![\"This](\"/f46881583c7518a93bb24e94c32320de/a-developer-friendly-dark-theme.webp\")
A token plays a crucial role in enhancing the overall security mechanism of an organization that helps to deliver flawless and secure authentication and authorization on their website or application.
\nHowever, there’s much confusion regarding relying on access tokens. Businesses find it challenging to choose between OpenID Connect and OAuth 2.0.
\nAs a result, many organizations deploy insecure web applications that compromise their consumers’ identities and crucial business information.
\nIt’s always better to learn about the aspects of tokens and leverage the best token management mechanism that offers robust security.
\nThis post will help you better understand what a token is, what is a JWT, and its pros that will help you decide why you need to invoke the potential of JWT for your API product.
\nA token is a digitally encoded signature used to authenticate and authorize a user to access specific resources on a network.
\nA token is always generated in the form of an OTP (One-Time Password), which depicts that it could only be used once and is generated randomly for every transaction.
\nThe token-based authentication allows users to verify their unique identity, and in return, they receive a unique token that provides access to specific resources for a particular time frame.
\nUsers can easily access the website or network for which the token is issued and need not enter the credentials again and again until the permit expires.
\nTokens are widely used for regular online transactions for enhancing overall security and accuracy.
\n\nJWT (JSON Web Token) is a token format. It is digitally signed, self-contained, and compact. It provides a convenient mechanism for transferring data.
\nJWT is not inherently secure, but the use of JWT can ensure the authenticity of the message so long as the signature is verified and the integrity of the payload can be guaranteed. JWT is often used for stateless authentication in simple use cases involving non-complex systems.
\nOn the other hand, OAuth 2.0 is an authorization protocol that builds upon the original OAuth protocol created in 2006, arising out of a need for authorization flows serving different applications from the web and mobile apps to IoT.
\nOAuth 2.0 specifies the flows and standards under which authorization token exchanges should occur. OAuth 2.0 does not encompass authentication, only authorization.
\nSince tokens like JWT are stateless, only a secret key can validate it when received at a server-side application, which was used to create it. Hence they’re considered the best and the most secure way of offering authentication.
\nTokens act as a storage for the user’s credentials, and when the token travels between the server or the web browser, the stored credentials are never compromised.
\nAs we know that tokens must be stored on the user’s end, they offer a scalable solution.
\nMoreover, the server just needs to create and verify the tokens and the information, which means that maintaining more users on a website or application at once is possible without any hassle.
\nFlexibility and enhanced overall performance are other vital aspects of JWT-based authentication. They can be used across multiple servers and can offer authentication for various websites and applications at once.
\nThis helps in encouraging more collaboration opportunities between enterprises and platforms for a flawless experience.
\nThe security of consumer identity is becoming a significant challenge for online platforms collecting consumer information.
\nJWT can be a game-changer when it comes to performing secure authentication.
\nThe precise use of secure token management through a robust consumer identity and access management (CIAM) solution can help businesses secure consumer information without hampering the overall user experience.
\nJWT can be the right option in most scenarios if implemented correctly and securely by following the proper security measures.
\n\n","frontmatter":{"date":"January 04, 2022","updated_date":null,"description":"A token plays a crucial role in enhancing the overall security mechanism of an organization. This post will help you better understand what a token is, what is a JWT, and its pros that will help you decide why you need to invoke the potential of JWT for your API product.","title":"Are You Thinking of Token Management for Your API Product? Think about JWT!","tags":["security"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.7241379310344827,"src":"/static/72f18d6005ea105c39c7326447f82250/33aa5/token-managmt.jpg","srcSet":"/static/72f18d6005ea105c39c7326447f82250/f836f/token-managmt.jpg 200w,\n/static/72f18d6005ea105c39c7326447f82250/2244e/token-managmt.jpg 400w,\n/static/72f18d6005ea105c39c7326447f82250/33aa5/token-managmt.jpg 768w","sizes":"(max-width: 768px) 100vw, 768px"}}},"author":{"id":"Rakesh Soni","github":"oyesoni","avatar":"rakesh-soni.jpg"}}}},{"node":{"excerpt":"2021 was a remarkable year since businesses began overcoming challenges and uncertainties worldwide amid the global pandemic. Regardless of…","fields":{"slug":"/identity/loginradius-top-performing-blogs-2021/"},"html":"2021 was a remarkable year since businesses began overcoming challenges and uncertainties worldwide amid the global pandemic.
\nRegardless of the industry, almost every organization bounced back and made every effort to stay up and running in the most unpredictable times.
\nAs far as the consumer identity and access management (CIAM) industry is concerned, LoginRadius was one of the top performers in securing billions of identities and educating the global audience regarding the diverse aspects of CIAM and security.
\nOur insightful blogs helped millions of people globally understand, implement, and enhance their platform experience by leveraging cutting-edge technology in the CIAM landscape.
\nIn this post, we’ve narrowed down the list of our Top 10 Performing Blogs in 2021 that people across the globe found insightful as they helped them cut corners during the unpredicted times.
\nWe hope you’ll find a topic you’re excited about and will get the most accurate and in-depth information about the same. Let’s get started.
\nTwo-factor authentication is one of the best security methods that use two layers to verify a consumer's identity.
\nThis means, rather than simply entering the password to log into an account, two-factor authentication requires a code sent via text message to the consumer's phone number or generated through an app.
\nRead this blog to learn everything about two-factor authentication, how to set up two-factor authentication on your social accounts, and its importance.
\nSalting hashes sounds like something that comes out of a recipe book. However, Salt plays a significant role in preventing a data breach in cryptography.
\nWhile data leaks can sometimes happen, hash salting generators only come to mind when there is a significant invasion of privacy that affects the majority of the consumers’ applications.
\nRead this blog to know more about Salt, utilizing hashing using Salt, and its importance in enhancing overall password security.
\nIdentity management in cloud computing is the subsequent identity and access management (IAM) solution.
\nHowever, it is a lot more than merely a straightforward web app single sign-on (SSO) solution. This next generation of IAM solution is a holistic move of the identity provider right to the cloud.
\nThis blog covers all the aspects of cloud IAM, its significance, and businesses must incline towards a modern cloud identity management solution.
\nLogin is a big deal that decides the entire UX your website will deliver. Businesses should try to put as little resistance as possible into their registration process.
\nAs with it comes customer identities—the most accurate first-party data beneficial for conversions and customer retention.
\nThis blog covers all the aspects associated with UI/UX along with the numerous benefits of using social login for your online platforms.
\nWhen the hacker gains access into the system admin's account by using the online platform's vulnerabilities, particularly in two areas: credential management and session management, it's referred to as broken authentication.
\nPoor credential management and poor session management always lead to broken authentication. Read on this blog to know everything about broken authentication, its consequences, and how to prevent it.
\nA token plays a crucial role in enhancing the overall security mechanism of an organization that helps to deliver flawless and secure authentication and authorization on their website or application.
\nWith token security, users have to re-authenticate themselves for obvious security reasons by offering credentials to sign in if the access token is expired.
\nHowever, this can be tedious and hampers user experience. To overcome this, the concept of refresh tokens was introduced.
\nThis blog provides an overview of using refresh tokens and helps securely authenticate users without hampering their overall experience.
\nConsumers demand a more innovative experience today. They don't like to create a new ID whenever they want to utilize a service. Instead, they are open to leveraging their existing digital identity securely and efficiently, with the opportunity to reuse it in multiple domains.
\nAnd as a response to this demand, businesses have come up with a concept called Bring Your Own Identity (BYOI).
\nRead on this blog to learn every aspect of BYOI.
\nTokens are widely used to provide authorization and authentication to users when accessing a website or a mobile application. This post covers detailed information about tokens' use and their advantages and disadvantages.
\nThis blog will help you better understand what a token is, what are its pros and cons and will help you decide whether you need to invoke the potential of tokens for your business or not.
\nTo cope with the increasing number of cyber frauds and data thefts, the National Institute of Standards and Technology (NIST) has issued specific requirements and controls for digital user identities.
\nThe NIST has dispensed several guidelines that ensure security to the user and eventually help enterprises secure their crucial business information.
\nThese guidelines offer recommendations for users for creating strong passwords and suggestions for vendors/verifiers handling passwords.
\nThis blog provides detailed information about NIST password guidelines and offers valuable insights into how businesses can ensure maximum security in 2021 and beyond.
\nThis is perhaps the most popular blog that depicts the importance of passwordless in the modern digital world.
\nA passwordless magic link allows you to log in directly with the help of a link that is received through an email. This process is similar to receiving a one-time password (OTP) though you might have to physically enter the OTP once you are redirected to the page or application.
\nIn the case of passwordless magic links, all you have to do is click on the link sent through an email, allowing you to log in directly.
\nRead on this insightful blog that covers all the aspects of passwordless login, challenges, and how organizations can use magic links for going passwordless.
\nThe blogs mentioned above can help you understand the CIAM landscape and the crucial role of incorporating a cutting-edge consumer identity and access management solution.
\nLoginRadius helps businesses deliver a flawless user experience backed by robust security through a world-class consumer identity and access management solution.
\nReach us to know more about LoginRadius CIAM and how it can help scale your business growth even in the most unpredictable times.
\n\n","frontmatter":{"date":"December 29, 2021","updated_date":null,"description":"Our insightful blogs helped millions of people globally understand, implement, and enhance their platform experience by leveraging cutting-edge technology in the CIAM landscape in 2021. Here we’ve compiled a list of our top-performing blogs of 2021 that can help you quickly find the most admired and insightful posts to solve your purpose.","title":"Top 10 Performing Identity Blogs in 2021","tags":["LoginRadius"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.7391304347826086,"src":"/static/95e05aa57ea67e9bd0c598471a15cce4/33aa5/performing-blogs.jpg","srcSet":"/static/95e05aa57ea67e9bd0c598471a15cce4/f836f/performing-blogs.jpg 200w,\n/static/95e05aa57ea67e9bd0c598471a15cce4/2244e/performing-blogs.jpg 400w,\n/static/95e05aa57ea67e9bd0c598471a15cce4/33aa5/performing-blogs.jpg 768w","sizes":"(max-width: 768px) 100vw, 768px"}}},"author":{"id":"Navanita Devi","github":null,"avatar":null}}}},{"node":{"excerpt":"All React developers love to leverage the benefits React caters to in developing web applications. But developers need to keep in mind the…","fields":{"slug":"/engineering/react-security-vulnerabilities/"},"html":"All React developers love to leverage the benefits React caters to in developing web applications. But developers need to keep in mind the security postures while creating React web apps. React applications face a vast attack surface and are prone to different vulnerabilities. This article is a checklist of React security best practices that every developer should know before diving into PWA (progressive web application) development.\nIf you are new to progressive web applications and React, let's get familiar with these terminologies first.
\nProgressive Web Apps (PWA) are apps built using web technologies like HTML, CSS, and JavaScript (JS). But these apps deliver the experience, feel, and functionality of a native app. PWA combines new technologies and integrations to build a reliable, engaging, accessible, and secure application. Developers mostly use React on top of HTML and JavaScript to build a progressive web app.
\nReact is popular among progressive web app developers. This open-source, robust JavaScript library helps in building user interfaces based on UI components. React gains popularity in the software development industry because it allows developers to create lightweight apps with additional facilities: security, push notification, app-like look and feel, etc. Some popular companies that have become the early adopters of React are Instagram, Netflix, Airbnb, Uber Eats, Discord, the New York Times, etc.
\nReact helps developers build a reliable, robust, and secure progressive web app, but these apps face certain security pitfalls also. Developers need to give prior attention to security vulnerabilities, which are often ignored due to faster app development cycles or more focus on product features.\nWith the arrival of each new update in React having more features, the security flaws are getting unnoticed. Such unnoticed actions are increasing security concerns. Here is a list of top React security vulnerabilities that every React developer must address before delivering or deploying their apps.
\nSQL Injection (SQLi) is a widely known web application attack. The cybercriminal intends to perform database manipulation logically to access sensitive information that is not supposed to be displayed. Attackers try to sneak into that sensitive information to collect phone numbers, payment details, addresses, passwords, and other credentials.\nThis technique allows the attackers to manage access to the server, pull the data, and manipulate the values in the database. Apart from data modification, hackers can also delete the data.\nLet us take an example. Let us take an example where the code will search for the current user-ID and the login matching the employee name, where the owner is the current user-ID.
\nstring query = "SELECT * FROM logondata WHERE owner = "'"\n+ empID + "' AND empName = '"\n+ EmpName.Text + "'";Combining both the employee ID and employee name, the following query gets generated.
\nSELECT * FROM logondata\nWHERE owner =\nAND empName = ;The problem that pops here is that the main code leverages the concept of concatenation that helps in combining those data. The attacker can use a string like 'empName' OR 'x'='x' as the employee name. 'x' = 'x' is such a condition, which will always evaluates to True. Therefore, the statement returns True for all values within the table. So, the following query becomes:
SELECT * FROM logondata\nWHERE owner = 'karlos'\nAND empName = 'name' OR 'x' = 'x';There are three major categories of SQL injection based on how attackers gain access to the backend data.
\nIn-band SQL Injection: Here the persuader will instigate the attack and gather sensitive credentials via one single channel. Such SQL attacks are simple, and hence, it is one of the most commonly performed SQLi attacks on React apps. It comes with two sub-categories –
\nInferential/Blind SQL Injection: The attacker pushes payloads targeting the server. Then they observe the behavior and keep track of the server response to know more about the database structure. Here, the attacker cannot witness the data reverting through the attack in-band, hence the name \"Blind.\" There are two sub-categories of blind SQLi.
\nThe comprehensive rendering feature of React makes it a preferable choice over other JavaScript libraries and frameworks. But this rendering feature also drags React-based apps to the most widely exploited vulnerability, cross-site scripting (XSS). Cross-site scripting leverages malicious client-side scripts by injecting them into web applications. When the users trigger those scripts, the attackers gain control over the app and steal sensitive information from the web application.
\nInjecting malicious scripts into the react app will make the app release some internal app data. Therefore, React developers should prevent the application from running the script. Here is a typical example of cross-site scripting where the attacker can place and execute a malicious script within the application like this:
\n<input type="search" value="PWA"/>Now, executing malicious script will make the search look like:
\n<input type="search" value="Attacker "/> <script> StealCredentials() </script>"> ;Here, StealCredentials() is a function that contains malicious scripts to steal user information.\nLet us now take a look at the types of XSS.
\nThis attack gains popularity, not simply because of its potential to harm the target users through the application but because such attacks need more creative and intellectual hackers. But, to prevent such attacks, developers need to become even more creative.
\nYou can also use content security policies as the last line of defense against XSS. If all other XSS prevention fails, CSP allows developers to control various things, such as loading external scripts and executing inline scripts. To deploy CSP, developers need to include an HTTP response header called Content-Security-Policy with a value carrying the policy.\nAn example for including CSP is as follows:
\ndefault-src 'self'; script-src 'self'; object-src 'none'; frame-src 'none'; base-uri 'none';Broken authentication is a weakness through which attackers can capture one or multiple accounts when authentication or session management is poorly implemented in progressive web apps. This vulnerability helps the attacker take over multiple user accounts, letting the attacker possess the same privileges and access control as the target user.
\nAttackers usually exploit such a React security vulnerability by detecting the authentication solution or bypassing them. The security team labels the authentication as broken when the cybercriminal can compromise users' passwords, session tokens, digital identities, or account information from the React app. Examples of some common reasons for this attack are:
\nLet us take a situation where the attacker could detect the hashes for the following names.
\nSue 4420d1918bbcf7686defdf9560bb5087d20076de5f77b7cb4c3b40bf46ec428s\nKarlos 4420d1918bbcf7686defdf9560bb5087d20076de5f77b7cb4c3b40bf46ec624g\nDee 77b177de23f81d37b5b4495046b227befa4546db63cfe6fe541fc4c3cd216egkThe hash function will store the password in a hashed form rather than plain text. But then, humans can easily read the hash. Now, if two different users enter the same password, then these passwords will generate the same hash. Hackers can perform a dictionary attack, and if they crack one password, they can use the same password to gain access to other accounts that use the same hash.
\nAttackers can perform XML External Entities attacks on React web applications that parse XML input. Here the outdated XML parsers of your React app become vulnerable. Such vulnerability can lead an attacker to perform denial of service, port scanning, server-side request forgery, etc. Such attacks occur when an XML input gets referred to an external entity but has a weakly configured XML parser. Here are some examples where attackers are attempting XEE on React web applications that parse XML input.
\nThe attacker might attempt to extract data from the server.
\n<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE sample [\n<!ELEMENT sample POO >\n<!ENTITY xmlxxe SYSTEM "file:///etc/passwd" >]> <sample> &xmlxxe; </sample>Another code snippet where the attacker explores the private network of the server by tweaking the code:
\n<!ENTITY xmlxxe SYSTEM "https://186.141.2.1/privnw" >]>It is another code snippet where the attacker tries for a Denial of Service (DoS) attack by comprising a potentially perpetual file:
\n<!ENTITY xmlxxe SYSTEM "file:///gkr/rand" >]>It is another popular React app vulnerability where the malicious actor exploits the app by submitting zip files having malicious or arbitrary code within them. React developers enable adding zip files to decrease the file size while they get uploaded. When the app unzips the archive, its malicious file(s) can overwrite other files or perform arbitrary code execution. Attackers can either harm the files existing in the target system or gain remote access to the system.
\nHere is a Zip slip code example demonstrating a ZipEntry path merges to a destination directory without validating that path. Researchers and security professionals have found similar codes in different repositories across many apps.
\nEnumeration<ZipEntry> entry = zip.getEntries();\n while (entry.hasMoreElements()) {\nZipEntry ez = entry.nextElement();\nFile fil = new File(destinationDir, ez.getName());\nInputStream input = zip.getInputStream(ez);\nIOUtils.copy(input, write(fil));\n }Here is a link to the repository containing libraries and APIs infected by zip slip.
\nCSRF is another React web application vulnerability allowing attackers to persuade users to perform unintentional actions without their direct consent. It does not steal the identity of the legitimate user but acts against their will. For rendering such attacks, the attacker sends an email or a web link convincing the victim to achieve a state-changing request in the application.
\nBefore going through the checklist on fixing CSRF vulnerabilities, here is a quick example of how the CSRF GET request will be once the attacker tweaks it.\nA standard GET request for a $250 transfer from person1 to person2 might look like this:
\nWhen the attacker induces the user to perform some unintended action or runs a malicious script, the $250 gets transferred to the attacker's account. This malicious request might look something like this:
\nSome attackers can also put innocent-looking hyperlinks embedding the request.
\nIt might happen that you have pushed a React app's code to GitHub. Now an email/notification is popping up saying, \"One of your dependencies has a security vulnerability.\" That is another method where attackers seek the help of malicious packages to gain access to your React applications. Such malicious packages collect valuable app details and user information and send it to a third party.
\nThese packages can also execute malicious code during the package installation phase. These attackers use the concept of typosquatting to make their attacks seamless. Typosquatting is a method of naming the packages based on their original counterparts. It outwits the developers into downloading these malicious packages that can wreak havoc on the React app.
\nHope this comprehension has given a crisp idea of the top React vulnerabilities and the different checklists developers can use to fix those security flaws. Developers should know how crucial application security is for both the business and its users. As the React features are increasing, there is an equal delay in the number of days taken by the React community to fix any React security issues.
\nIn this article, we discussed the most well-known vulnerabilities like SQLi, XSS, Broken Authentication, XXE, Zip Slip, CSRF, and Package & dependency vulnerabilities, plus how to prevent React apps from such attacks. So, developers and product managers should cautiously handle all security-related aspects of a React project by following the checklist given in this article.
\n","frontmatter":{"date":"December 24, 2021","updated_date":null,"description":"React security vulnerabilities are hard to detect. However, this article talks about the top 7 vulnerabilities and how to fix them to enjoy all the benefits React caters to in developing Progressive Web Applications.","title":"React Security Vulnerabilities and How to Fix/Prevent Them","tags":["React","Vulnerability"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.2820512820512822,"src":"/static/7d6e838c39ee3573adb83d3237a82ee6/ee604/react-security.png","srcSet":"/static/7d6e838c39ee3573adb83d3237a82ee6/69585/react-security.png 200w,\n/static/7d6e838c39ee3573adb83d3237a82ee6/497c6/react-security.png 400w,\n/static/7d6e838c39ee3573adb83d3237a82ee6/ee604/react-security.png 800w,\n/static/7d6e838c39ee3573adb83d3237a82ee6/f3583/react-security.png 1200w,\n/static/7d6e838c39ee3573adb83d3237a82ee6/5707d/react-security.png 1600w,\n/static/7d6e838c39ee3573adb83d3237a82ee6/b6c0e/react-security.png 1926w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Gaurav Kumar Roy","github":"GauravRoy6","avatar":null}}}},{"node":{"excerpt":"Security has become a fundamental aspect to consider while developing an application. As people become more aware and hackers more notorious…","fields":{"slug":"/engineering/guest-post/securing-php-api-with-jwt/"},"html":"Security has become a fundamental aspect to consider while developing an application. As people become more aware and hackers more notorious, you need to employ systems that strengthen your application's data security.
\nPreviously, it was common to use session storage to secure applications. In recent times, sessions have proved inefficient, which pushed to migrate to authentication with APIs. Even though this was a superb and robust way to secure web applications, it became obsolete as hackers tried to figure out how to crack this authentication.
\nAs the web evolves to accept more and more users, the research for secure authentication techniques speeds up. In 2010, the world was introduced to a new and secure authentication standard -- JWT. Let's know more about JWT.
\nJSON Web Token (JWT) is a safe way to authenticate users on a web app. Using JWT, you can securely transfer encrypted data and information between a client computer and a server.
\n\n\nLearn more about the differences between sessions and JWTs here.
\n
JWT offers many benefits. Here are some of them.
\nNow that you've learned about the advantages, it's time to go deeper into the JWT.
\neyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9\n .eyJpc3MiOiJodHRwczpcL1wvcWEtYXBpLndlbGx2aWJlLmNvbVwvYXBpXC9hdXRoXC9sb2dpbiIsImlhdCI6MTYzMDQ3OTA5NSwiZXhwIjoxNjMwNDgyNjk1LCJuYmYiOjE2MzA0NzkwOTUsImp0aSI6Imtsa3hHUGpMOVlNTzRSdUsiLCJzdWIiOjc3ODE4LCJwcnYiOiIyM2JkNWM4OTQ5ZjYwMGFkYjM5ZTcwMWM0MDA4NzJkYjdhNTk3NmY3IiwidXNlcnNfaWQiOjc3ODE4LCJtZW1iZXJzX2lkIjo3Nzg4MzMsInByb3h5X3VzZXJfbWVtYmVyc19pZCI6bnVsbH0\n .TxXwLLu1zWBe7cLLYdFYy3P2HX4AaLgc7WfSRtTgeiIThe above string is an example of a JWT authentication string. At first glance, it may appear to be a randomly produced string. But don't underestimate; this string is made up of three separate components that are essential in a JWT.
\nThe header of a JWT is the initial section of the string before the first dot. This header is produced by acquiring plain text and performing cryptographic operations on it. Moreover, the header uses a very efficient Base64 encoding procedure.
\nYou can quickly obtain the JWT's headers using symmetric or asymmetric encryption techniques.
\nThe string's central component is the JWT's payload part. This string includes all of the important information about a received request and the user or client computer who created the request. There are predefined key-value pair fields in the payload that can be used to offer extra information about the received request. Here is an explanation of common payload fields.
\nA cryptographic operation is performed on the JWT data to obtain this signature. It takes in the payload, secret key, and header value of a JWT. The signature is then generated by applying a function to these obtained values.
\nThe server and user can verify this signature to know about the data's security and integrity. If this signature matches at both ends, then the data is considered secure, and all other transactions can occur.
\nAs you've understood everything about JWT, let's secure your PHP API using JWT. Follow the code along, and, in the end, you'll create a tamper-proof PHP API.
\nThis article creates a simple login page and authenticates it using JWT. This will help you get started with JWT and PHP.
\nTo follow along, you'll need to have PHP and composer installed on your computer.
\nIf you haven't already installed composer on your computer, you can learn how to install composer here. Once you've installed composer, run the tool from your project folder. Composer will assist you in installing Firebase PHP-JWT, a third-party library for working with JWTs and Apache.
\nOnce the library is installed, you'll need to set up a login code in authenticate.php. While you do this, put a code piece that checks and gets the autoloader from the composer tool. The below code helps you achieve this.
<?php\ndeclare(strict_types=1);\nuse Firebase\\JWT\\JWT;\nrequire_once('../vendor/autoload.php');When the form gets submitted, you need to check the entered data with a data source or database. For our purpose, let's create a hasValidCredentials variable and set it to true. Setting this variable to true means that the data is checked and valid.
<?php\n// extract credentials from the request\nif ($hasValidCredentials) {Any further coding will be wrapped in this block itself. The value of the hasValidCredentials variable governs all code related to the production and validation of the required JWT. If its value is true, the JWT shall be created; otherwise, an error will be shown.
Let's start creating the JWT. First, you need to generate some more variables to aid in this process. As you saw in the payload section, you must create:
\nJWT's can be easily inspected and checked at client-side browsers. So it is better to hide your secret key and other important information in some environment file, which the user cannot access through client-side requests.
\n$secret_Key = '68V0zWFrS72GbpPreidkQFLfj4v9m3Ti+DXc8OB0gcM=';\n$date = new DateTimeImmutable();\n$expire_at = $date->modify('+6 minutes')->getTimestamp(); // Add 60 seconds\n$domainName = "your.domain.name";\n$username = "username"; // Retrieved from filtered POST data\n$request_data = [\n 'iat' => $date->getTimestamp(), // Issued at: time when the token was generated\n 'iss' => $domainName, // Issuer\n 'nbf' => $date->getTimestamp(), // Not before\n 'exp' => $expire_at, // Expire\n 'userName' => $username, // User name\n];Now you have all the required data in hand; you can easily create a JWT. Here, you'll use the PHP-JWT package's encode() method. This method helps transform your data array into a JSON object.
Following the conversion to a JSON object, the encode function produces JWT headers and signs the received payload with a cryptographic combination of all the information and the given secret key.
\nIt is essential to supply three arguments to the encode() method to utilize it correctly. The first argument should be the payload information, which is the data array in this instance. Secondly, you must supply the secret key as an argument; and finally, you must define the cryptographic technique that the function should use to sign the JWT.
To obtain and return the JWT, you'll have to use the echo method above the encode method, as shown below.
\n<?php\n // Encode the array to a JWT string.\n echo JWT::encode(\n $request_data,\n $secret_Key,\n 'HS512'\n );\n}Now that you have obtained the JWT token, you can transfer it to the client-side and save it using any web programming language of your choice. Let's start with a short JS demonstration of the route ahead.
\nFirst, when a successful form submission takes place, save the created and received JWT in client-side memory. To display some output about the JWT's success, remove the login form and merely display a button that retrieves and displays the JWT's timestamp to the user when it is clicked.
\nHere is some sample code for the process mentioned above.
\nconst storeJWT = {}\nconst loginBtn = document.querySelector("#frmLogin")\nconst btnResource = document.querySelector("#btnGetResource")\nconst formData = document.forms[0]\n\n// Inserts the jwt to the store object\nstoreJWT.setJWT = function (data) {\n this.JWT = data\n}\n\nloginBtn.addEventListener("submit", async e => {\n e.preventDefault()\n\n const response = await fetch("/authenticate.php", {\n method: "POST",\n headers: {\n "Content-type": "application/x-www-form-urlencoded; charset=UTF-8",\n },\n body: JSON.stringify({\n username: formData.inputEmail.value,\n password: formData.inputPassword.value,\n }),\n })\n\n if (response.status >= 200 && response.status <= 299) {\n const jwt = await response.text()\n storeJWT.setJWT(jwt)\n frmLogin.style.display = "none"\n btnResource.style.display = "block"\n } else {\n // Handle errors\n console.log(response.status, response.statusText)\n }\n})You've already produced and submitted the JWT to the user. So now it's time to put the JWT to use on the user side.
\nAs previously stated, if the form submission is successful, you'll display a button to obtain a timestamp. This button will invoke the GET method on the resource.php script. The resource.php script will then set the JWT received after successful authentication in the authentication header.
The following code will help you achieve this feat.
\nbtnResource.addEventListener("click", async e => {\n const result = await fetch("/resource.php", {\n headers: {\n Authorization: `Bearer ${storeJWT.JWT}`,\n },\n })\n const timeStamp = await result.text()\n console.log(timeStamp)\n})Once you've written this code, run the program and enter your credentials into the form fields. A GET request will be sent when you click the submit button. Here is a sample GET request to assist you in making the correct identification.
\nGET /resource.php HTTP/1.1\nHost: yourhost.com\nConnection: keep-alive\nAccept: */*\nX-Requested-With: XMLHttpRequest\nAuthorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvcWEtYXBpLndlbGx2aWJlLmNvbVwvYXBpXC9hdXRoXC9sb2dpbiIsImlhdCI6MTYzMDQ3OTA5NSwiZXhwIjoxNjMwNDgyNjk1LCJuYmYiOjE2MzA0NzkwOTUsImp0aSI6Imtsa3hHUGpMOVlNTzRSdUsiLCJzdWIiOjc3ODE4LCJwcnYiOiIyM2JkNWM4OTQ5ZjYwMGFkYjM5ZTcwMWM0MDA4NzJkYjdhNTk3NmY3IiwidXNlcnNfaWQiOjc3ODE4LCJtZW1iZXJzX2lkIjo3Nzg4MzMsInByb3h5X3VzZXJfbWVtYmVyc19pZCI6bnVsbH0.TxXwLLu1zWBe7cLLYdFYy3P2HX4AaLgc7WfSRtTgeiIIf you've followed along until here, everything should be working fine. Now, let's begin with validating the JWT.
\nTo get help with this operation, you've previously added the composer's autoloader function. You'll now use the preg match function to extract the token from the Bearer header. For this extraction, you'll use the preg match function and supply a regular expression.
if (! preg_match('/Bearer\\s(\\S+)/', $_SERVER['HTTP_AUTHORIZATION'], $matches)) {\n header('HTTP/1.0 400 Bad Request');\n echo 'Token not found in request';\n exit;\n}The code above attempts to extract the token from the Bearer header. In this case, error handling is utilized. Thus if the token is not discovered, an HTTP 404 error is displayed to the user.
\nTo validate the JWT, you must first compare it to the previously created JWT.
\n$jwt = $matches[1];\nif (! $jwt) {\n // No token was able to be extracted from the authorization header\n header('HTTP/1.0 400 Bad Request');\n exit;\n}The extracted JWT is saved at the first index of the matches array. If the matching array is empty, it means no JWT was extracted. If the preceding code runs successfully, it implies that the JWT has been extracted, and you may now proceed.
\nDecoding the received data is required for verifying a JWT. Only the secret key may be used to decode the received data. Once you've obtained the secret key, you may use the static decode function of the PHP-JWT module.
\nThe decode method requires three arguments, which are as follows.
\nIf the decode method succeeds, you may proceed to validate the JWT. The code below will assist you in decoding and validating a JWT.
\n$secret_Key = '68V0zWFrS72GbpPreidkQFLfj4v9m3Ti+DXc8OB0gcM=';\n$token = JWT::decode($jwt, $secret_Key, ['HS512']);\n$now = new DateTimeImmutable();\n$serverName = "your.domain.name";\n\nif ($token->iss !== $serverName ||\n $token->nbf > $now->getTimestamp() ||\n $token->exp < $now->getTimestamp())\n{\n header('HTTP/1.1 401 Unauthorized');\n exit;\n}This code will provide all the necessary parameters to the decode function and save the method's result. Then, to prevent unauthorized access, error handling is employed. If any of the fields in the JWT are unavailable, an HTTP 401 error indicating unauthorized access will be issued to the user.
\nInstead of using the process discussed above, you can use LoginRadius Identity Platform to authenticate your PHP APIs quickly. You can start by referring to LoginRadius PHP documentation.
\nIn addition, you can use LoginRadius PHP SDK, which, in turn, simplifies signup and login for your users by eliminating the need for remembering an extra set of credentials for your app.
\nIn this tutorial, you've learned about JWT. Then created a PHP web application and secured it with JWT authentication.
\nYou understood how easy and important it is to secure a web application.
\nYou can find the complete code used in this tutorial here.
\nDon't forget to try this out for your more significant projects.
\nFinally, if you face any problems following this tutorial or have questions, please feel free to comment below. We'll respond as soon as we can to clarify your questions.
\n","frontmatter":{"date":"December 24, 2021","updated_date":null,"description":"This tutorial helps you understand why you should secure your PHP API. Then, it helps you learn how to use JWT with Apache to secure your PHP API.","title":"How to Secure a PHP API Using JWT","tags":["PHP","JWT","Authentication"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/0d1302ecbb6ca63f354aabd22a131331/ee604/jwt.png","srcSet":"/static/0d1302ecbb6ca63f354aabd22a131331/69585/jwt.png 200w,\n/static/0d1302ecbb6ca63f354aabd22a131331/497c6/jwt.png 400w,\n/static/0d1302ecbb6ca63f354aabd22a131331/ee604/jwt.png 800w,\n/static/0d1302ecbb6ca63f354aabd22a131331/f3583/jwt.png 1200w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Harikrishna Kundariya","github":"espark-biz","avatar":null}}}},{"node":{"excerpt":"Introduction Identity management is swiftly becoming the need of the hour in a digitally advanced world where data breaches aren’t uncommon…","fields":{"slug":"/growth/questions-to-ask-your-identity-provider-2022/"},"html":"Identity management is swiftly becoming the need of the hour in a digitally advanced world where data breaches aren’t uncommon, and cyber criminals continuously explore new ways to exploit sensitive consumer information.
\nYes, gone are the days when online businesses collecting user information considered identity management a luxury; it’s the absolute necessity of every enterprise seeking a competitive edge with the highest level of security.
\nSo, does it mean that every business on the verge of digital transformation can’t navigate their digital business success without a reliable consumer identity and access management (CIAM) solution?
\nUnfortunately, yes!
\nCIAM is the backbone of every mobile application or website that collects user information, providers sign-in/sign-up, and maintains user data.
\nSo, if you’re thinking about getting a CIAM solution, here are some questions that you need to ask your identity provider in 2022.
\nIt’s crucial to know about the number of ways a user can authenticate themselves using a CIAM solution. The more the number of authentication methods, the better and user-friendly the CIAM is.
\nEnterprises are inching towards passwordless login capabilities to enhance the user experience for their consumers. You must ensure your CIAM offers cutting-edge technology with passwordless login capabilities just like LoginRadius.
\nSingle Sign-On (SSO) is the most advanced way of creating a frictionless experience for clients when they switch from one application to another within a single platform. Ensure your CIAM offers SSO capabilities at no extra cost.
\nIt’s essential to ensure seamless access through SSO when a user switches from website to mobile app without the hassle of re authentication since users find it pretty annoying to authenticate themselves again and again.
\nOne of the essential aspects to consider while choosing a CIAM is to ensure whether the product offers GDPR, CCPA, and other data regularization compliances or not. Using a CIAM in certain states without complying with their local data privacy regulations could entail the enterprise for hefty fines.
\nCIAM that supports third-party integration always offers a competitive advantage to an organization. Businesses can get valuable insights into user behavior and past purchase history to create better marketing strategies.
\nBefore making a purchase, make sure you precisely examine the authentication and authorization security mechanism of your CIAM.
\nLoginRadius supports risk-based authentication for the highest level of security. RBA, aka adaptive authentication, is a security mechanism for high-risk scenarios. Businesses collecting sensitive information regarding clients should always prefer risk-based authentication in addition to multi-factor authentication.
\nMake sure your CIAM vendor offers social login authentication, email login authentication, and phone/email authentication for maximum convenience and security.
\nSome CIAM vendors like LoginRadius offer data export from a previous CIAM vendor. This helps in a flawless transition from a conventional vendor to a cutting-edge new-age CIAM.
\nIt’s important to learn about the features of the CIAM from a marketing and sales perspective. Your CIAM shouldn’t just provide a seamless login experience, but help improve conversion rates.
\nEnsure that you get every vital feature as a part of the standard subscription plan.
\nIt’s always a great idea to book a free personalized demo before making a purchase. A customized demo helps you understand how the product works for your business since you get hands-on experience with every feature tailored for your organization.
\nLeading CIAM vendors like LoginRadius provide you an option to import your previous consumer data like a breeze. Ensure your new CIAM vendor supports the same.
\nDevelopers’ satisfaction regarding the product shouldn’t be ignored since they’re the backbone of the website/ application. Always choose a vendor offering transparency and total control to developers.
\nBased on your cloud deployment requirement, always enquire about multi-tenant and single-tenant cloud deployment well in advance.
\nYou need to ensure that your business niche market players trust the CIAM you consider. This will help you make a more intelligent choice.
\nDon’t forget to inquire about the up-time of the servers since consumer experience is everything you need to focus on while choosing a CIAM. LoginRadius identity management solution offers 100% uptime.
\nIt’s essential to know about the physical location of the data centers to ensure data is securely collected, managed, and saved.
\nYou shouldn’t miss data localization compliance in your next CIAM since data privacy and security regularizations are becoming increasingly stringent globally.
\nThe peak load capacity of the CIAM defines how good and reliable a CIAM is handling a massive number of users at once. Always choose the one offering higher peak load capacities like LoginRadius CIAM offering 180K logins/second.
\nLast but not least, you need to ask your vendor regarding the total number of identities that they have secured till data. Choosing the one with a higher number of secured identities could be the game-changer for your business, just like LoginRadius that has secured over 1.17 Billion identities to date.
\nChoosing a reliable CIAM isn’t a piece of cake, and organizations should strictly examine the aspects mentioned above in the form of questions that they need to ask CIAM vendors.
\nHowever, LoginRadius offers endless possibilities and provides all the features, compliances, and capabilities mentioned above.
\nYou can choose LoginRadius as your CIAM to witness substantial business growth. Reach us for a free personalized demo today.
\n\n","frontmatter":{"date":"December 21, 2021","updated_date":null,"description":"CIAM is the backbone of every mobile application or website that collects user information. So, if you’re thinking about getting a CIAM solution, here are some questions that you need to ask your identity provider in 2022.","title":"What Should You Ask Your Identity Provider in 2022","tags":null,"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.4492753623188406,"src":"/static/ae4dd8293a822f8fc63799b8bc6c184b/33aa5/id-provider.jpg","srcSet":"/static/ae4dd8293a822f8fc63799b8bc6c184b/f836f/id-provider.jpg 200w,\n/static/ae4dd8293a822f8fc63799b8bc6c184b/2244e/id-provider.jpg 400w,\n/static/ae4dd8293a822f8fc63799b8bc6c184b/33aa5/id-provider.jpg 768w","sizes":"(max-width: 768px) 100vw, 768px"}}},"author":{"id":"Yash Rathi","github":"yashrathi29","avatar":null}}}},{"node":{"excerpt":"In a modern, digitally advanced environment, business systems undergo complex interactions and communicate autonomously to execute business…","fields":{"slug":"/identity/loginradius-m2m-authorization-data-access/"},"html":"In a modern, digitally advanced environment, business systems undergo complex interactions and communicate autonomously to execute business functions.
\nEvery day, millions of devices constantly gather and report data, especially concerning the Internet of Things (IoT) ecosystem, which doesn’t even require human intervention.
\nHence, business systems need to efficiently and securely share this data during transit to the suitable systems and issue operational instructions without room for tampering.
\nHere’s where LoginRadius’ Machine to Machine (M2M) authorization comes into play.
\nMachine-to-machine (M2M) authorization ensures that business systems communicate autonomously without human intervention and access the needed information through granular-level access.
\nM2M Authorization is exclusively used for scenarios in which a business system authenticates and authorizes a service rather than a user.
\nLet’s dig deeper into this and understand the role of M2M authorization and how it helps diverse businesses.
\nM2M Authorization is the process of providing remote systems with secure access to information. Using M2M Authorization, business systems can communicate autonomously and execute business functions based on predefined authorization.
\nM2M apps use the Client Credentials Flow (defined in OAuth 2.0 RFC 6749), in which they pass along secure credentials to authenticate themselves and receive an authorization token.
\nLoginRadius understands the risks associated with data transfers, especially in cases where millions of interconnected applications and devices contact each other to gain access to specific resources or devices. This access requires a robust authorization mechanism.
\nMachine-to-machine authorization from LoginRadius acts as a game-changer for the business that requires frequent autonomous interactions.
\nServices require authorization while saving and reading the data to and from the storage as a part of standard process and security measures. Businesses can use LoginRadius for autonomous authorization by creating two dedicated M2M apps with write and read permissions.
\nFor each M2M application, LoginRadius issues secure credentials, and services automatically get the authorization token from LoginRadius using these secure credentials to perform read or write operations.
\n\nIn a nutshell, LoginRadius acts as an authorization server.
\nBenefits of LoginRadius’ M2M Authorization
\nM2M Authorization offers secure access to improve business efficiency and ultimately enhances customer experience. M2M provides several business benefits, including, but not limited to:
\nBusinesses these days require a robust authorization and authentication mechanism that can carry data access requests like a breeze without hampering the overall business process.
\nWith LoginRadius M2M authorization, businesses can ensure a secure and reliable method of autonomous interactions since it aids business systems to achieve efficiency and, at the same time, eliminates the need for human intervention.
\nLoginRadius M2M helps businesses to provide flexible machine-to-machine communication while ensuring granular access, authorization, and security requirements are enforced.
\n\n","frontmatter":{"date":"December 15, 2021","updated_date":null,"description":"Machine to Machine (M2M) authorization ensures that business systems communicate autonomously without human intervention and access the needed information securely and reliably.","title":"LoginRadius Launches M2M Authorization for Seamless Business Operations","tags":["industry-news","authorization","authentication"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.7699115044247788,"src":"/static/f118b3f7ee6801914b66c5a2e8352b5a/14b42/m2m-cover.jpg","srcSet":"/static/f118b3f7ee6801914b66c5a2e8352b5a/f836f/m2m-cover.jpg 200w,\n/static/f118b3f7ee6801914b66c5a2e8352b5a/2244e/m2m-cover.jpg 400w,\n/static/f118b3f7ee6801914b66c5a2e8352b5a/14b42/m2m-cover.jpg 800w,\n/static/f118b3f7ee6801914b66c5a2e8352b5a/16310/m2m-cover.jpg 1024w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Rakesh Soni","github":"oyesoni","avatar":"rakesh-soni.jpg"}}}}]},"markdownRemark":{"excerpt":"Identity is evolving, and developers are at the forefront of this transformation. Every day brings a new learning—adapting to new standards…","fields":{"slug":"/identity/developer-first-identity-provider-loginradius/"},"html":"Identity is evolving, and developers are at the forefront of this transformation. Every day brings a new learning—adapting to new standards and refining approaches to building secure, seamless experiences.
\nWe’re here to support developers on that journey. We know how important simplicity, efficiency, and well-structured documentation are when working with identity and access management solutions. That’s why we’ve redesigned the LoginRadius website—to be faster, more intuitive, and developer-first in every way.
\nThe goal? Having them spend less time searching and more time building.
\nLoginRadius’ vision is to give developers a product that simplifies identity management so they can focus on building, deploying, and scaling their applications. To enhance this experience, we’ve spent the last few months redesigning our interface— making navigation more intuitive and reassuring that essential resources are easily accessible.
\nHere’s a closer look at what’s new and why it’s important:
\n
Developers spend long hours working in dark-themed IDEs and terminals, so we’ve designed the LoginRadius experience to be developer-friendly and align with that preference.
\nThe new dark mode reduces eye strain, enhances readability, and provides a seamless transition between a coding environment and our platform. Our new design features a clean, modern aesthetic with a consistent color scheme and Barlow typography, ensuring better readability. High-quality graphics and icons are thoughtfully placed to enhance the content without adding visual clutter.
\nSo, whether you’re navigating our API docs or configuring authentication into your system, our improved interface will make those extended development hours more comfortable and efficient.
\n![\"This](\"/e5358b82be414940f3fb146013845933/capabilities.webp\")
We’ve restructured our website to provide a straightforward breakdown of our customer identity and access management platform capabilities, helping you quickly find what you need:
\nThis structured layout ensures you can quickly understand each capability and how it integrates into your identity ecosystem.
\n![\"This](\"/a8c155c2b6faf3d5f4b4de4e2b14d763/developers-menu.webp\")
We’ve been analyzing developer workflows to identify how you access key resources. That’s why we redesigned our navigation with one goal in mind: to reduce clicks and make essential resources readily available.
\nThe new LoginRadius structure puts APIs, SDKs, and integration guides right at the menu bar under the Developers dropdown so you can get started faster. Our Products, Solutions, and Customer Services are also clearly categorized, helping development teams quickly find the right tools and make informed decisions.
\n![\"This](\"/b2f9a964a2da0ea83e2f8596b833bba7/we-support-your-tech-stack.webp\")
Developers now have a clear view of the tech stack available with LoginRadius, designed to support diverse business needs.
\nOur platform offers pre-built SDKs for Node.js, Python, Java, and more, making CIAM integration seamless across popular programming languages and frameworks.
\nCheck out our revamped LoginRadius website and see how the improved experience makes it easier to build, scale, and secure your applications.
\nDo not forget to explore the improved navigation and API documentation, and get started with our free trial today. We’re excited to see what you’ll build with LoginRadius!
\n","frontmatter":{"date":"February 21, 2025","updated_date":null,"description":"LoginRadius’ vision is to give developers a product that simplifies identity management so they can focus on building, deploying, and scaling their applications. To enhance this experience, we’ve redesigned our website interface, making navigation more intuitive and reassuring that essential resources are easily accessible.","title":"Revamped & Ready: Introducing the New Developer-First LoginRadius Website","tags":["Developer tools","API","Identity Management","User Authentication"],"pinned":true,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.7857142857142858,"src":"/static/80b4e4fbe176a10a327d273504607f32/58556/hero-section.webp","srcSet":"/static/80b4e4fbe176a10a327d273504607f32/61e93/hero-section.webp 200w,\n/static/80b4e4fbe176a10a327d273504607f32/1f5c5/hero-section.webp 400w,\n/static/80b4e4fbe176a10a327d273504607f32/58556/hero-section.webp 800w,\n/static/80b4e4fbe176a10a327d273504607f32/99238/hero-section.webp 1200w,\n/static/80b4e4fbe176a10a327d273504607f32/7c22d/hero-section.webp 1600w,\n/static/80b4e4fbe176a10a327d273504607f32/1258b/hero-section.webp 2732w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Rakesh Soni","github":"oyesoni","avatar":"rakesh-soni.jpg"}}}},"pageContext":{"limit":6,"skip":324,"currentPage":55,"type":"///","numPages":161,"pinned":"ee8a4479-3471-53b1-bf62-d0d8dc3faaeb"}},"staticQueryHashes":["1171199041","1384082988","2100481360","23180105","528864852"]}