token.
⑤ Client app → resource server: request with the Bearer token.
⑥ Response.
"No problem! Take your time to absorb."

"Also there will be another zine just covering OAuth in detail. I hope you enjoyed! Thanks for reading."

Join for more updates.

Content reviewed, examined & corrected by Christina, the IAM Ninja.

Thanks.

Read more zines @ securityzines.com