I was doing some research on authentication, since I want to improve this part of my system, and I found some cases like Basic, OAuth1 and OAuth2.
What's the difference between them? What are they really? I read a bit about it, but I could not understand much yet.
Can I develop an OAuth system? Or do I depend on something?
I want to develop my new API with NodeJS + MySQL (currently it is PHP + MySQL) and in the future migrate to NodeJS + MongoDB.
This is a method that the User-Agent (a line of text that identifies the browser and the OS to the web server) uses to provide a username and password when making a request. It is the simplest access control technique because it does not require cookies or session identifiers; instead it uses default fields in the HTTP header. It also does not guarantee the application much security.
Basically OAuth (Open Authorization) is a secure authorization protocol that addresses the authorization of third-party applications to access some data without exposing the password.
Some differences between OAuth1 and OAuth2:
- Better support for applications other than a web browser. This is an important point compared with OAuth1, where desktop or mobile applications had to direct the user to the browser. With OAuth2 there are new ways for an application to obtain authorization.
- OAuth2 signatures are less complicated.
- One purpose of OAuth2 is to have a clear separation between the roles of the request server and the server that manages the user's authorization.
- Access tokens are shorter in OAuth2.
- OAuth2 does not require client applications to have encryption.
More details are in the article above.
In practical terms for node.js
There are direct and simple ways to implement OAuth-based authentication with node.js using existing libraries. It is necessary to have authorization servers, which can be created or could be Facebook, Github, Twitter, Gmail or any other service. A library that implements OAuth2 is passportjs; I recommend studying it (the implementation is not traumatic and there are several examples), and with it you can configure the authentication strategy – Username and Password or Facebook, for example. So in fact what will authorize the client to connect to the application will be the communication between the access server (your application) and the authorization server (Facebook). The user will not need to include a username and password.
Sources for more specific studies: