Web Authentication

January 31, 2020

Web Authentication Diagram from https://www.javainuse.com/62-12-min.JPG

Been struggling to work out web authentication security.

But I think I’ve made some sense of it now.

You’ve got to think about password hashing when you store the password…

from passlib.hash import sha256_crypt

# passlib 1.7+ uses .hash(); .encrypt() is the deprecated alias for the same thing.
# Each call draws a fresh random salt, so hashing the same password twice
# gives two different strings. Store the hash, never the password.
password = sha256_crypt.hash("password")
password2 = sha256_crypt.hash("password")
assert password != password2

# verify() re-derives the hash from the salt embedded in the stored string.
print(sha256_crypt.verify("password", password))   # True

…and JSON Web Tokens when you are verifying that someone has logged in…

import datetime

import jwcrypto.jwk as jwk
import python_jwt as jwt

# RSA key pair: the private half signs, the public half verifies.
key = jwk.JWK.generate(kty='RSA', size=2048)

payload = {'foo': 'bar', 'wup': 90}
# Sign with RSA-PSS/SHA-256 and give the token a five-minute lifetime (exp claim).
token = jwt.generate_jwt(payload, key, 'PS256', datetime.timedelta(minutes=5))

# Verification checks the signature, the expiry and that the algorithm is one we allow.
header, claims = jwt.verify_jwt(token, key, ['PS256'])

for k in payload:
    assert claims[k] == payload[k]
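The same two steps, salted password hashing and JWT issue/verify, written out with only the Python standard library so the checks are visible. This is an added example, not the post's code: it uses PBKDF2-SHA256 in place of passlib's sha256_crypt and an HMAC-signed HS256 token in place of the RSA PS256 token above (the verify step still enforces an algorithm allow-list, signature and expiry).

```python
import base64, hashlib, hmac, json, os, time

PBKDF2_ITERS = 310_000  # assumed work factor; tune to your hardware

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2_sha256$iters$salt$hash'."""
    salt = salt or os.urandom(16)                     # fresh random salt per hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return f"pbkdf2_sha256${PBKDF2_ITERS}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)     # constant-time comparison

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def generate_jwt(claims, key, lifetime_s, now=None):
    """HS256 token with iat/exp claims. `key` is the shared HMAC secret."""
    now = int(time.time()) if now is None else now
    body = dict(claims, iat=now, exp=now + lifetime_s)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + "." + _b64(json.dumps(body).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def verify_jwt(token, key, allowed_algs=("HS256",), now=None):
    """Return (header, claims) or raise ValueError on any failed check."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_unb64(h))
    if header.get("alg") not in allowed_algs:         # rejects 'none' and alg confusion
        raise ValueError("algorithm not allowed")
    expected = hmac.new(key, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):  # check signature before trusting claims
        raise ValueError("bad signature")
    claims = json.loads(_unb64(c))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return header, claims
```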