Access Control (ACL)
When is Basic Authorization used vs. Bearer Authorization?
The Basic and Digest authentication schemes are dedicated to authentication with a username and a secret (see RFC 7617 for Basic and RFC 7616 for Digest). The Bearer authentication scheme is dedicated to authentication with a token and is described in RFC 6750. Although this scheme originates in the OAuth 2.0 specification, you can use it in any other context where tokens are exchanged between a client and a server.
Concerning JWT authentication: since a JWT is a token, the best choice is the Bearer authentication scheme. Nevertheless, nothing prevents you from using a custom scheme that fits your requirements.
What does the JSON Web Token package do?
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
What considerations should we make when creating and storing a SECRET?
- Never store unencrypted secrets in .git repositories
- Don’t share your secrets unencrypted in messaging systems like Slack
- Store secrets safely
  - Use encryption to store secrets within .git repositories
  - Use environment variables
  - Use “Secrets as a service” solutions
- Restrict API access and permissions
  - Default to minimal permission scope for APIs
  - Whitelist IP addresses where appropriate
  - Use short-lived secrets
Terms:
| Term | Def |
|---|---|
| encryption | The process of taking plain text, like a text message or email, and scrambling it into an unreadable format called “cipher text”. |
| token | Token-based authentication is a process where the client application first sends a request to the authentication server with valid credentials. The authentication server sends an access token to the client as a response. This token contains enough data to identify a particular user and it has an expiry time. The client application then uses the token to access the restricted resources in subsequent requests for as long as the token is valid. If the access token has expired, the client application can request a new access token by using a refresh token. |
| bearer | Bearer authentication (also called token authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens. The name “Bearer authentication” can be understood as “give access to the bearer of this token.” The bearer token is a cryptic string, usually generated by the server in response to a login request. |
| secret | As the name implies, an application secret is anything about an application that its developer wants to keep secret, such as passwords, API keys, and digital certificates. Typically, these secrets are used for identity and access management (IAM), making protecting them a vital component of access control — particularly in cases where the application has access rights to business-critical services and systems. |
| JSON Web Token | JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. |