You might have heard the term user authentication often. It is nothing but verifying whether the user accessing a system is genuine. There are many ways to accomplish this; the most commonly used is authentication with passwords. A few major problems that arise with this traditional authentication method are:
- The server needs to store the details of each authenticated user. When many users are using the system, this increases the server's overhead in terms of memory usage.
- Because the user details are stored in memory (sessions), scaling becomes a problem. To handle application load, cloud providers replicate servers, and keeping vital information in a session restricts our ability to scale.
- When the data of our application is to be consumed by mobile devices, we need to consider cross-origin resource sharing (CORS). When using AJAX calls to access the resources of other applications through their APIs, our requests can be forbidden.
- We also need protection against cross-site request forgery (CSRF). Since the user is already authenticated with a system, say an e-commerce site where he has stored bank details such as credit/debit cards, he is susceptible to CSRF attacks, which can be exploited while he visits other sites.
With these problems, scalability being the main one, it made sense to try a different approach.
Token Based Authentication
Token-based authentication is stateless. We are not storing any information about our user on the server or in a session. This will be the solution to many of the problems with having to store information on the server. No session information means your application can scale and add more machines as necessary without worrying about where a user is logged in.
Although the implementation of token-based authentication may vary, the general process is:
- The client accesses a restricted resource with a username / password.
- The server validates the credentials.
- The server provides a token to the client.
- The client stores that token and sends it along with every request.
- The server verifies the token on each request and responds with the data.
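The five steps above, as an added example in plain Ruby (this is not code from the original post). The user table and the issued-token table are constructed in-memory hashes standing in for a database; passwords are stored only as salted PBKDF2 digests, and the issued token is a random value the server can look up on every request.

```ruby
require 'securerandom'
require 'openssl'

# Added example, not code from the original post: the five-step token flow.
# @users and @tokens are constructed in-memory stand-ins for database tables.
class TokenAuthServer
  TOKEN_TTL = 15 * 60 # seconds an issued token stays valid

  def initialize
    @users  = {} # username => { salt:, digest: }
    @tokens = {} # token    => { username:, expires_at: }
  end

  # Only a salted digest of the password is stored, never the password itself.
  def register(username, password)
    salt = SecureRandom.hex(16)
    @users[username] = { salt: salt, digest: digest(password, salt) }
    username
  end

  # Steps 1-3: the client presents username/password, the server validates
  # them and, on success, issues a random token. nil is returned for both an
  # unknown user and a wrong password so the response does not reveal which.
  def login(username, password)
    record = @users[username]
    return nil unless record
    return nil unless secure_equal(record[:digest], digest(password, record[:salt]))

    token = SecureRandom.urlsafe_base64(32) # 256 bits of randomness: unguessable
    @tokens[token] = { username: username, expires_at: Time.now + TOKEN_TTL }
    token
  end

  # Step 5: each request carries the token; the server looks it up, checks it
  # has not expired and resolves the user before serving the resource.
  def authenticate(token)
    entry = @tokens[token]
    return nil unless entry
    if entry[:expires_at] <= Time.now
      @tokens.delete(token) # expired tokens are dropped so they cannot be reused
      return nil
    end
    entry[:username]
  end

  def logout(token)
    @tokens.delete(token)
    nil
  end

  private

  def digest(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32,
                               OpenSSL::Digest.new('SHA256')).unpack1('H*')
  end

  # Constant-time comparison so response timing does not leak the digest.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  server = TokenAuthServer.new
  server.register('alice', 'correct horse battery staple') # constructed credentials
  token = server.login('alice', 'correct horse battery staple')
  puts "issued token: #{token}"
  puts "user for token: #{server.authenticate(token).inspect}" # "alice"
  server.logout(token)
  puts "after logout: #{server.authenticate(token).inspect}" # nil
end
```

Note that step 5 still requires a server-side lookup of the token on every request, which is exactly the database round-trip discussed under the disadvantages further down.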
Advantages of token-based authentication
- Tokens are stored on the client side. Completely stateless, and ready to be scaled.
- CSRF attacks can be prevented by using tokens.
- We can make the token valid only for a particular period by setting an expiry time on each token, so when a user tries to access the system with an expired token he is required to log in again.
- We could even create a permission-based token and pass it along to a third-party application (say a new mobile app we want to use), which will then be able to access our data.
Disadvantages of token-based authentication
- The client needs to send the access token to the server on every request, and the server needs to retrieve the user who is accessing the resource from the database based on that token. So the server has to interact with the database on each request to obtain the user details.
- If tokens are created without any expiry, they can be misused by attackers. Once an attacker gets hold of a token, he gains that user's entire access.
- If tokens do have an expiry time, the user needs to log into the system frequently; this can irritate the user, as he has to enter his username and password each time a token expires.
Let's see how to overcome these disadvantages
As said earlier, we need to make the token valid for a certain period only; otherwise these tokens can be misused. But we also need to consider the user experience, as asking a user to log in frequently will irritate him a lot. This can be solved using the refresh token mechanism.
The server provides two tokens to the user after a successful sign-in: a refresh token and an access token. The access token is what we discussed above; the refresh token is a separate unique token issued to the user. A refresh token differs from an access token in its expiry: a refresh token has a much longer validity than the access token. So whenever an access token expires, the client uses the refresh token to obtain a new access token, and the newly obtained token is used in further requests for accessing the application's resources. We force the user to enter his credentials only when the refresh token itself expires. This solves the problem of forcing a user to provide his credentials frequently.
But how do we solve the problem of querying the DB for the user details on each request? This is where JWT helps us.
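The refresh token mechanism just described, as an added example (not code from the original post). The issuer hands out an access/refresh pair with different lifetimes, serves resource requests from the access token, and exchanges a still-valid refresh token for a new pair. Credential checking is assumed to have already succeeded, so issue_pair takes an authenticated username; the token stores are constructed in-memory hashes, and the clock is injectable so expiry can be exercised without waiting.

```ruby
require 'securerandom'

# Added example, not code from the original post: access + refresh token pair.
# The two hashes stand in for database tables; `clock` is injected for testing.
class RefreshTokenIssuer
  ACCESS_TTL  = 15 * 60           # short-lived: limits the damage if it leaks
  REFRESH_TTL = 14 * 24 * 60 * 60 # long-lived: how long before a full re-login

  def initialize(clock: -> { Time.now })
    @clock   = clock
    @access  = {} # access token  => { user:, expires_at: }
    @refresh = {} # refresh token => { user:, expires_at: }
  end

  # After a successful sign-in the client receives both tokens.
  def issue_pair(username)
    now     = @clock.call
    access  = SecureRandom.urlsafe_base64(32)
    refresh = SecureRandom.urlsafe_base64(32)
    @access[access]   = { user: username, expires_at: now + ACCESS_TTL }
    @refresh[refresh] = { user: username, expires_at: now + REFRESH_TTL }
    { access_token: access, refresh_token: refresh }
  end

  # Called on every resource request. nil means "reject"; the client should
  # then try the refresh token rather than prompt the user for credentials.
  def user_for_access(token)
    live(@access, token)&.fetch(:user)
  end

  # Exchanges a refresh token for a brand-new pair. The old refresh token is
  # deleted (rotation), so a copy stolen earlier cannot be replayed once the
  # legitimate client has used it. nil means the refresh token is unknown or
  # expired: only now does the user have to log in again.
  def refresh(token)
    entry = live(@refresh, token)
    return nil unless entry
    @refresh.delete(token)
    issue_pair(entry[:user])
  end

  private

  # Returns the stored entry only if it exists and has not expired.
  def live(store, token)
    entry = store[token]
    return nil unless entry
    if entry[:expires_at] <= @clock.call
      store.delete(token)
      return nil
    end
    entry
  end
end

if __FILE__ == $PROGRAM_NAME
  issuer = RefreshTokenIssuer.new
  pair = issuer.issue_pair('alice') # 'alice' is a constructed, already-authenticated user
  puts "resource request as: #{issuer.user_for_access(pair[:access_token]).inspect}"
  renewed = issuer.refresh(pair[:refresh_token])
  puts "new access token issued: #{!renewed.nil?}"
  puts "old refresh token reusable: #{!issuer.refresh(pair[:refresh_token]).nil?}" # false
end
```

Rotating the refresh token on every use is a design choice beyond the bare mechanism in the text: it keeps the long-lived credential single-use, so a leaked copy is worth nothing after the next legitimate refresh.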
Now let's look at JWT (JSON Web Tokens)
JSON Web Tokens
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.
The reasons why JWT is used:
Because of their smaller size, JWTs can be sent through a URL, a POST parameter, or inside an HTTP header. Since the tokens are compact, transmitting them is fast.
The payload contains all the required information about the user, avoiding the need to query the database more than once.
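An HS256-signed JWT built and verified with only the Ruby standard library, as an added example (not code from the original post or from any JWT library). It shows the header.payload.signature structure, the HMAC-SHA256 signature over the first two parts, and a verifier that pins the algorithm, compares signatures in constant time and enforces the exp claim; the secret and the claims are constructed sample values.

```ruby
require 'openssl'
require 'json'

# Added example, not code from the original post: minimal HS256 JWT.
module SimpleJwt
  class VerificationError < StandardError; end

  # base64url without padding, as RFC 7519 requires
  def self.b64url(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.b64url_decode(str)
    padded = str.tr('-_', '+/') + '=' * ((4 - str.length % 4) % 4)
    padded.unpack1('m0') # strict decode: raises ArgumentError on bad input
  end

  # header.payload.signature; the signature covers "header.payload".
  def self.encode(claims, secret)
    header  = b64url(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
    payload = b64url(JSON.generate(claims))
    signing_input = "#{header}.#{payload}"
    sig = OpenSSL::HMAC.digest('sha256', secret, signing_input)
    "#{signing_input}.#{b64url(sig)}"
  end

  # Returns the claims only if the signature is valid for this secret and the
  # token has not expired; anything else raises VerificationError.
  def self.decode(token, secret, now: Time.now.to_i)
    parts = token.split('.', -1)
    raise VerificationError, 'malformed token' unless parts.length == 3
    header_b64, payload_b64, sig_b64 = parts

    header = JSON.parse(b64url_decode(header_b64))
    # Pin the algorithm: the token must never tell the server how to verify it.
    unless header.is_a?(Hash) && header['alg'] == 'HS256'
      raise VerificationError, 'unexpected alg'
    end

    expected = OpenSSL::HMAC.digest('sha256', secret, "#{header_b64}.#{payload_b64}")
    actual   = b64url_decode(sig_b64)
    raise VerificationError, 'bad signature' unless secure_equal(expected, actual)

    claims = JSON.parse(b64url_decode(payload_b64))
    raise VerificationError, 'claims not an object' unless claims.is_a?(Hash)
    if claims.key?('exp') && claims['exp'].to_i <= now
      raise VerificationError, 'token expired'
    end
    claims
  rescue ArgumentError, JSON::ParserError
    raise VerificationError, 'undecodable token'
  end

  # Constant-time comparison of two equal-length byte strings.
  def self.secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-example-secret' # in practice: a long random key from config
  token  = SimpleJwt.encode({ 'sub' => 'alice', 'role' => 'admin',
                              'exp' => Time.now.to_i + 900 }, secret)
  puts token
  # The user details come straight out of the verified payload: no DB query.
  puts SimpleJwt.decode(token, secret).inspect
end
```

Because the verified payload already carries the user's identity and role, a request can be authorised without a database round-trip, which is the point made above; the trade-off is that whatever is in the payload stays valid until exp, so anything that must be revocable immediately does not belong there.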
We have seen why we should use token-based authentication, how it works, its advantages and disadvantages along with the measures that can be taken to overcome those disadvantages, and a small intro to JSON Web Tokens. In the upcoming blog, we will see how to use JWT for user authentication.
Junior ROR Developer,