In this article, we have discussed the process of token-based authentication, its process, and the reason for its popularity over traditional cookie-based authentication.
Authentication is the process of determining whether a user or entity is who he/she claims to be. Authorization helps confirm the identity of a user through session cookies that rely on session IDs that are stored on the server. Hence, developers are forced to either create session storage that is unique to each & every server or implement an entirely separate layer for session storage.
The rise of Single Page Applications (SPAs) and decoupling of the front-end from the back-end is in full force. Frameworks like Angular, React, and Vue allow developers to build bigger, better, and more performant single page applications than ever before. Token-based authentication goes hand-in-hand with these frameworks.
Token-based authentication has gained prevalence over the past few years due to the rise of SPAs, web APIs, and the Internet of Things (IoT).
Token authentication (or token-based authentication) is one of the core elements of scalable identity and authorization management. Token authentication is stateless, secure, mobile-ready, and designed to grow with your user base without adding additional strain on your servers.
When we talk about authentication with tokens, we generally talk about authentication with JSON Web Tokens (JWTs). While there are different ways to implement tokens, JWTs have become the de-facto standard. With this context in mind, the rest of the article will use tokens and JWTs interchangeably.
Token-based authentication is stateless. The server does not keep a record of which users are logged in or which JWTs have been issued. Instead, every request to the server is accompanied by a token which the server uses to verify the authenticity of the request. The token is generally sent as an addition authorization header in the form of Bearer {JWT}, but can additionally be sent in the body of a POST request or even as a query parameter. Let us see how this flow works:
Although your server will have to generate a token, it does not have to store this token anywhere. As all the metadata of the user is encoded right into the token, any machine on your network will be capable of validating any user. The client and server can pass the token back and forth forever without having to store any session or user data. This is known as “statelessness.” It is the key to the scalability of your application.
In a mobile app, the usage of tokens for authentication enable you to securely and easily control the mobile devices that are accessing your API. They are easier to use as compared to cookies on Android and iOS. Moreover, they enable your app to authenticate requests received from multiple backends, without the need for extra efforts from your development team.
Due to their stateless nature, applications that are supported by distributed and multiple servers will benefit the most from tokens.
OAuth 2.0It is a framework that offers a set of protocols that facilitate interaction with a service that enables the delegation of authentication or the provision of authorization. OAuth 2.0 is widely adopted across several web and mobile applications.
Social logins are mainly designed for simplifying the login process for users and to realize a higher conversion rate for registrations. For the uninitiated, social login is a type of single sign-on using existing information from social networking sites, such as Facebook, Twitter, etc., where users are normally expected to have accounts.
Advantages of social loginsThe use of social logins can make the registration- or subscription process easier, and therefore faster.
When a consumer website wants to enable social functionalities, such as commenting on & the sharing of content or gamification, a social login can create an added value.
With multiple accounts, it is difficult for people to remember all of their login information. When they use a social login, they do not have to remember new login information.
Websites can gather profile-specific or social data when they are able to offer very specific content to users. This data includes information such as the name, e-mail, address, interests, activities, and friends of users. However, this can create problems for privacy. It can also result in the narrowing of diversity in views and options available on the internet.
Users can logon to websites with multiple social identities so that they have better control over their online identity.
Social login offers you instant demographic and psychographic data about your clients, which can be used for a better segmentation, personalization, and goal-targeted efforts.
Due to the availability of more detailed visitor data, user experiences can be more personalized.
If you brand is not very well-known, seeing familiar logos like Facebook and Twitter can enhance the feeling of familiarity and comfort.
When users do not have to remember usernames and passwords, there will be a lesser number of failed logins. This is because they still know which social login they have used.
Often, it is not easy to login on a smartphone. A social login can be an easy solution for smartphone users.
Social Login SetupSocial login mostly relies on an authentication scheme such as OAuth 2.0. Read the article below (linked below this paragraph) to learn more about the different login flows OAuth supports. We choose Passport to handle social login for us, as it provides different modules for a variety of OAuth providers, be it Facebook, Twitter, Google, GitHub, etc. In this article below, we will be using passport-Facebook to provide login functionality via an existing Facebook account.
https://medium.com/tkssharma/authentication-using-passport-js-social-auth-with-node-js-1e1ec7086ded