Token verification in detail

Source: Internet
Author: User
Tags: http, authentication
Why use token authentication

Token-based authentication is ubiquitous on the Web. For most Internet companies that expose Web APIs, tokens are the most practical way to authenticate requests coming from many users.

The following properties are what make token authentication attractive for a program:

1. Stateless and scalable

2. Support for mobile devices

3. Cross-application calls

4. Security

Who uses token-based authentication

Most of the APIs and Web apps you have seen use tokens, for example Facebook, Twitter, Google+ and GitHub.

The origins of tokens

Before introducing the principles and advantages of token authentication, it is worth looking at how earlier authentication schemes work.

Server-based authentication

HTTP is stateless. This means the program has to authenticate every request in order to identify the client.

Traditionally the program identified a request using login information stored on the server side, typically in a session.

As applications moved to the Web and onto mobile devices, this kind of validation gradually showed its problems, especially with regard to scalability.

Problems with server-based session authentication

1. Session: every time an authenticated user sends a request, the server has to keep a record for that user. As more and more users send requests, the memory overhead keeps growing.

2. Scalability: when login information is kept in one server's memory, a user's requests have to keep reaching that server (or the session store has to be shared), which limits horizontal scaling.

3. CORS (cross-origin resource sharing): making data available to many mobile and Web clients means serving resources across domains. When a page uses Ajax to fetch resources from another domain, the browser blocks the request unless that domain answers with the right CORS headers.

4. CSRF (cross-site request forgery): because the browser attaches the session cookie automatically, a user who is logged in to a bank site can be made to send forged requests to the bank by another site they happen to visit.

Of these problems, scalability is the most prominent, so a more effective method is needed.

The principle of token-based verification

Token-based authentication is stateless: the server keeps no user information in a session.

This solves many of the problems that come with storing state on the server side.

No session means the program can add and remove machines as needed without worrying about which server a user logged in on.

The process of token-based authentication is as follows:

1. The user sends a request with user name and password.

2. The program verifies the credentials.

3. The program returns a signed token to the client.

4. The client stores the token and sends it with every subsequent request.

5. The server validates the token and returns the data.

Every request carries the token. The token should be sent in an HTTP header (rather than a cookie) so that requests stay stateless. We can also let the server accept requests from all domains by setting the response header access-control-allow-origin: *. The main constraint is that when that header is set to *, the response must not be combined with credentials (HTTP authentication, client TLS certificates or cookies); browsers reject a credentialed response that carries a wildcard origin.


Code instance flow:

On first login the client sends username, password and client_type; on later logins it sends the stored uid and token instead, and the login interface decides which case it is in. The page gives this as PHP-flavoured pseudocode; below it is written out as runnable Python, with a constructed in-memory user table standing in for the database:

import hashlib
import time

users = {"alice": {"uid": 1, "pwd": "s3cret"}}   # user table (constructed): username -> uid, password
token_table = {}                                   # token table: uid -> token

def login(uid=None, token=None, username=None, pwd=None, client_type=None):
    # Case 1: the client already holds a uid and token
    if token is not None and uid is not None:
        stored = token_table.get(uid)              # query the token table where UID = uid
        # Note: == is not a constant-time comparison of the two token strings
        if stored is not None and stored == token:
            return {"ok": True, "uid": uid, "token": stored}   # login successful
        return {"ok": False, "msg": "login failed"}

    # Case 2: first login with username, password and client type
    if username and pwd and client_type:
        user = users.get(username)
        if user is not None and user["pwd"] == pwd:   # verify user name and password
            uid = user["uid"]
            # Generate the token with the rule the page defines: MD5(uid . pwd . time()).
            # Note: this token is predictable (derived from the password and the current
            # second) and the table keeps the password in clear; this reproduces the
            # page's rule, it is not a recommendation.
            token = hashlib.md5(f"{uid}{pwd}{int(time.time())}".encode()).hexdigest()
            # Insert a row if the uid has no token yet, otherwise overwrite the old token
            token_table[uid] = token
            return {"ok": True, "uid": uid, "token": token}
        return {"ok": False, "msg": "wrong user name or password"}

    return {"ok": False, "msg": "missing parameters"}

The client side stores the uid and token (for example in a local file) and sends them on the next login instead of the password.


Sharing a login across applications

Once the program has authenticated the user and issued a token, that token can be used for many things.

We can even hand a token to a third-party application, which can then access our data (only the data that the specific token we issued allows).

Advantages of tokens

Stateless, scalable

Tokens kept on the client are stateless, so the service can scale out. Because no session information is stored, a load balancer can send a user's requests to any server.

If the authenticated user's information were kept in a session, every request would have to be routed to the server that holds that session (called session affinity). With a large number of users this causes bottlenecks.

After switching to tokens this problem disappears, because the token itself carries the user's authentication information.

Security

Sending the token in a request header instead of relying on a cookie prevents CSRF (cross-site request forgery): the browser attaches cookies to cross-site requests automatically, but it never adds an Authorization header on its own. Even if a cookie is used on the client side, it is only a storage mechanism; the cookie is not what authenticates the request. The trade-off is that a token the page's JavaScript can read (in localStorage or a non-HttpOnly cookie) is exposed to any XSS flaw, so the storage choice has to be made deliberately. Not keeping information in a session also means fewer session operations on the server.

Tokens are time-limited, so after a period the user has to authenticate again. We also do not have to wait for a token to expire on its own: tokens support revocation, through which a specific token, or a whole group of tokens issued under the same authentication (for example all tokens of one user), can be invalidated.
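A hardened version of the token-table flow from the code instance above, with the expiry and revocation this section describes, as an added example (not code from the original page). The function names, the constructed user table and the 3600-second lifetime are assumptions for illustration. Compared with the page's rule, the token is an unpredictable random string rather than MD5(uid.pwd.time()), only its hash is stored, the password is kept as a PBKDF2 hash, the token is read from an Authorization: Bearer header, and either a single token or all of a user's tokens can be revoked.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional


def _pbkdf2(pwd: str, salt: bytes) -> bytes:
    # Password hashing for the user table: PBKDF2-HMAC-SHA256 from the standard library.
    return hashlib.pbkdf2_hmac("sha256", pwd.encode(), salt, 100_000)


# Constructed sample user table: username -> uid, salt and password hash (no clear-text password).
_SALT = b"constructed-salt-value"
USERS = {"alice": {"uid": 1, "salt": _SALT, "pwd_hash": _pbkdf2("s3cret", _SALT)}}

TOKEN_TTL = 3600  # seconds a token stays valid (assumed value)

# Token table: sha256(token) -> {"uid": ..., "exp": ...}. Only the hash is stored, so a copy of
# the table cannot be replayed as tokens. A uid may own several rows (one per device), which is
# what makes "revoke every token of this user" meaningful.
TOKEN_TABLE: Dict[str, dict] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def login(username: str, pwd: str, now: Optional[float] = None) -> Optional[dict]:
    """Verify the password and mint an opaque random token; None on failure."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        _pbkdf2(pwd, _SALT)  # spend the same time for unknown users: no username timing oracle
        return None
    if not hmac.compare_digest(_pbkdf2(pwd, user["salt"]), user["pwd_hash"]):
        return None
    token = secrets.token_urlsafe(32)  # unpredictable; not derived from uid, password or time
    TOKEN_TABLE[_digest(token)] = {"uid": user["uid"], "exp": now + TOKEN_TTL}
    return {"uid": user["uid"], "token": token}


def authenticate(headers: Dict[str, str], now: Optional[float] = None) -> Optional[int]:
    """Resolve the uid for a request from its Authorization: Bearer header; None if not authenticated."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    key = _digest(token)
    row = TOKEN_TABLE.get(key)  # looked up by hash: no string comparison against the raw token
    if row is None:
        return None
    if now >= row["exp"]:
        del TOKEN_TABLE[key]  # expired: drop the row; the client must log in again
        return None
    return row["uid"]


def revoke_token(token: str) -> bool:
    """Invalidate one specific token (for example on logout)."""
    return TOKEN_TABLE.pop(_digest(token), None) is not None


def revoke_user(uid: int) -> int:
    """Invalidate every token issued to a user (for example after a password change)."""
    doomed = [h for h, row in TOKEN_TABLE.items() if row["uid"] == uid]
    for h in doomed:
        del TOKEN_TABLE[h]
    return len(doomed)
```

The `now` parameter exists so expiry can be exercised deterministically; in production it is simply omitted. Because the table is keyed by the hash of the token, the server never holds anything an attacker could replay if the table leaks, and revocation is a plain delete of one row or of all rows belonging to a uid.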

Scalability (extensibility)

Tokens let one application share permissions with another. For example, you can link a small social account to a large one (Facebook or Twitter). When you log in to Twitter through a service such as Buffer, you attach Buffer to your Twitter stream (you are allowing Buffer to post to your Twitter stream).

When using tokens, you can grant third-party applications selective permissions. When a user wants another application to access their data, we can build our own API that derives tokens with restricted permissions.

Multi-platform and cross-domain

We touched on CORS (cross-origin resource sharing) earlier. As applications and services expand, they come to involve many kinds of devices and applications.

Having our API serve only data, we can also make the design choice to serve assets from a CDN. This eliminates the issues CORS raises, once we set a quick header configuration for our application.

As long as the user holds a valid token, data and resources can be requested from any domain:

access-control-allow-origin: *
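How a server should compute that header, as an added example (not from the original page) covering both the wildcard case here and the caveat given earlier that * must not be combined with credentials. cors_headers, its parameters and the sample origins are assumptions for illustration; the rules it encodes (wildcard only without credentials, otherwise echo one exact allow-listed origin with Vary: Origin, and answer the preflight that a non-safelisted Authorization header triggers) are browser CORS behaviour.

```python
from typing import Dict, Iterable, Union


def cors_headers(request_headers: Dict[str, str],
                 allowed_origins: Union[str, Iterable[str]],
                 with_credentials: bool) -> Dict[str, str]:
    """Compute the CORS response headers for one request.

    allowed_origins: "*" for a public token-authenticated API, or the exact origins allowed.
    with_credentials: True when the endpoint relies on cookies, HTTP auth or client certificates.
    Returns {} when no CORS headers should be emitted (the browser then blocks cross-origin reads).
    """
    origin = request_headers.get("Origin")
    if origin is None:
        return {}  # same-origin or non-browser request: nothing to do

    headers: Dict[str, str] = {}
    if allowed_origins == "*":
        if with_credentials:
            # Browsers refuse a credentialed response whose origin is "*"; fail loudly
            # rather than ship a header the browser will reject.
            raise ValueError("Access-Control-Allow-Origin: * cannot be combined with credentials")
        headers["Access-Control-Allow-Origin"] = "*"
    elif origin in set(allowed_origins):
        headers["Access-Control-Allow-Origin"] = origin  # echo the exact allow-listed origin
        headers["Vary"] = "Origin"                       # caches must key the response on Origin
        if with_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
    else:
        return {}  # origin not allowed

    # Authorization is not a CORS-safelisted request header, so a token-bearing request is
    # preceded by an OPTIONS preflight carrying Access-Control-Request-Method. Answer it.
    if request_headers.get("Access-Control-Request-Method"):
        headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE"
        headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
        headers["Access-Control-Max-Age"] = "600"
    return headers
```

The function never reflects an arbitrary Origin: either the wildcard is acceptable (no credentials involved, which is exactly the header-carried-token case this article recommends) or the origin has to match the allow-list exactly.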

Standards-based

When creating a token you can set several options. We will describe them in more detail in a later article, but the standard form is the JSON Web Token (JWT).

Most recent libraries and documentation target JSON Web Tokens, and they are supported in a large number of languages. This means you can swap out your authentication implementation in the future while keeping the token format.

Summary

This article briefly explains why token authentication is chosen and how to use it.
