Authentication Concept
- Should be able to deploy instance on multiple servers
- Multiple clients (web, mobile, third-party sites)
- Remember-me functionality
- True logout (invalidate token)
Originally we considered setting up an OAuth 1/2 provider, but because of the complexity we decided to use a token-based authenticated method, which also meets our requirements. We will use JSON Web Tokens, which are more common than mod_auth_tkt (used in c2cgeoportal).
Although we only plan to use very basic functionnality of JWT (opaque token, no roles in payload or signature), we decided to try using it anyway since there are plugins to integrate JWT in pyramid and Angular applications.
The advantage of RSA keys is that a client can verify the signature of a token with the public key. Since our only use case is to check the token server side, we will use a single master key, which is only known on the servers.
The main advantage of using cookies is to hide the token from javascript by using HTTPOnly cookie. However, special care is necessary on the server side to handle CORS and avoid CSRF vulnerabilities. A more complex setup being more difficult to understand and to actually secure, the simpler method of retrieving and storing the token was chosen. This method is also the one used by the smartphone application.
A user logs in, the server creates a token with an (arbitrary) expiration date of 2 weeks. This token is sent in a JSON response together with information about expiration, roles, identity... To renew a token, the client can call a dedicated web-service; the old token is not invalidated to avoid concurrency issues.
The token stored in the database can be invalidated, notably when logging out. A cron removes expired cookies everyday.
With pyramid_jwtauth (Example).
- 🏠 Home
- 📖 Changelog
- 🛠️ Dev tips
- 🍪 Production Recipes
- 🚀 Deployment
- 👨🎓 Useful informations
- ☠️ Legacy
New forum admin