Distinguishing authentication, authorization, Cookie, Session, Token, JWT and OAuth 2.0


1.1 Authentication and authorization

In plain terms:

Authentication (who you are): verifying an identity credential (such as a username and password); through this credential the system knows who you are.

Authorization (what you are allowed to do): happens after authentication and governs what the user may access in the system.

1.2 What is a Cookie? What does a Cookie do?

What a Cookie is: a Cookie is data that a website stores on the user's local machine (encrypted) in order to identify the user. Cookies are stored on the client and are usually used to hold user information.

1.3 What is a Session? How do Session and Cookie differ?

What a Session does: it is a record of a user's state kept by the server.

Note: the Session lives on the server (stored within a single JVM). The server returns a SessionId (in the response header), the client stores that SessionId, and on the next request the server looks up the corresponding Session directly from the SessionId.

How to solve the distributed Session problem (Session sharing): use a Token directly.

       Session usage example: a typical application is the shopping cart. When you add an item to the cart, the system has no way of knowing which user performed the action, because the HTTP protocol is stateless; so the server creates a specific Session for that specific user in order to identify and track them.

How a Session is authenticated: through the SessionID, which is usually stored in Redis.

       Example: after the user logs in successfully, a Cookie carrying the SessionID is returned to the client. Every request the user then sends to the back end carries the SessionID, so the back end knows your identity and state.

The difference between Session and Cookie: Cookie data is stored on the client, Session data is stored on the server side; the Session is more secure.
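To make the Session flow above concrete, here is an added example (not code from the original post) of the server side of a Session-based login: the server keeps the user's state in a store keyed by a random SessionID, hands the client only that opaque id in a Set-Cookie header, and on later requests maps the id in the Cookie header back to the stored state. An in-memory dict stands in for Redis, and the 30-minute idle timeout, the cookie name SESSIONID and the function names are assumptions for this example.

```python
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional, Tuple

# In-memory stand-in for the server-side session store (Redis in the text).
# Only the server ever sees the contents; the client only holds the id.
SESSION_STORE: dict = {}
SESSION_TTL_SECONDS = 1800  # constructed value: 30-minute idle timeout


def create_session(user_id: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Server side after a successful login: record the user's state and
    return (session_id, Set-Cookie header value) for the response."""
    now = time.time() if now is None else now
    # 256 bits of randomness; the id is opaque and carries no user data itself
    session_id = secrets.token_urlsafe(32)
    SESSION_STORE[session_id] = {
        "user_id": user_id,
        "cart": [],
        "expires": now + SESSION_TTL_SECONDS,
    }
    jar = SimpleCookie()
    jar["SESSIONID"] = session_id
    jar["SESSIONID"]["httponly"] = True    # not readable from page scripts
    jar["SESSIONID"]["secure"] = True      # only sent over HTTPS
    jar["SESSIONID"]["samesite"] = "Lax"   # not attached to cross-site POSTs
    jar["SESSIONID"]["path"] = "/"
    set_cookie_value = jar.output(header="").strip()
    return session_id, set_cookie_value


def resolve_session(cookie_header: str, now: Optional[float] = None) -> Optional[dict]:
    """Server side on every later request: map the SessionID sent in the
    Cookie header back to the stored state, or None if not logged in."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("SESSIONID")
    if morsel is None:
        return None
    state = SESSION_STORE.get(morsel.value)
    if state is None:
        return None  # unknown or already ended session
    if state["expires"] <= now:
        SESSION_STORE.pop(morsel.value, None)  # expired: evict and treat as logged out
        return None
    return state


def end_session(session_id: str) -> bool:
    """Logout: because the state lives on the server, the session can be
    revoked immediately; the client's copy of the id becomes useless."""
    return SESSION_STORE.pop(session_id, None) is not None


if __name__ == "__main__":
    sid, header = create_session("alice")
    print("Set-Cookie:", header)
    print(resolve_session(f"SESSIONID={sid}"))
    end_session(sid)
    print(resolve_session(f"SESSIONID={sid}"))
```

The example also shows why the text calls the Session the more secure option: the client never holds the user data, only a random id, and the server can invalidate that id at any time.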

 

1.4 What is a Token? What is JWT?

Storing Session information on the server side is somewhat troublesome: its availability has to be guaranteed, and it is not well suited to mobile clients (it depends on Cookies).

What a Token does: it makes authentication possible without the server storing Session information the way a Session does; the client simply keeps the Token.

What JWT is: essentially a piece of JSON data with a signature; because it carries the signature, the recipient can verify its authenticity.

JWT consists of three parts:

  • Header: metadata describing the JWT, defining the algorithm used to generate the signature and the token type
  • Payload: holds the actual data that needs to be transferred
  • Signature: generated by the server from the Header and Payload using a key (secret), with the signature algorithm specified in the Header

Token-based identity verification, in outline:

(1) the server creates the token (Token) from the Payload, Header and secret (key), and sends the Token to the client;

(2) the client stores the Token in the Authorization field of the HTTP Header (it can also be placed in a Cookie, but then it cannot cross domains).

Detailed process:

-> the user sends the username and password to the server to log in to the system

-> the authentication service responds and returns a signed JWT (whose contents include who the user is)

-> on every subsequent request to the back end, the user carries the JWT in the Header

-> the server checks the JWT and obtains the user's information
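The three-part structure and the issue/verify flow described above, as an added example that is not part of the original post: the server builds the Header and Payload, signs them with HMAC-SHA256 (the HS256 algorithm) under its secret, and the client sends the result in the Authorization header. Verification recomputes the signature, pins the expected algorithm instead of trusting the alg field in the token, and rejects expired tokens, since nothing is stored server-side to consult. Only the standard library is used; the demo secret, the 15-minute lifetime and the function names are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Constructed sample key for the example only; a real deployment uses a
# randomly generated secret of at least 256 bits kept only on the server.
SECRET = b"constructed-demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    # JWT segments are base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_token(payload: Dict[str, Any], secret: bytes,
                 now: Optional[float] = None, ttl: int = 900) -> str:
    """Server side after login: Header + Payload, signed with the secret."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = dict(payload, iat=int(now), exp=int(now) + ttl)
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token: str, secret: bytes, now: Optional[float] = None) -> Optional[Dict[str, Any]]:
    """Server side on each request: return the claims if the signature and
    expiry check out, otherwise None. No server-side state is consulted."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: the token's own alg field must never choose the check.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        # Constant-time comparison of the recomputed and presented signatures.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
            return None  # missing or past expiry: the token is no longer valid
        return claims
    except (ValueError, AttributeError, TypeError):
        return None  # malformed segments, bad base64 or bad JSON


def bearer_header(token: str) -> Dict[str, str]:
    """Client side: how the Token travels in the HTTP Header."""
    return {"Authorization": "Bearer " + token}


def token_from_request(headers: Dict[str, str]) -> Optional[str]:
    """Server side: pull the Token out of the Authorization header."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token if scheme == "Bearer" and token else None


if __name__ == "__main__":
    tok = create_token({"sub": "alice", "role": "user"}, SECRET)
    print("Authorization:", bearer_header(tok)["Authorization"])
    print(verify_token(token_from_request(bearer_header(tok)), SECRET))
```

Because the server keeps nothing, a token stays valid until its exp claim passes; that is the trade-off against the Session, which can be revoked at once on the server.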

 

1.5 What is OAuth 2.0?

OAuth 2.0 is an industry-standard authorization protocol, mainly used to grant third-party applications limited access privileges. Its ultimate goal is to issue a time-limited token to the third-party application so that the application can obtain resources with that token (for example, third-party login).

 

Source: blog.csdn.net/RuiKe1400360107/article/details/103614491