There are several common front-end authentication solutions: HTTP Basic Authentication, session-cookie, token authentication (including JWT), OAuth (Open Authorization), and so on.
I. HTTP Basic Authentication
1. The concept of HTTP Basic Authentication
HTTP Basic Authentication is a basic authorization mode that browsers support as part of the HTTP protocol. The protocol defines a way for an HTTP server to authenticate the user of a client during HTTP communication.
2. HTTP Basic Authentication process
Step 1: The client requests data from the server (a web page or an Ajax asynchronous request); assume the client has not been authenticated yet.
Step 2: The server responds with status code 401 (authentication required), and the browser pops up its login dialog.
Step 3: The user enters the user name and password; the browser automatically Base64-encodes them and sends them in the Authorization request header.
Step 4: The server receives the request, decodes the credentials, compares them with the user information in the database, and returns the requested content.
Logout (invalidation) scheme: set up a special logout account on the server. When the Authorization information received is the logout user name and password, the logout succeeds. On the client, the logout operation manually modifies the Authorization request header, setting it to the server's default logout account and password.
II. Session-cookie
1. The concept of session-cookie
Authentication between the front end and the back end is achieved with a server-side session and a browser-side cookie. Because HTTP requests are stateless, the server needs to create a session for each client, and every request from the same client is tied to that client's own session. When a request reaches the server, the server checks whether this client has already created a session on the server. If so, the client has been authenticated; otherwise, it has not.
2. Session-cookie authentication process
Step 1: When the server receives the first access from a client, it creates a session on the server side and stores it in memory. It then generates a unique identifier string for the session and places that identifier in the response header.
Step 2: When the browser receives the response, it parses the response header and saves the session_id in a local cookie. On the next HTTP request, the browser carries the cookie information for that domain in the request header.
Step 3: When the server receives the request, it parses the session_id out of the cookie in the request header, finds the session it saved for that client according to the session_id, and judges whether the request is valid.
III. Token authentication
1. Token authentication process
Step 1: The client requests login with a user name and password.
Step 2: The server receives the request and verifies the user name and password.
Step 3: After verification succeeds, the server issues a token and sends it to the client.
Step 4: After receiving the token, the client can store it in a cookie or in Local Storage.
Step 5: Each time the client requests a resource from the server, it must carry the token signed by the server.
Step 6: The server receives the request and verifies the token it contains. If verification succeeds, it returns the requested data to the client.
2. Token authentication scheme: JWT
JWT is a scheme proposed by Auth0 that implements authorization verification by encoding and signing JSON. After a successful login, the relevant information is assembled into a JSON object, which is then encoded and signed and returned to the client. The client carries the token in its next request, and the server verifies the validity of the token when it receives the request. A JWT is composed of three parts. Header: contains typ (the token type) and alg (the signing algorithm). Claims (payload): the user information to be shared. Signature: a signature string generated over the header and claims with a key held by the server, according to the alg algorithm. This segment is the most sensitive part: only the server holds the key needed to produce and check it.
IV. OAuth (Open Authorization)
1. The concept of OAuth
OAuth (Open Authorization) is an open standard that allows users to authorize a third-party website to access their information stored with another service provider, without giving the third-party website their user name and password or sharing all of their data. To protect the security and privacy of user data, the third-party website must explicitly ask the user for authorization before accessing the user's data. Common providers of OAuth login services include Alipay, QQ and WeChat.
2. OAuth authorization process
Step 1: Request authorization from the user. When we click the third-party login entry, the third-party authorization service leads us to its login and authorization page.
Step 2: After the user logs in and clicks "authorize", the authorization server generates a user credential (an authorization code). This code is appended to the redirect_uri address.
Step 3: The client then makes another request carrying the code; the authorization server verifies it and returns an access token.
Step 4: Requesting the resource again with the access token returns the protected resource information.