Ultimate Web Authentication Handbook: Strengthen Web Security by Leveraging Cryptography and Authentication Protocols

Cover Page
Title Page
Copyright Page
Dedication Page
Foreword
About the Author
About the Reviewer
Acknowledgement
Preface
Errata
Table of Contents
1. Introduction to Web Authentication
   Introduction
   Structure
   Tools and Resources
      MDN Web Docs
      Google Chrome
      CURL
      OpenSSL
      Go Language
      Flutter Framework
      HTTP Protocol Basics
      Headers
      Cookies
      Session Management
      Minimal Web Server
      Counter Cookie
      Session Cookie
      Protecting the Cookies
   Web Architecture
      Web Application Architecture
   Introduction to Authentication
      Credentials and access tokens
   Authentication over HTTP
   Limitations
      Form-based authentication
   Conclusion
   Questions
2. Fundamentals of Cryptography
   Introduction
      Security by Obscurity
   Structure
   Message Consistency
      Protection
   Symmetric Cryptography
      Encryption
      Signing
   Password Safety
   Asymmetric Cryptography
   Digital Signing
   Digital Certificates
      Certificate Profile
      Issuance
      Examples
         Self-Signed Certificate for CA
         Generating RSA Keypair and CSR
         Signing the CSR with CA
         Viewing the Certificate
         PKCS#12 Container
         Encryption Using Certificates
         Signing Using Certificates
   Digital Signing for Authentication
   Conclusion
   Reference Books
   Questions
3. Authentication with Network Security
   Introduction
      Network Protocols
   Structure
   Transport Layer Security
   Server Authentication
   Client Authentication
   Web Browser Support
      Client Certificates
      Non-TLS certificate-based authentication
   Conclusion
   Questions
4. Federated Authentication-I
   Introduction
   Structure
   Federated authentication
      Service provider initiated
      IDP initiated
   Single sign-on
   Authentication ticket or token
   Claims-based authentication
   SAML token
      Metadata
      Profiles
      Binding
      Configuring the identity provider
      Configuring the HR app service provider
      Session management
      Protecting the APIs
      Single sign-on
      IDP-initiated authentication
      Protected resources
   Identity and access management
   Conclusion
   Questions
5. Federated Authentication - II (OAuth and OIDC)
   Introduction
   Structure
   Authentication vs authorization
   OAuth protocol
      3-legged OAuth protocol
         Web application displaying GitHub user data
      Limited capability device
         Command line utility for GitHub
      Native applications
         Authorization server
         Integration and Resource Server
         Native client using Flutter
      Token issuance
         Token expiry
         Scopes
   OpenID Connect (OIDC)
      Using OAuth for Authentication
      Identity Token
      JSON Web Token
      Login with Google
         Configuring the Google Cloud Platform
         User Experience
         Token Security
         Token Expiry
         Service Endpoints
         Web front end
   Conclusion
   Questions
6. Multifactor Authentication
   Introduction
   Structure
   Factors of authentication
   OTP-based authentication
      HOTP Sample
      Synchronization of the counter
      Unattended HOTP devices
      Time-based OTP
      Synchronization of time
      Exchanging shared secret
      Other OTP-like authenticators
   Fast Identity Online (FIDO)
      Registration
      Authentication
      Sample code and user interface
         Selection of FIDO 2 Devices
         Front end for registration
         REST APIs for registration
         Device Attestation
         Device Security
   Bringing it all together
      Authorization policy
      Server-rendered authentication forms
      User consent
      Session Management
      Post Registration
   Conclusion
   Questions
7. Advanced Trends in Authentication
   Introduction
   Structure
   Digital identity
      Proliferation of identities
      Foundational identity
      Digital identity
      Indian National Foundational Identity (Aadhaar)
         Validation
         Ecosystem
      Beyond India (MOSIP)
      Know your customer
         Beyond identity
         e-Signing
      Identity Wallets
   Biometric authentication
      Fingerprint
      Face biometry
      Other biometric technologies
      Local vs. server authentication
      Liveness and antispoofing mechanisms
   Post-quantum cryptography
      Current status
   Zero trust architecture
      Standardization
   Conclusion
   Questions
Appendix A: The Go Programming Language Reference
   Introduction
   Installation
   The Go Play Ground
      Hello World
      Simple function
      Closure
      HTTP server
   Built-in data types
   Variables
      Pointers
      Global vs. local
   Control flow
   Error handling
   User-defined data types
   Interface
   Exporting methods and variables
   Resolving package dependencies
   Conclusion
Appendix B: The Flutter Application Framework
   Introduction
   Installation
   DartPad
      Hello World
      Fibonacci function
      Futures
      HTTP Requests
   User interface
      Stateless vs stateful widgets
      Providers and change notifications
   Conclusion
Appendix C: TLS Certificate Creation
   Introduction
   Root certificate
   Intermediate CA
   TLS server certificate
   Generating the PKCS-12 file
   Client hierarchy
Index