Skip to content

Resources to learn and implement authentication in your application

License

Notifications You must be signed in to change notification settings

gitcommitshow/awesome-authentication

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 
 
 

Repository files navigation

Banner

This is compilation of research on implementing authentication in applications(Covering authentication using JWT for now, more approaches will follow soon)

Fundamentals You Must Know

Cryptography

About Tokens

About Frameworks

Web-Security Recommendations

Secure Key Exchange In Public

Maintaining Forward Secrecy

Invalidating JWT

  • Simply remove the token from the client
  • Create a token blacklist
  • Just keep token expiry times short and rotate them often
  • Contingency Plans : allow the user to change an underlying user lookup ID with their login credentials

A common approach for invalidating tokens when a user changes their password is to sign the token with a hash of their password. Thus if the password changes, any previous tokens automatically fail to verify. You can extend this to logout by including a last-logout-time in the user's record and using a combination of the last-logout-time and password hash to sign the token. This requires a DB lookup each time you need to verify the token signature, but presumably you're looking up the user anyway.

Securtity Risks and Criticism of JWT

Implementations(Examples/Demos)

Useful Tools