osyris-3187 asked:

Best method for Security and identity for a full stack developer

I have created an authentication and authorization system before with ASP.NET Core MVC and Razor Pages.
I would create a cookie that would be connected to my database to check if someone is still logged in
and who would be able to get access.

Now I have heard about JWT, which seems to be a much better way to authenticate a website,
since it would no longer be needed to store it on the server, since all the information is in the token,
and you can work with multiple servers without the user having to log in again.

I have seen some services like Auth0 which seem to handle all the heavy lifting, including
login with Facebook, Google etc. as well as two-factor authentication; everything seems to be already done.
But I think it does take away the flexibility of a full-stack developer, and there is a price tag on those services.

I would like to know what would be the choice for a full-stack developer (using React.js),
and what would be best to learn and use in the future when, for example, working for a company.
Also, please correct me if I'm wrong; I'm trying to orient myself toward the most professional way to handle authentication and authorization.

Tags: microsoft-authenticator, dotnet-aspnet-core-general, dotnet-aspnet-core-webapi, dotnet-aspnet-core-security

AgaveJoe answered:

A JSON Web Token (JWT) is basically a signed string that contains user claims, created by a trusted token server. JWT is an open standard used for authorization. A client must send a JWT (a Bearer token in an HTTP header) to gain access to a secured resource like a Web API controller. The fact that the client has the JWT indicates the client previously authenticated with a trusted token server.

OAuth is an open standard, a protocol, for authorization; it is not a service and it is not authentication. OAuth uses access tokens to allow client applications delegated access to secured resources over HTTP. Keep in mind there are different types of clients which OAuth supports.

There's also OpenID, which is a protocol that defines what type of information is shared in a token, like the user's email address.

The type of security used with React depends on the security requirements. A typical situation is a React application that is a client to a secured Web API application. First, the React application must get the access token by authenticating with a token server. The React application must then send the access token to the Web API application to gain access to the secured resource.

What I've explained above is a brief overview. Online resources are plentiful and the RFCs are openly published. Set aside time to learn the basics and create a few demo apps to get the idea.


ChaoDeng-MSFT answered:

Hi @osyris-3187,

JSON Web Tokens (JWTs) are so hot right now. They're all the rage in web development.

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

However, improper use of JWT can adversely affect application security. You can refer to this article to learn more.

You can read this article about how to use JWT in ASP.NET Core: https://devblogs.microsoft.com/aspnet/jwt-validation-and-authorization-in-asp-net-core/

Best Regards,

ChaoDeng

Bruce-SqlWork answered:

If you are writing React apps that call a Web API, it's much easier to use a JWT token rather than cookies. If local authentication rather than OAuth, you just supply a Web API to which you pass a user name and password and get a token back. The login is a little more complex for OAuth, but there are React modules for this.

Once the React app has a token, it just passes the token on each request. The request will get a 401 error if no access, instead of the redirect response from cookie authentication.

A JWT token, like a cookie token, has a lifetime. If you need to check during the lifetime whether it is valid, you need to check each request like you do now.

OAuth has a concept of refresh tokens. These have a long lifetime, but are only used to get an access token, which has a short lifetime.
