Académique Documents
Professionnel Documents
Culture Documents
See http://docs.aws.amazon.
com/general/latest/gr/sigv4_si
gning.html
When to use For internal APIs that are used If you are building a web Mobile, Web, Server side If you are building a web For web and mobile apps Only for server side Only if you have external third
from server side only, and are application only, and your apps. Only if you are okay to application only, and can store when you already have a applications when you provide party developers who want
low-value. framework supports it, and you forego revocation and sessions in database or a distributed cache like your clients a library to user specific data, and you
do not have a distributed inactivity based timeout. distributed cache redis/memcached. manage the cryptography, and need permission from your
cache like redis/memcached. For server side apps, prefer only if you are concerned users before sharing their data
Don't implement this on your JWT with per-request token. about replay attacks. with the third party.
own.
In practice, using JWT for For anything else, OAuth is
every request, and including overkill.
the url and key request
parameters in the JWT
achieves most of the benefits
of this approach without
implementing the complex
canonicalization algorithm
Where is data Server side. The username is In the cookie In the token Stored server side either in Stored server side either in Server side. The "userid" is TBD
stored? passed in the request, the memory or in database or in memory or in database or in passed in the request, the
server validates it using the distributed cache or in file distributed cache or in file signature tells the server it is
provided password, and then system. system. indeed that user. The server
looks up whatever information can then look up whatever
it wants from it's database. information it wants from it's
database.
Expiry Not relevant. Upto the server Stored in the cookie Stored in the token Stored server side Stored server side Passed in the request, and
to manage usually valid for a very short
time only.
Use Crypto? No Cryptography Yes, but usually handled by Yes, but usually handled by No Cryptography No Cryptography Yes.
web framework mature library Outside of AWS libraries,
there isn't a good standard
implementation, so it will be
painful to use if you don't
provide client libraries
Inactivity based Not relevant. Don't use this Server has to overwrite the Painful. Yes. Yes. Doesn't make sense.
timeout technique for web based cookie with every request, You have to use refresh Easily handled out of the box With every request, increment This approach only makes
clients setting a new expiry time. If tokens, which is added work in every web framework the timeout on the server side. sense for server side
the framework doesn't handle for the client. applications, and in such
this alread, this can be painful You can maintain a applications inactivity based
last_seen_at flag in a timeout does not make sense
database/cache, and use that
to expire, but then you lose the
benefits of being stateless
Revocation Not relevant. Don't use this Painful. Painful. Possible, but exact capabilities Yes. Yes,
technique for web based You have to maintain a You have to maintain a depends on web framework Simply delete the session data The server can easily deny the
clients separte revocation list in a separate revocation list in a on the server side, and next request.
distributed store. Again, you distributed store. Again, you request will be considered
lose the benefits of being lose the benefits of being unauthenticated.
stateless stateless.
Browser: Not relevant. Don't use this Implicit. Explicit. Implicit. Explicit. Not applicable.
Storage technique for web based Browser handles this Programmer has to store the Browser handles this Programmer has to store the This technique is not suitable
clients automatically, no effort on part token somewhere. Usually automatically, no effort on part token somewhere. Usually for web applications.
of the programmer sessionStorage or of the programmer sessionStorage or
localStorage. localStorage.
HTTP Basic Auth Stateless Session Cookie JWT Stateful Session Cookie Random Token Full Request Signature OAuth
Passing Passed in Authorization As cookie. Browser As request header - As cookie. Browser As request header - Passed in the Authorization
Credentials header automatically sends this to the Authorization: Bearer <token> automatically sends this to the Authorization: Bearer <token> header, but instead of
server server "bearer", it will be some other
Example: Programmer explicitly passes Programmer explicitly passes custom scheme. AWS uses
this with every request this with every request AWS4-HMAC-SHA256.
Authorization: Basic
QWxhZGRpbjpPcGVuU2VzY Example:
W1l
Authorization: AWS4-HMAC-
Username and password are SHA256
NOT encrypted Credential=AKIDEXAMPLE/20
150830/us-east-
1/iam/aws4_request,
SignedHeaders=content-type;
host;x-amz-date,
Signature=5d672d79c15b131
62d9279b0855cfba6789a8edb
4c82c400e06b5924a6f2b5d7