Implement Token Authentication

What steps should I follow to implement token authentication on my web page?

Any summary or links would be appreciated.

I want to implement something like Facebook or Google: the client logs in first and gets a token, and then uses it in the following steps. I also read about OAuth, but I do not want to provide third-party access to my application.


Thanks for the long answer, and it seems to me that I need to know more about this.

I want to know the "steps" for implementing a basic web application that uses token authentication. The user registers once, and then can perform some actions: add content, edit, etc.

I know what I'm describing looks like a session, where the server adds the SESSION_ID in the HTTP header and subsequent requests are identified and associated with this session. I read that sessions are not suitable for scaling, so I want to implement a system similar to Gmail or Facebook before going to OAuth. I'm probably talking about something like OAuth (I have not read it in depth), but one which is two-legged instead of three-legged.

+4
2 answers

You should think about your requirements, choose the appropriate protocol and some decent part of the software that implements it.

It is hard to say more without additional information:

  • Are you talking about authentication for one or more web applications? Do you need single sign-on between different web applications?
  • Must all user data be stored on your server, or can the user log in with, for example, a Google account?
  • should the token contain user information?
  • What platform are your applications developed on?
  • What authentication method should be used?
  • Do you want to implement a portal?

There is a very wide range of protocols and tools that may or may not meet your requirements:

http://en.wikipedia.org/wiki/Category:Authentication_methods

http://en.wikipedia.org/wiki/Category:Identity_management_systems

I personally like CAS ( http://www.jasig.org/cas ) for single sign-on for tokens between multiple web applications. It is based on Java, but also has some support for PHP and .Net.

OpenID is fine if you want to allow users to log in with their Google, Yahoo, or any other (custom ...) account and you don't want to store their account information yourself.

Kerberos / SPNEGO is the way to go if you want to integrate windows-sso for enterprise intranet applications.

For university applications, SAML / Shibboleth is probably best. Outside of universities it is somewhat less popular, probably because it is a rather complicated protocol.

Oh, and I almost forgot: most web frameworks / standards have their own version of plain old forms-based authentication. The user goes to the login form and enters his username and password. These are transmitted, with or without SSL, to the web application server. The server checks them against some database and gives the user a cookie, which is transmitted and checked every time the user sends a request. But next to all these brilliant protocols, it looks pretty boring :-)

And before you do anything with web authentication, you might think about web security in general ( http://journal.paul.querna.org/articles/2010/04/11/internet-security-is-a-failure/ http://www.eff.org/files/DefconSSLiverse.pdf ) and what you can do to not make it worse on your site ( http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf ).

+7

I see your point.

At the protocol level, a very simple approach to tokens is HTTP basic authentication. But this is often not suitable, since there is no logout function, etc.

A custom cookie-based simple method might look something like this:

  • The server generates some kind of secret (a value that is hard to guess)
  • When a user tries to access a protected resource, he is redirected to the login form
  • After successful authentication, he receives a cookie. This cookie contains three values: username, timestamp, and hash {username server-secret timestamp}.
  • With each user request, the server recalculates the hash value and compares it with the value that the client sends in its cookie

(more attention needed: HttpOnly and Secure flags, transport layer security, replay attacks, etc.)

Amazon S3 stores its authentication token in the HTTP header and uses the HMAC to calculate it. This is described here: http://docs.amazonwebservices.com/AmazonS3/latest/dev/index.html?S3_Authentication.html (optionally recommended for use with a browser-based web application)

If there's a book about REST next to you, you can see if it has a chapter on authentication. It is probably explained much better there than here :-)

There are several frameworks that can perform this type of authentication. For security reasons, it would be wise to try them before implementing your own.

+1
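The cookie scheme sketched in the answer above (username, timestamp, and a keyed hash over them, recomputed by the server on every request) written out as an added example; this is not code from the original thread. It uses HMAC-SHA256 as the keyed hash, as the answer mentions for Amazon S3, and adds the checks the answer lists as "more attention needed": constant-time comparison of the presented hash, an expiry window against replay of old cookies, and the HttpOnly / Secure flags on the Set-Cookie header. The server secret, the cookie name `auth`, the `|` separator and the one-hour lifetime are all assumptions made for the example.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed secret for this example only. A real server would generate it
# with os.urandom() at deployment time and keep it out of source control.
SERVER_SECRET = b"example-server-secret-not-for-production"

# Assumed lifetime: a cookie older than this is rejected even if its hash is
# valid, which limits how long a captured cookie can be replayed.
TOKEN_LIFETIME_SECONDS = 3600

# Field separator inside the cookie value (assumption). Usernames may not
# contain it, otherwise the token could not be split unambiguously.
SEPARATOR = "|"


def _signature(username: str, timestamp: int, secret: bytes = SERVER_SECRET) -> str:
    """HMAC-SHA256 over username and timestamp, keyed with the server secret.

    This is the 'hash {username server-secret timestamp}' of the answer; using
    HMAC rather than a plain hash of the concatenation avoids length-extension
    issues and keeps the secret as a proper key.
    """
    message = f"{username}{SEPARATOR}{timestamp}".encode("utf-8")
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def issue_token(username: str, now: Optional[int] = None) -> str:
    """Build the cookie value after a successful login: user|timestamp|hash."""
    if SEPARATOR in username:
        raise ValueError("username must not contain the separator")
    timestamp = int(time.time()) if now is None else now
    return SEPARATOR.join([username, str(timestamp), _signature(username, timestamp)])


def verify_token(token: str, now: Optional[int] = None,
                 lifetime: int = TOKEN_LIFETIME_SECONDS) -> Optional[str]:
    """Return the username if the cookie is authentic and unexpired, else None.

    The server recomputes the hash from the username and timestamp it received
    and compares it with the hash the client presented.
    """
    parts = token.split(SEPARATOR)
    if len(parts) != 3:
        return None
    username, timestamp_text, presented = parts
    if not timestamp_text.isdigit():
        return None
    timestamp = int(timestamp_text)

    # Constant-time comparison so a forger cannot learn the hash byte by byte
    # from response timing.
    expected = _signature(username, timestamp)
    if not hmac.compare_digest(expected, presented):
        return None

    # Reject cookies from the future and cookies older than the lifetime.
    current = int(time.time()) if now is None else now
    if timestamp > current or current - timestamp > lifetime:
        return None
    return username


def set_cookie_header(token: str) -> str:
    """Set-Cookie line with the flags the answer says need attention.

    HttpOnly keeps the cookie away from page scripts, Secure restricts it to
    HTTPS, SameSite=Lax stops most cross-site requests from carrying it.
    """
    return f"Set-Cookie: auth={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    token = issue_token("alice")
    print(set_cookie_header(token))
    print("verified as:", verify_token(token))
```

The weak spot of this design is the single server secret: everyone who can read it can mint cookies for any user, and rotating it logs every user out at once, which is the trade-off against a server-side session store that the question asks about.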

Source: https://habr.com/ru/post/1334128/

