Authentication Concept

gberaudo edited this page Dec 11, 2015 · 6 revisions

Requirements

  • Should be able to deploy instance on multiple servers
  • Multiple clients (web, mobile, third-party sites)
  • Remember-me functionality
  • True logout (invalidate token)

Authentication method

Originally we considered setting up an OAuth 1/2 provider, but because of the complexity we decided to use a token-based authentication method, which also meets our requirements. We will use JSON Web Tokens (JWT), which are more common than mod_auth_tkt (used in c2cgeoportal).

Although we only plan to use very basic functionality of JWT (opaque token, no roles in the payload or signature), we decided to try it anyway since there are plugins to integrate JWT in Pyramid and Angular applications.

Master key vs. RSA keys

The advantage of RSA keys is that a client can verify the signature of a token with the public key. Since our only use case is checking the token on the server side, we will use a single master key, which is known only to the servers.

Cookies vs. token in web storage

The main advantage of cookies is that an HttpOnly cookie hides the token from JavaScript. However, the server side then needs special care to handle CORS and to avoid CSRF vulnerabilities. Because a more complex setup is harder to understand and to actually secure, the simpler method of retrieving the token and storing it in web storage was chosen. This is also the method used by the smartphone application.

Concept

When a user logs in, the server creates a token with an (arbitrary) expiration date of 2 weeks. This token is sent in a JSON response together with information about expiration, roles, identity... To renew a token, the client calls a dedicated web service; the old token is not invalidated, to avoid concurrency issues.

The token stored in the database can be invalidated, notably when logging out. A cron job removes expired tokens from the database every day.
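The concept above (master-key HS256 JWT, renewal that leaves the old token valid, database-backed invalidation for true logout, daily purge) as an added, stand-alone example; this is not the project's pyramid_jwtauth code. The key, the in-memory dictionary standing in for the token table, and the claim names sub/jti/exp are assumptions.

```python
import base64, hashlib, hmac, json, secrets

TOKEN_LIFETIME = 14 * 24 * 3600  # two weeks, the (arbitrary) expiry chosen above

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class TokenService:
    """HS256 JWTs signed with the server-only master key, plus a server-side record of
    each token id (jti) so a token can be invalidated before it expires (true logout)."""
    def __init__(self, master_key: bytes):
        self.key = master_key
        self.active = {}  # jti -> exp; stands in for the token table in the database (assumption)

    def _sign(self, signing_input: str) -> str:
        return _b64(hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest())

    def issue(self, user: str, now: float) -> str:
        exp, jti = int(now) + TOKEN_LIFETIME, secrets.token_urlsafe(16)
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = _b64(json.dumps({"sub": user, "jti": jti, "exp": exp}).encode())
        self.active[jti] = exp  # roles stay out of the token; they go in the JSON response
        return f"{header}.{payload}.{self._sign(header + '.' + payload)}"

    def verify(self, token: str, now: float):
        """Claims if signature, expiry and the server-side record all check out, else None.
        The header's alg is deliberately ignored: the server only ever verifies with HMAC."""
        parts = token.split(".")
        if len(parts) != 3:
            return None
        expected = self._sign(parts[0] + "." + parts[1])
        if not hmac.compare_digest(parts[2].encode(), expected.encode()):  # constant time
            return None
        claims = json.loads(_unb64(parts[1]))
        if claims["exp"] <= now or claims.get("jti") not in self.active:
            return None  # expired, or invalidated by a logout
        return claims

    def renew(self, token: str, now: float):
        claims = self.verify(token, now)  # the old token is deliberately left valid
        return None if claims is None else self.issue(claims["sub"], now)

    def logout(self, token: str, now: float) -> bool:
        claims = self.verify(token, now)
        if claims is None:
            return False
        del self.active[claims["jti"]]  # true logout: the token is refused from now on
        return True

    def purge_expired(self, now: float) -> int:
        """What the daily cron does: drop records whose expiry has passed."""
        stale = [j for j, exp in self.active.items() if exp <= now]
        for j in stale:
            del self.active[j]
        return len(stale)
```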

Implementation

With pyramid_jwtauth (Example).

Links