Authentication Concept
- No session on server (should be able to deploy instance on multiple servers)
- Multiple clients (web, mobile, third-party sites)
- Remember-me functionality
- True logout (invalidate token)
Originally we considered setting up an OAuth 1/2 provider, but because of the complexity we decided to use a token-based authenticated method, which also meets our requirements. We will use JSON Web Tokens, which are more common than mod_auth_tkt (used in c2cgeoportal).
The advantage of RSA keys is that a client can verify the signature of a token with the public key. Because we are not planning to embed informations in the token (like the role), and because the server will be the one who does the last decision, we don't need to verify a token on the client-side. So, we will use a single master key, which is only known on the server.
For the website: A user logins, the server sets the token on a cookie (with the HttpOnly flag, so that the cookie can not be read on the client-side with JavaScript). The expiration date on the token is set to 2 (?) weeks. To renew a token, the client can call a dedicated web-service (once per day?).
The token is stored in a database, so that it can be invalidated when logging out.
For the mobile application: The main difference is that the expiration data is set to never, so that a user only has to log in once. Also the token will not be transferred as cookie, but for example in the Authorization header (still to check what works best).
With pyramid_jwtauth (Example).
- How to remove expired tokens from the database? (use Redis? use a task for Postgres?)
- Where to store the master key in a safe manner?
- ?
- 🏠 Home
- 📖 Changelog
- 🛠️ Dev tips
- 🍪 Production Recipes
- 🚀 Deployment
- 👨🎓 Useful informations
- ☠️ Legacy
New forum admin