Inno III- Auth Flashcards
Authentication vs Authorization
Authentication: Verifies who a user is (identity verification).
Authorization: Determines what actions or resources a user is allowed to access.
ASP.NET Core Authentication
Built-in Authentication: Supports cookie-based, JWT, and third-party authentication providers (Google, Facebook, etc.).
Authentication Middleware: Uses AddAuthentication and UseAuthentication in Startup.cs.
Authentication Schemes: Define how users are authenticated (e.g., JWT Bearer, Cookies).
Role-based Authorization
Role-based Auth: Restricts access based on user roles.
Example: [Authorize(Roles = "Admin")].
Role Claims: Roles are added as claims to the user’s identity.
Policy-based Authorization
Policy-based Auth: Uses policies with requirements to control access.
services.AddAuthorization(options =>
{
    options.AddPolicy("RequireAdmin", policy => policy.RequireRole("Admin"));
});
Access & Refresh Tokens
Access Token: Short-lived token for accessing protected resources.
Refresh Token: Long-lived token used to request new access tokens.
Identity Server
Identity Server: Open-source framework for handling authentication, authorization, and single sign-on (SSO).
OAuth 2.0
OAuth 2.0: Authorization framework for granting third-party apps access to user resources without sharing credentials.
Key Flows: Authorization Code, Client Credentials, Implicit, and Resource Owner Password.
Tokens: Issues access tokens and (optionally) refresh tokens.
Access Token
What it is: A short-lived token used to access protected resources (e.g., APIs).
When you get it: After a successful login or authorization request (like via OAuth 2.0).
Contents: Encodes user info, claims, and an expiration time.
Expiration: Typically short (e.g., 15-60 minutes) for security reasons.
Refresh Token
What it is: A long-lived token used to get a new access token without logging in again.
When you get it: Along with the access token, during login or authorization.
Usage: Sent to a token endpoint to exchange for a new access token.
Expiration: Longer lifespan (e.g., days or weeks) but should be securely stored.
What Happens When a JWT Expires?
API call fails: If you use an expired token, the server returns 401 Unauthorized.
Client flow: The app detects the failure, checks the refresh token, and requests a new access token.
Token refresh request: The client sends the refresh token to the authentication server.
Server response: If the refresh token is valid, the server issues a new access token (and sometimes a new refresh token).
Role-based Authorization
Role-based Auth: Restricts access based on user roles.
Roles: Represent a set of permissions or responsibilities (e.g., Admin, User, Manager).
Example: [Authorize(Roles = "Admin")].
Role Claims: Roles are added as claims to the user’s identity during authentication.
Assigning Roles: Roles can be assigned to users in the database or through ASP.NET Core Identity.
Combining Roles: You can authorize multiple roles (any one of them grants access): [Authorize(Roles = "Admin,Manager")].
Policy-based Authorization
Policy-based Auth: Uses policies with requirements to control access.
Policies: More flexible than roles, as they allow for complex conditions (e.g., age, email domain).
Requirements: Define specific conditions (e.g., must be over 18 years old).
Handlers: Evaluate the requirements and decide if access is granted.
services.AddAuthorization(options =>
{
    options.AddPolicy("RequireAdmin", policy => policy.RequireRole("Admin"));
    options.AddPolicy("Over18", policy => policy.Requirements.Add(new MinimumAgeRequirement(18)));
});
Identity Server
Identity Server: Open-source framework for handling authentication, authorization, and single sign-on (SSO).
Supports: OAuth 2.0, OpenID Connect, and custom authentication workflows.
Token Issuer: Manages issuing, validating, and refreshing tokens.
Scopes: Define the resources and actions a token can access.
Clients: Applications that request tokens (e.g., web apps, mobile apps, APIs).
Resources: APIs or services that are protected and need authorization.
OAuth 2.0
OAuth 2.0: Authorization framework for granting third-party apps access to user resources without sharing credentials.
Key Flows:
Authorization Code: Secure flow for server-side apps (recommended for most web apps).
Client Credentials: For machine-to-machine communication.
Implicit (deprecated): Older flow for SPAs (now replaced by Authorization Code + PKCE).
Resource Owner Password: Directly exchanging username/password for tokens (less secure).
OAuth 2.0
Tokens:
Access Token: Grants access to protected resources.
ID Token: Contains user identity information (in OpenID Connect).
Refresh Token: Allows refreshing an expired access token without logging in again.
Example Flow:
User logs in → App sends credentials to Identity Server.
Identity Server validates credentials → Issues access & refresh tokens.
User accesses API with access token → API verifies token with Identity Server.
Access token expires → App uses refresh token to get a new access token.