With all that huge number of attackers hunting users’ private information, it seems like we should work non-stop to fight the evil. Positive personages represented by testers and developers, do their best to use the newest tools, tricks, and ploys.
Today, we will talk about token based authentication for mobile applications. This is a huge part of a long and high security wall built by hundreds of technicians all over the world. We will learn more about a token itself and the process of its implementation. This is a story about a small piece of data, which plays a formidable role protecting users’ privacy.
Basically, the definition of a token based authentication is quite simple even for an amateur: at first, a customer enters his username and password with which he gets a token. It allows him to get to the particular resource without typing his private data again.
Consequently, a token is only a bit of information, which seems to have a little significance. But it becomes extremely important when you build a token based security system. If you ask us who would use tokens anyway, we say that plenty of web APIs you’ve come across are already on board: Facebook, Google+, Twitter, and many more others.
Benefits you get using tokens:
Before we dive into the token sea, we should firstly imagine the general process of a secure token authentication.
The scheme is simple but yet important to understand. When a user has just signed up for the application, he’s given an access token (D on the picture above). This token will be verified each time the user sends requests to the app. Having a token is not enough – it should be valid to continue the whole process. If the token is okay, the user gets an access to the protected resource (F on the picture).
At the beginning, let’s figure out what an authentication token means in our case. Let’s consider it as an access key, with which a user would be identified in the application without fail. Due to this definition, we can distinguish two main options on how to add such tokens to the app:
If you don’t have much time to deal with a brand new system of tokenization, just try to use libraries created for quick solutions. We suggest you learning more about JSON Web Token and Bearer Token as the systems you can rely on.
The JSON Web Token Spec describes the work of a bearer token. Such a token may consist of “key:value” pairs of attributes satisfying two types of security models: Attribute-Based Access Control (RBAC) or Role-Based Control (RBAC).
In their turn, JWT tokens are a structure of information, which has “name:value” pairs. Such tokens have three parts: Payload, Header, and Signature. They represent claims that the Payload of JSON Web Signature (JWS) consists of. Signature means the data can be affirmed by third parties without turning to the Identity Provider which generated the token. JSON Web Encryption (JWE) means that only those who were allowed to read the subject-matter of the token can do it.
OAuth allows users to get to protected areas by obtaining an access token. The OAuth 2.0 Authorization Framework defines a token as a string presenting an access to authorization given to the user.
The process of issuing tokens is held by an authorization server, and it should be approved by the owner of the resource. The token shows the scope of the grant, its duration, and other inherent features. These features are provided as an abstraction instead of concrete authorization constructs (username, password, assertion).
If you chose writing a tokenization system by yourself, it’s not that difficult as you might think. Actually, any random line can serve as a token. You should only keep in mind that such a token must be strongly and inseparably connected with the app and user.
You also have to remember that it’s better for a token to have a certain TTL (Time To Life). This concept lets a generated token to be valid during a certain period of time (for example, 30 days). Later on, the given token shouldn’t be identified as an adequate one – it has simply become obsolete and needs to be regenerated.
It’s a reason why some web platforms ask users to log in again even if they have been already authorized. But to be honest, this context is far from perfect. The token update should be imperceptible for a customer as most of the token libraries are able to refresh them on the basis of previous tokens.
As an authorization token, one may use HTTP Cookie. Meaning, we add the following pair in the attribute field of an HTPP request with the name “Cookie”:
Cookie: NAME1=VALUE_STRING1; NAME2=VALUE_STRING2 ...
Two-factor authentication (like sending an SMS) may also be regarded as a part of authentication group.
It means that when a customer tries to log in into the system, he gets a certain code on his smartphone. Entering the code in the field identifies him as a user of this concrete application.
Now, when we’re all packed with the basic information on implementing token-based authentication, we can move forward using security tendencies of current interest. But this way may be rather tricky requiring all your attention and eyes peeled.
Once, we already faced the problem of bugs in the API revealing user credentials. Dealing with tokens (as with any other security system), all your power should be directed on the weak spots of your application. And remember that any shortcoming has all chances to become a positive experience if noticed in time in the right hands.
There is no need to talk much about the importance of feeling safe. It just follows us wherever we go. Sometimes, we don’t go too far – we just open any mobile application and expect it to be secure. In this case, developers don’t have to reinvent the wheel – they just use the best practices existing on the market.
The security aspect of token based authentication has been already approved by such giant corporations as Facebook and Google+. That is why we give more diligence to learning basic information about tokens and their influence on the app’s success. Because as you know from Maslow’s hierarchy, safety is our vital need and it won’t go away.