An overview of the web authentication technologies available
Basic authentication
Basic authentication is an authentication method defined since HTTP/1.0.
Basic authentication puts the string "username:password", Base64-encoded, into the Authorization field of the request header for the server to verify. Because Base64 is only an encoding and not encryption, the risk of password theft is very high. In addition, ordinary browsers cannot perform a logout for Basic authentication.
If Basic authentication is used on a website, it is best to add SSL (i.e. enable HTTPS); otherwise the security of the password in transit cannot be guaranteed.
Digest authentication
To make up for the weaknesses of Basic authentication, Digest authentication has been available since HTTP/1.1. Digest authentication transmits the user's password to the server only as an MD5 digest, which reduces the risk of password theft, but it still does not solve the problem of user impersonation.
In step 2 of the exchange, the client's response is also called the request digest: the password string is run through MD5 together with the server's challenge to form a response code.
Neither Basic nor Digest authentication meets the high level of security that most websites pursue.
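The difference between the two schemes, as an added example that is not code from the original page: the Basic header is reversed with a single Base64 decode, while the Digest response is the RFC 2617 MD5 computation (the variant without qop) over a server-supplied nonce, so the server can verify it from a stored HA1 without ever seeing the clear password. The credentials, realm and nonce values are constructed for the demo.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials and realm (not from the page).
USER, PASSWORD, REALM = "alice", "s3cret", "example-realm"


def basic_header(user, password):
    """Build the Authorization header that Basic authentication sends.
    Base64 is an encoding, not encryption: anyone who sees the header
    can reverse it with base64.b64decode."""
    raw = f"{user}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def parse_basic(header):
    """What the server (or anyone on the wire without HTTPS) recovers."""
    scheme, _, value = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(value).decode().partition(":")
    return user, password


def ha1(user, realm, password):
    """RFC 2617 HA1 = MD5(username:realm:password); a server can store
    this instead of the clear password."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """Client side of step 2: the request digest. The nonce comes from the
    server's WWW-Authenticate challenge, so the clear password stays local."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    data = f"{ha1(user, realm, password)}:{nonce}:{ha2}".encode()
    return hashlib.md5(data).hexdigest()


def verify_digest(stored_ha1, method, uri, nonce, response):
    """Server side: recompute from the stored HA1 and compare in constant time."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    expected = hashlib.md5(f"{stored_ha1}:{nonce}:{ha2}".encode()).hexdigest()
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    hdr = basic_header(USER, PASSWORD)
    print(hdr, "->", parse_basic(hdr))  # the password is recovered trivially
    nonce = "constructed-nonce-1"       # constructed server challenge
    resp = digest_response(USER, REALM, PASSWORD, "GET", "/dir/index.html", nonce)
    print(verify_digest(ha1(USER, REALM, PASSWORD), "GET", "/dir/index.html", nonce, resp))
```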
SSL client authentication
SSL client authentication is performed with an HTTPS client certificate. With client certificate authentication, the server can confirm whether the access comes from a client that has been enrolled. The authentication process can be found in this article.
In most cases, SSL client authentication is used in combination with other authentication methods. Obviously, SSL client authentication can only prove that the request comes from a trusted client, not that it comes from a trusted user.
Bearer authentication
Bearer authentication also belongs to the HTTP standard authentication schemes and became popular with the OAuth protocol.
The credential in Bearer authentication is called the bearer_token, or access_token. Its issuance and verification are completely controlled by our own application and do not depend on the operating system or the web server. The standard request form for Bearer authentication is as follows:
Authorization: Bearer [BEARER_TOKEN]
The core of Bearer authentication is the bearer_token, and the most popular token encoding is the JSON Web Token.
The JSON Web Token (JWT) is especially suitable for the single sign-on (SSO) scenario of distributed sites. The claims of a JWT are generally used to pass the authenticated user's identity information between identity providers and service providers, and additional claims required by other business logic can be added. The token can also be used directly for authentication, or be encrypted.
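A minimal HS256 JWT issuer and verifier, as an added example that is not code from the original page: the identity provider signs the header and claims with HMAC-SHA256, and the service provider pins the algorithm, checks the signature in constant time and honours the exp claim before trusting the identity inside. The shared secret and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for this HS256 demo (not from the page).
SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims, secret=SECRET):
    """Identity-provider side: header.payload.signature, HMAC-SHA256 signed."""
    header = {"alg": "HS256", "typ": "JWT"}
    head_b64 = _b64url(json.dumps(header, separators=(",", ":")).encode())
    body_b64 = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    return f"{head_b64}.{body_b64}.{_b64url(sig)}"


def verify_jwt(token, secret=SECRET, now=None):
    """Service-provider side. Returns the claims dict, or None when the token
    is malformed, declares any alg other than HS256 (so "none" is rejected),
    carries a bad signature, or is past its "exp" claim."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm server-side; never let the header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(_b64url_decode(body_b64))
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        return None
    return claims
```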
Form authentication
Form-based authentication is not defined in the HTTP protocol. The client sends the login information (credentials) to the web application on the server, and authentication is decided by the result of verifying that login information.
Form authentication has no common standard or specification; each website implements it differently. Generally, cookie + session is used to manage the login session.
Form authentication must be implemented by the site itself. If security is fully considered, it can reach a high security level, but it is not uncommon for websites to have problems in their implementation of form authentication.
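The cookie + session pattern described above, as an added example that is not code from the original page: the password is verified against a salted PBKDF2 hash, the cookie carries only an opaque random session id that maps to server-side state, and logout invalidates that state, which is what Basic authentication cannot do. The user store and password are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000


def make_password_record(password):
    """Store a random salt and a PBKDF2-SHA256 hash, never the clear password."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store for the demo (not from the page).
USERS = {"alice": make_password_record("correct horse battery staple")}


def check_password(user, password):
    record = USERS.get(user)
    # Hash even for unknown users so response time does not reveal valid names.
    salt, digest = record if record else (b"\0" * 16, b"\0" * 32)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return record is not None and hmac.compare_digest(candidate, digest)


class SessionStore:
    """Server-side session state; the cookie only carries an opaque id."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, password):
        """Return the Set-Cookie header value on success, else None."""
        if not check_password(user, password):
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user}
        return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"

    def user_for(self, cookie_header):
        """Resolve the Cookie request header to a logged-in user, or None."""
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == "session" and value in self._sessions:
                return self._sessions[value]["user"]
        return None

    def logout(self, sid):
        """Unlike Basic authentication, a form login can be ended server-side."""
        self._sessions.pop(sid, None)
```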
OAuth2 + OpenID
OAuth and OpenID can be classified as third-party authentication, that is, the user is authenticated by a service other than the one being accessed.
OAuth is an open standard that allows users to let third-party applications access the user's private resources (such as photos, videos and contact lists) stored on a website without handing the user name and password to those third-party applications. The latest version of OAuth is currently 2.0.
OAuth emphasizes authorization. Let's take an example to show the OAuth authorization process. Have you all used WeChat authorization? First, the client asks the user whether to allow WeChat authorization. After the user allows it, the WeChat side returns a code; then the application's server uses this code to log in to the WeChat platform, and on success the user's access_token is returned; finally, the server uses the access_token to obtain the user's resources. The general process is as follows.
What is OpenID? OpenID emphasizes authentication. Imagine that when the client requests WeChat authorization, the user is not logged in to WeChat, or has no WeChat account at all: does the user have to be sent to the WeChat login page? This is what OpenID handles. OpenID only performs user authentication and cannot obtain any user information. The user's information is stored safely on the OpenID server (you can set up an OpenID service yourself, or choose a trusted OpenID service website to complete registration).
OpenID is often used for single sign-on between different services.
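The three-step authorization code exchange described in the OAuth paragraph above, as an added example that is not code from the original page and not WeChat's actual API: a simulated authorization server issues a short-lived, single-use code bound to the registered redirect_uri, exchanges it for an access_token only with the client secret, and then serves the user's resource against the Bearer header shown earlier. The client registration and user names are constructed for the demo.

```python
import hmac
import secrets
import time

# Constructed client registration standing in for the "WeChat" side of the text.
CLIENTS = {"demo-client": {"secret": "constructed-client-secret",
                           "redirect_uri": "https://app.example/callback"}}


class AuthorizationServer:
    """Simulates the platform that issues codes and tokens."""

    def __init__(self):
        self._codes = {}    # code -> (client_id, redirect_uri, user, expiry)
        self._tokens = {}   # access_token -> user

    def authorize(self, client_id, redirect_uri, user):
        """Step 1: after the user consents, issue a code bound to the client
        and to the redirect_uri it was registered with."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            return None
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, user, time.time() + 60)
        return code

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Step 2: the application's server exchanges the code for an access_token."""
        now = time.time() if now is None else now
        entry = self._codes.pop(code, None)   # pop: a code is usable once only
        client = CLIENTS.get(client_id)
        if entry is None or client is None:
            return None
        if not hmac.compare_digest(client["secret"], client_secret):
            return None
        bound_client, bound_uri, user, expiry = entry
        if bound_client != client_id or bound_uri != redirect_uri or now > expiry:
            return None
        access_token = secrets.token_urlsafe(32)
        self._tokens[access_token] = user
        return {"access_token": access_token, "token_type": "Bearer"}

    def userinfo(self, authorization_header):
        """Step 3: the resource request carrying the Bearer token."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or token not in self._tokens:
            return None
        return {"user": self._tokens[token]}
```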