Practical gateway to securing web applications with OIDC, OAuth, SAML, FIDO, and Digital Identity to.
Book Description
In today's digital landscape, web apps evolve rapidly, demanding enhanced security. This Ultimate Web Authentication Handbook offers a comprehensive journey into this realm. Beginning with web authentication basics, it builds a strong foundation. You'll explore cryptography fundamentals, essential for secure authentication. The book delves into the connection between authentication and network security, mastering federated authentication via OAuth and OIDC protocols.
You'll also harness the power of multi-factor authentication and stay up to date on advanced trends. The book deepens your understanding of JSON Web Token (JWT), FIDO 2, WebAuthn, and biometric authentication to fortify web apps against multifaceted threats. Moreover, you'll learn to use Identity and Access Management (IAM) solutions for constructing highly secure systems. Whether you're a developer, security enthusiast, or simply curious about web security, this book unlocks the secrets of secure online interactions.
Author(s): Sambit Kumar Dash
Publisher: Orange Education PVT Ltd
Year: 2023
Language: English
Pages: 338
Cover Page
Title Page
Copyright Page
Dedication Page
Foreword
About the Author
About the Reviewer
Acknowledgement
Preface
Errata
Table of Contents
1. Introduction to Web Authentication
Introduction
Structure
Tools and Resources
MDN Web Docs
Google Chrome
CURL
OpenSSL
Go Language
Flutter Framework
HTTP Protocol Basics
Headers
Cookies
Session Management
Minimal Web Server
Counter Cookie
Session Cookie
Protecting the Cookies
Web Architecture
Web Application Architecture
Introduction to Authentication
Credentials and access tokens
Authentication over HTTP
Limitations
Form-based authentication
Conclusion
Questions
2. Fundamentals of Cryptography
Introduction
Security by Obscurity
Structure
Message Consistency
Protection
Symmetric Cryptography
Encryption
Signing
Password Safety
Asymmetric Cryptography
Digital Signing
Digital Certificates
Certificate Profile
Issuance
Examples
Self-Signed Certificate for CA
Generating RSA Keypair and CSR
Signing the CSR with CA
Viewing the Certificate
PKCS#12 Container
Encryption Using Certificates
Signing Using Certificates
Digital Signing for Authentication
Conclusion
Reference Books
Questions
3. Authentication with Network Security
Introduction
Network Protocols
Structure
Transport Layer Security
Server Authentication
Client Authentication
Web Browser Support
Client Certificates
Non-TLS certificate-based authentication
Conclusion
Questions
4. Federated Authentication - I
Introduction
Structure
Federated authentication
Service provider initiated
IDP initiated
Single sign-on
Authentication ticket or token
Claims-based authentication
SAML token
Metadata
Profiles
Binding
Configuring the identity provider
Configuring the HR app service provider
Session management
Protecting the APIs
Single sign-on
IDP-initiated authentication
Protected resources
Identity and access management
Conclusion
Questions
5. Federated Authentication - II (OAuth and OIDC)
Introduction
Structure
Authentication vs authorization
OAuth protocol
3-legged OAuth protocol
Web application displaying GitHub user data
Limited capability device
Command line utility for GitHub
Native applications
Authorization server
Integration and Resource Server
Native client using Flutter
Token issuance
Token expiry
Scopes
OpenID Connect (OIDC)
Using OAuth for Authentication
Identity Token
JSON Web Token
Login with Google
Configuring the Google Cloud Platform
User Experience
Token Security
Token Expiry
Service Endpoints
Web front end
Conclusion
Questions
6. Multifactor Authentication
Introduction
Structure
Factors of authentication
OTP-based authentication
HOTP Sample
Synchronization of the counter
Unattended HOTP devices
Time-based OTP
Synchronization of time
Exchanging shared secret
Other OTP-like authenticators
Fast Identity Online (FIDO)
Registration
Authentication
Sample code and user interface
Selection of FIDO 2 Devices
Front end for registration
REST APIs for registration
Device Attestation
Device Security
Bringing it all together
Authorization policy
Server-rendered authentication forms
User consent
Session Management
Post Registration
Conclusion
Questions
7. Advanced Trends in Authentication
Introduction
Structure
Digital identity
Proliferation of identities
Foundational identity
Digital identity
Indian National Foundational Identity (Aadhaar)
Validation
Ecosystem
Beyond India (MOSIP)
Know your customer
Beyond identity
e-Signing
Identity Wallets
Biometric authentication
Fingerprint
Face biometry
Other biometric technologies
Local vs. server authentication
Liveness and antispoofing mechanisms
Post-quantum cryptography
Current status
Zero trust architecture
Standardization
Conclusion
Questions
Appendix A: The Go Programming Language Reference
Introduction
Installation
The Go Play Ground
Hello World
Simple function
Closure
HTTP server
Built-in data types
Variables
Pointers
Global vs. local
Control flow
Error handling
User-defined data types
Interface
Exporting methods and variables
Resolving package dependencies
Conclusion
Appendix B: The Flutter Application Framework
Introduction
Installation
DartPad
Hello World
Fibonacci function
Futures
HTTP Requests
User interface
Stateless vs stateful widgets
Providers and change notifications
Conclusion
Appendix C: TLS Certificate Creation
Introduction
Root certificate
Intermediate CA
TLS server certificate
Generating the PKCS-12 file
Client hierarchy
Index