Analysis of authentication methods for full-stack applications and implementation of a web application with an integrated authentication system
DOI: https://doi.org/10.30837/2522-9818.2024.3.076
Keywords: authentication; integrated authentication system; OAuth; JWT; token; web application
Abstract
The subject of the research is the methods and techniques of secure user authentication in web applications. The goal of the work is to analyse authentication methods and to implement a web application with an authentication system that integrates JWT tokens and the OAuth 2.0 standard. The article addresses the following tasks: analysis of the main protocols and methods of user authentication in web applications; implementation of authentication based on the OAuth 2.0 standard and JWT access/refresh tokens; and analysis of the risks of vulnerabilities and attacks for the implemented web application. Methods used: comparison, empirical analysis, calculation methods. The following results were obtained: the protocols and methods of user authentication in web applications were analysed; JWT tokens and the OAuth 2.0 standard were selected as the authentication methods for building modern web applications; a web application based on the selected authentication methods was created; and the risks of vulnerabilities and attacks in web applications were analysed. Conclusions: the best-known authentication methods for web applications are analysed. It is established that most modern authentication methods have many disadvantages, which increases the risks of using them. It is shown that one of the most reliable ways to protect web application user data is to combine JWT access/refresh tokens with browser fingerprints. Implementation, configuration and analysis of this approach have shown that the combination provides the most reliable prevention of token theft and of token use from another computer. OAuth 2.0 authentication was also implemented. The study found that delegating authentication to services such as Facebook or Google results in a low risk of attacks and vulnerabilities for a web application.
It is noted that OAuth 2.0 authentication can be compromised only at the start of the connection between the client and the server, specifically when the client first sends the initial browser-fingerprint information. This information is sent over the secure HTTPS (Hypertext Transfer Protocol Secure) protocol, so the risk of compromising OAuth 2.0 authentication is low.
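As an added illustration (not code from the paper or its web application) of the JWT plus browser-fingerprint binding the abstract describes: the server hashes the fingerprint attributes the browser sends at login, stores only that hash as a claim in an HS256 access token, and on every request rejects a token whose embedded hash does not match the requesting browser, so a stolen token is useless from another computer. The signing key, the fingerprint attributes and the claim name `fph` are assumptions chosen for this example.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed signing key for the demonstration only (assumption, not from the paper).
SECRET = b"demo-signing-key-change-me"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def fingerprint_hash(user_agent: str, accept_language: str, platform: str) -> str:
    """Hash of the browser attributes sent at login; the token carries only this hash."""
    raw = "|".join([user_agent, accept_language, platform]).encode()
    return hashlib.sha256(raw).hexdigest()

def issue_token(sub: str, fp_hash: str, ttl: int, now: Optional[int] = None) -> str:
    """Mint a short-lived HS256 access token bound to the fingerprint hash ('fph' claim)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "fph": fp_hash, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, fp_hash: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if signature, expiry and fingerprint all check out."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        sig_bytes = _b64url_decode(sig)
        claims = json.loads(_b64url_decode(payload))
    except ValueError:
        return None  # malformed token
    # The server always recomputes HS256 with its own key and ignores the header's
    # "alg" field, so an attacker cannot downgrade the algorithm via the header.
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return None  # tampered or forged
    if int(claims.get("exp", 0)) <= now:
        return None  # expired: the client must obtain a new one with its refresh token
    if not hmac.compare_digest(str(claims.get("fph", "")), fp_hash):
        return None  # presented from a different browser/computer: treat as theft
    return claims
```

Applying the same fingerprint check when a refresh token is exchanged extends the protection to the refresh flow as well.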
License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Our journal abides by the Creative Commons copyright rights and permissions for open access journals.
Authors who publish with this journal agree to the following terms:
Authors hold the copyright without restrictions and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0) that allows others to share the work with an acknowledgment of the work's authorship and initial publication in this journal.
Authors are able to enter into separate, additional contractual arrangements for the non-commercial and non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgment of its initial publication in this journal.
Authors are permitted and encouraged to post their published work online (e.g., in institutional repositories or on their website) as it can lead to productive exchanges, as well as earlier and greater citation of published work.