Authentication: who are you? An anonymous user? A registered user? An admin user?
Authorization: what are you allowed to do?
On the other hand, they are complementary concepts: authentication establishes identity, authorization decides what that identity may do.
HTTP as the REST protocol: the typical API design, but what does it mean?
REpresentational State Transfer. RESTful is typically used to refer to web services implementing such an architecture.
The REST philosophy allows you to create services compatible with any device or client that supports the HTTP protocol.
REST typically uses JSON as the data format.
The most important REST features are: ● Stateless (what does stateless mean?) ● Uniform interface ● Based on HTTP status codes ● Cacheable
The client has the responsibility to identify itself on every request. Requests carry no server-side state. Why? Scalability: any server can answer any request without a shared session.
Cookies are typically used for storing and sharing sessions.
REST + Cookies
The problem is that cookies have a lot of security and privacy problems: ● Session hijacking ● Third-party cookies ● XSS attacks (cookie theft) ● Cross-site request forgery (CSRF). The Secure and HttpOnly flags reduce the first three but do not remove them, and CSRF exists precisely because the browser attaches cookies automatically to every request.
A better approach Token-based Authentication JSON Web Tokens (JWT)
JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are a JSON object, base64url-encoded, that is digitally signed using JSON Web Signature (JWS). At the time of this talk an IETF working group was still finalizing the standard (draft 32; it was later published as RFC 7519).
REST + JWT
Benefits of the JWT approach: ● Mobile ready ● CORS (no cookies, so a cross-origin API call only needs a header) ● Performance (no server-side session lookup) ● More control ● Fewer security problems, CSRF in particular, because nothing is sent automatically by the browser...
The token must be stored somewhere on the client. A cookie can be a convenient store, but DON'T rely on the browser sending the cookie: read the value and send it yourself, in the Authorization header, while the server ignores cookies for authentication. Caveat: whatever store you pick, the token must be readable by your script, so an XSS bug can still steal it.
What about OAuth2?
OAuth2 is an authorization architecture that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, Twitter, GitHub... It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access that account. OAuth2 provides authorization flows for web, desktop and mobile applications without the user sharing their credentials with the third party.
OAuth2 also follows a token approach, but in the authorization flow: the third-party application ends up with an access token limited to the scope the user consented to.
Is JWT better than the cookie approach? Probably about the same. If you have a cookie-based approach without security problems and you follow good practices, you are on the right track. JWT is the natural evolution of cookies and fixes some of those issues from the beginning. What we are looking for is security and control.