Token-based authentication from a mobile application

I am studying token-based authentication using JSON Web Tokens, and here is how I see it now for a mobile application built using, for example, Swift:

  • I can create an object inside the application using user input like

    {username: "patrickbateman", password: "ismyknifesharp", role: "regular", ...}

  • Then I can generate a JWT token from it using.

  • Then I send it to a supported API endpoint, for example /api/contacts/list. Or do I need to send a login / password so that they authenticate?
  • The server somehow checks the correctness of the token. But how? Should this server token be stored in the database and used as a key? Or do I need to generate a token on the server every time I receive a request from a client and compare it with a client token?
  • Get and manage all the necessary data.

Here are my findings:

  • I do not need to send a login / password pair to the server for user authentication.
  • I need to send a token every time I need to receive data for authentication only.
  • I have to implement some algorithm that modifies the generated token due to some factors, such as the passage of time, to make the tokens available.
  • I have to send the token inside the headers, but not necessarily, as this can be done inside the body of JSON requests.

Are these conclusions correct? How to check the token that the client sends?

1 answer

My opinion:

  • We must not store the user password on the client. The client must send the password to the server during registration / login and not save it anywhere in the client. The request must be over HTTPS, and the password must not be encrypted. We will encrypt the password later on the server side.

  • The server will generate a token for this user after the user has successfully logged in. The token will contain its expiration date itself. We will use the token to authenticate permissions with the server.

  • I think that every API request should provide a token, with the exception of registering / logging in / forgetting the password.

  • The token should be placed in the request header.

  • The server should issue the client a new token in exchange for the old token (possibly expired).

And the answer for "How does the server verify the token from the client?". There are many ways to do this. Below is my approach:

A token is created on the server side: it is the user info string (for example the token expiration time, user id, role, ...) encrypted with a password (stored only on the server side) using HMAC or RSA algorithms. When the user sends a token, the server can decrypt it and get the user info and elapsed time without a request to the database.

In any case, this question is not related to the Swift tag.


Source: https://habr.com/ru/post/1235667/
