This question gets a ton of views–and has a Popular Question badge–so I know there is a lot of latent interest in this topic, and many people are asking exactly the same thing and not finding answers on the Interwebs. Most of the available information results in the textual equivalent of the hand wavy thing, … Read more
HTTP is stateless. In order to authorize you, you have to “sign” every single request you’re sending to server. Token authentication A request to the server is signed by a “token” – usually it means setting specific HTTP headers, however, they can be sent in any part of the HTTP request (POST body, etc.) Pros: … Read more
Basically, refresh tokens are used to get new access token. To clearly differentiate these two tokens and avoid getting mixed up, here are their functions given in The OAuth 2.0 Authorization Framework: Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner. The client uses the access … Read more
Come on guys 🙂 We could do it simpler, by examples: /this-is-an-endpoint /another/endpoint /some/other/endpoint /login /accounts /cart/items and when put under a domain, it would look like: https://example.com/this-is-an-endpoint https://example.com/another/endpoint https://example.com/some/other/endpoint https://example.com/login https://example.com/accounts https://example.com/cart/items Can be either http or https, we use https in the example. Also endpoint can be different for different HTTP methods, for … Read more
Most Subversion commands take the –username option to specify the username you want to use to the repository. Subversion remembers the last repository username and password used in each working copy, which means, among other things, that if you use svn checkout –username myuser you never need to specify the username again. As Kamil Kisiel … Read more
To expand on Conor’s answer and add a little bit more to the discussion… Can someone give me a step by step description of how cookie based authentication works? I’ve never done anything involving either authentication or cookies. What does the browser need to do? What does the server need to do? In what order? … Read more
I’m the author of a node library that handles authentication in quite some depth, express-stormpath, so I’ll chime in with some information here. First off, JWTs are typically NOT encrypted. While there is a way to encrypt JWTs (see: JWEs), this is not very common in practice for many reasons. Next up, any form of … Read more
If you are looking for an authentication framework for Connect or Express, Passport is worth investigating: https://github.com/jaredhanson/passport (Disclosure: I’m the developer of Passport) I developed Passport after investigating both connect-auth and everyauth. While they are both great modules, they didn’t suit my needs. I wanted something that was more light-weight and unobtrusive. Passport is broken … Read more
tl;dr: This is all because of security reasons. OAuth 2.0 wanted to meet these two criteria: You want to allow developers to use non-HTTPS redirect URI because not all developers have an SSL enabled server and if they do it’s not always properly configured (non-self signed, trusted SSL certificates, synchronised server clock…). You don’t want … Read more
You need to start mongod with the –auth option after setting up the user. From the MongoDB Site: Run the database (mongod process) with the –auth option to enable security. You must either have added a user to the admin db before starting the server with –auth, or add the first user from the localhost … Read more