[Draft] Authentication - vinhtbkit/bkit-kb GitHub Wiki

Terms

Identity Provider (IdP)

  • Services that store and verify user identity

Service Provider

  • Federation partner that provides services to the user

Types of authentication

Password authentication

The user remembers a username and password and uses them to authenticate.

Implementation:

Cons:

  • Vulnerable to attacks (man-in-the-middle, brute force, password guessing, ...)
  • Passwords may be exposed on the server

Token authentication

The user provides credentials once and the Identity Provider issues an authentication token, which can then be used to authenticate without presenting the credentials again until the token expires.

Biometric authentication

Multi-factor authentication (MFA)

An authentication factor is a certain proof that verifies a user’s identity.

  • Knowledge factor: what the user knows (username, password, PIN, ...)
    • Can be easily cracked or stolen
  • Possession factor: what the user owns (mobile device, OTP device, SIM card, ...)
    • Much more difficult to attack
  • Inherence factor: fingerprints, face recognition...

Authentication protocols

LDAP

SAML

OIDC

API Authentication methods

Basic authentication

  • Authenticate using username + password
  • Format: Authorization: Basic XXXX, where XXXX is the Base64 encoding of username:password
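As an added example (not code from this wiki), the following Python shows both sides of the Basic scheme described above: building the header on the client, and parsing and verifying it on the server. It splits on the first colon only (so passwords containing ':' survive), rejects malformed input, and stores only a salted PBKDF2 hash rather than the password itself, which addresses the "password exposed on the server" con listed under password authentication. The user store, salt and credentials are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional, Tuple

def basic_header(username: str, password: str) -> str:
    """Client side: 'Basic ' + Base64(username:password)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Parse an 'Authorization: Basic XXXX' value into (username, password).
    Returns None if the header is missing, uses another scheme, is not valid
    Base64/UTF-8, or has no ':' separator. Splits on the FIRST colon only:
    the username may not contain ':' (RFC 7617), but the password may.
    """
    if not header:
        return None
    scheme, _, payload = header.strip().partition(" ")
    if scheme.lower() != "basic" or not payload.strip():
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None

# Constructed demo credential store: only a salted PBKDF2 hash is kept,
# never the password, so a leaked store does not directly reveal credentials.
_SALT = b"constructed-demo-salt"  # real deployments use a random per-user salt

def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)

USERS = {"alice": _hash_password("s3cret:with:colons")}

def authenticate(header: Optional[str]) -> bool:
    """Server side: True only if the header carries valid credentials."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    username, password = creds
    stored = USERS.get(username)
    if stored is None:
        _hash_password(password)  # keep timing similar for unknown usernames
        return False
    return hmac.compare_digest(stored, _hash_password(password))  # constant-time
```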

API keys

  • Uses a custom header or a request parameter to authorize the request

OAuth2

Authentication strategies for microservices

Authentication performed by each microservice

Authentication with an authentication service

Authentication using API Gateway