Skip to content

Authentication Concept

Jump to bottom Edit New page
gberaudo edited this page Nov 6, 2015 · 6 revisions

Requirements

  • Should be able to deploy instance on multiple servers
  • Multiple clients (web, mobile, third-party sites)
  • Remember-me functionality
  • True logout (invalidate token)

Authentication method

Originally we considered setting up an OAuth 1/2 provider, but because of the complexity we decided to use a token-based authenticated method, which also meets our requirements. We will use JSON Web Tokens, which are more common than mod_auth_tkt (used in c2cgeoportal).

Although we only plan to use very basic functionnality of JWT (opaque token, no roles in payload or signature), we decided to try using it anyway since there are plugins to integrate JWT in pyramid and Angular applications.

Master key vs. RSA keys

The advantage of RSA keys is that a client can verify the signature of a token with the public key. Since our only use case is to check the token server side, we will use a single master key, which is only known on the servers.

Concept

For the website: A user logins, the server sets the token on a cookie (with the HttpOnly flag, so that the cookie can not be read on the client-side with JavaScript). The expiration date on the token is set to 2 (?) weeks. To renew a token, the client can call a dedicated web-service (once per day?); the old token is invalidated. The expiration time and maybe other information would be available in a separate cookie, readable by client.

The token is stored in a database, so that it can be invalidated, notably when logging out.

For the mobile application: The main difference is that the expiration data is set to never, so that a user only has to log in once. Also the token will not be transferred as cookie, but for example in the Authorization header (still to check what works best).

Implementation

With pyramid_jwtauth (Example).

Open questions

  • How to remove expired tokens from the database? (use Redis? use a task for Postgres?)
  • Where to store the master key in a safe manner?
  • Generate CSRF and embed it, crypted, inside the token? Check the referer instead?
  • How to authenticate different domains by a unique auth service? Will the cookies be overwritten?
  • How to load a protected page like "http://site/admin" in the browser (no CSRF header)?

Links

⛰️ Production UIProduction APIProd 🧗‍♀️

Clone this wiki locally