Questions tagged [authentication]

Authentication is the act of one entity proving its identity to another entity. Common examples involve public key cryptography. For example, proving that a banking web site actually belongs to the bank you think it does.

415 questions

134 votes, 7 answers

Are private, unguessable URLs equivalent to password-based authentication?

I want to expose a resource on the web. I want to protect this resource: to make sure it is only accessible to certain individuals. I could set up some kind of password-based authentication. For example, I could only allow access to the resource…
GladstoneKeep

99 votes, 8 answers

Is browser fingerprinting a viable technique for identifying anonymous users?

Is browser fingerprinting a sufficient method for uniquely identifying anonymous users? What if you incorporate biometric data like mouse gestures or typing patterns? The other day I ran into the Panopticlick experiment EFF is running on browser…
SMrF

38 votes, 1 answer

Where to place an API key: a custom HTTP header VS the Authorization header with a custom scheme

I'm designing a REST API using authorization/authentication via an API key. I tried to figure out what the best place for it is and found out that many people suggest using a custom HTTP header such as ProjectName-Api-Key, e.g. ProjectName-Api-Key:…
RomanG

34 votes, 2 answers

Cookie-based vs Session vs Token-based vs Claims-based authentications

I have read about authentication and have become confused about the classification of types. Let's start with cookie-based authentication. If I understand it right, the key point is that all data needed for user authentication is stored in cookies. And…
Set

34 votes, 3 answers

JSON Web Token - why is the payload public?

I can't understand the reasoning for making the claims/payload of a JWT publicly visible after base64 decoding it. Why? It seems like it'd be much more useful to have it encrypted with the secret. Can someone explain why, or in what situation,…
ineedhelp

24 votes, 4 answers

How should I architect a RESTful webservice to use 3rd party (i.e. Google, Facebook, Twitter) for authentication?

For my job we have a nice RESTful webservice we've built out that we use to drive a couple websites we have. Basically the webservice lets you create and work with support tickets, and the website is responsible for the front end. Any webservice…
Ralph Callaway

23 votes, 3 answers

Is it bad practice to store a user's email address in a JWT?

I'm using JWTs for user auth in a web application. I have a user db where each user's unique ID is their email address. To identify the subject of the JWT, I currently have a claim which stores the user's email address in the token. Does that…
Justin Borromeo

23 votes, 2 answers

Share private SSH keys with Bash on Windows

I have Windows 10 with Git installed. This Git uses my C:/Users/MyName dir as the HOME directory and the /.ssh/ dir within it, appropriately, for sourcing my private SSH keys. I have just enabled and set up "Bash on Ubuntu on Windows" (what a mouthful!)…
Toby

21 votes, 2 answers

Should I store my user claims in the JWT token?

I am using JWT tokens in HTTP headers to authenticate requests to a resource server. The resource server and auth server are two separate worker roles on Azure. I cannot make up my mind as to whether I should store the claims in the token or attach…
Astravagrant

20 votes, 9 answers

Is this scenario an exception to the rule of never storing passwords in plaintext?

I am making a full-stack web application for a professor. At his request, the passwords and usernames are generated programmatically, and they cannot be changed or reset by the students. (If you forget your password, you ask the professor, who can…
James

20 votes, 1 answer

Difference between 'aud' and 'iss' in JWT

I want to implement a more robust authentication service, and JWT is a big part of what I want to do. I understand how to write the code, but I'm having a little trouble understanding the difference between the reserved iss and aud claims. I…
Adam McGurk

20 votes, 2 answers

REST API security: HMAC/key hashing vs JWT

I just read this article that is a few years old but describes a clever way of securing your REST APIs. Essentially: each client has a unique public/private key pair; only the client and the server know the private key; it is never sent over the…
smeeb

18 votes, 9 answers

Authentication and authorisation for people with intellectual disabilities

Currently, I'm involved in a research project in which we are evaluating an existing web environment providing a safe online playground for children/adolescents with intellectual disabilities. Certain areas of this web application require…
KDW

18 votes, 3 answers

Handling token renewal / session expiration in a RESTful API

I'm building a RESTful API that uses JWT tokens for user authentication (issued by a login endpoint and sent in all headers afterwards), and the tokens need to be refreshed after a fixed amount of time (invoking a renew endpoint, which returns a…
Óscar López

17 votes, 5 answers

Authorization and authentication system for microservices and consumers

We plan to refactor our company system into a micro-service based system. These micro-services will be used by our own internal company applications and by 3rd party partners if needed: one for booking, one for products, etc. We are unsure how to…
Robert