what’s i am going on ?
Authentication server is a very important part of your whole project , which is responses for user authorization ,role identify and so on. Now days ,token based authentication is becoming more and more prevailing with the thrilling developments of web app and SPA which may have requirements of multi device login and working with scalable RESTful back end.So …no more talking ,let’s start.
what is token based authentication?
At the early time of Web development , it’s a era of session cookie.To be concise , session cookie authentication is a strategy that browser store the session id of a session in the cookie and take the session cookie alongside each http/https request , then the servers can identify the user by it session id.This authentication strategy works well with conventional website.But people are always discontent, especially when we meet the amazing magic of SPA and WebApp.The conventional cookie based authentication are not convenient any more when it encounter the demands of multi device login ,user role management ,system scalability and security.
To solve those problems, we need token based authentication.In a word token based authentication is a strategy that client end communicates with the server end by a token which is encrypted by cryptographic algorithem .And a exclusive advantage of it is that we can use token based authentication to enable the third part have the access to protect resource by api.
There many method to encode your message and yield a token you can use ,but today we will use the JSON Web Token(initial: JWT) . JWT is a standard method to encode and generate a token.It consists of three part: header ,payload and verify signature.To get more information about JWT.
A complete authorize process is show below.
Client end need to request Auth Server with account info to get validating and if success Auth Serve will response with a access token for client end.And client end need to take the token alongside its request when touch the protected resources.If the token expired or invalid, Api Server will response with an unauthorized error.
As a consequence of the stateless feature of JWT, we will encounter some problems when user change their password or logout all sign-in devices.We use algorithem to validate whether a token is valid or invalid, so if the valid token isn’t expired the validate results will always be ok no matter whether the user has logon out or changed password.This is very mortal for some monetary servers and online mall.
We have many methods to resolve that issue, but all of them are based on storing the generated token into the database ,which can not circumvent to have a database query in each request.Here we meet a dilemma , if we store token into database , this gives it state feature but will lose the performances.Oppositely ,we will lose the security of token based authentication.So how about do some compromise , we can use another token called refresh token ,which can be used to get an access token when it expired.In this way ,we can set the expired time of access token to very short such as 3 to 5 minutes and set the refresh token’s to 14days or longer.Below let’s see some brief schematic.
In this case, client end request the Auth Server to apply authorize , the server end will response a refresh token and access token after validating the account and password.And sequently client will use the access token to request the Api server.As we set the access token life time very short ,after its expired, server will response a unauthorized error to ask the client end to get the access token with previous refresh token.Then client request with refresh token and server verify the refresh token by querying in the database.
Though with this method ,we still need to persist the token into database ,but we decrease the database query times.To optimize this, we even can use REDIS to improve the database query performance.
