Developer thoughts: Building the authentication mechanism
PostPosted:16 Nov 2014, 22:54
One important part of our game database will be:
Every registered user has to authenticate against our server. This way the user can edit his profile, his collection etc. And he can add or edit game information from our database.
During the next weeks and months I want to implement the authentication mechanism for Oregami. As we are going to use a REST based architecture, a session based approach cannot be used. Instead of this we are going to implement a token based authentication meachanism.
A nice overview of the advantages of a token based approach can be read here, let me quote a few things:
So I am going to create a solution based on JSON Web Token. I already have my local server application that creates such a token with the help of this library. I also found the project dropwizard-auth-jwt which gives interesting insights in the integration of JSON Web Tokens in a Dropwizard application.
Every registered user has to authenticate against our server. This way the user can edit his profile, his collection etc. And he can add or edit game information from our database.
During the next weeks and months I want to implement the authentication mechanism for Oregami. As we are going to use a REST based architecture, a session based approach cannot be used. Instead of this we are going to implement a token based authentication meachanism.
A nice overview of the advantages of a token based approach can be read here, let me quote a few things:
- Cross-domain / CORS: cookies + CORS don't play well across different domains. A token-based approach allows you to make AJAX calls to any server, on any domain because you use an HTTP header to transmit the user information.
- Stateless (a.k.a. Server side scalability): there is no need to keep a session store, the token is a self-contanined entity that conveys all the user information. The rest of the state lives in cookies or local storage on the client side.
- Decoupling: you are not tied to a particular authentication scheme. The token might be generated anywhere, hence your API can be called from anywhere with a single way of authenticating those calls.
- Mobile ready: when you start working on a native platform (iOS, Android, Windows 8, etc.) cookies are not ideal when consuming a secure API (you have to deal with cookie containers). Adopting a token-based approach simplifies this a lot.
- CSRF: since you are not relying on cookies, you don't need to protect against cross site requests (e.g. it would not be possible to <iframe> your site, generate a POST request and re-use the existing authentication cookie because there will be none).
- Performance: we are not presenting any hard perf benchmarks here, but a network roundtrip (e.g. finding a session on database) is likely to take more time than calculating an HMACSHA256 to validate a token and parsing its contents.
- Standard-based: your API could accepts a standard JSON Web Token (JWT). This is a standard and there are multiple backend libraries (.NET, Ruby, Java, Python, PHP) and companies backing their infrastructure (e.g. Firebase, Google, Microsoft). As an example, Firebase allows their customers to use any authentication mechanism, as long as you generate a JWT with certain pre-defined properties, and signed with the shared secret to call their API.
So I am going to create a solution based on JSON Web Token. I already have my local server application that creates such a token with the help of this library. I also found the project dropwizard-auth-jwt which gives interesting insights in the integration of JSON Web Tokens in a Dropwizard application.