spring - Token based authentication for user and separate module -

-

i have 2 scenarios want implement token based authentication:

  1. i want implement token based authentication when user logs in. i.e.. based on username , password , user should token , token should used every request.

  2. i have separate independent module has id , secret key. has communicate server in specific interval. want implement token based authentication module also.

in both cases token should have these properties:

  1. it should in payload.
  2. it should have timeout period
  3. when token expires server should provide new token,if session not expired else should logout.

is oauth 2.0 right choice? if other approach better, please tell me. should solve problem? best place put token in request -payload or header? , why?

oauth 2.0 choice requirements mentioned: timeout period , refresh-ability.

stormpath has excellent oauth2.0 implementation gives looking out of box.

stormpath has both remote , local oauth2 implementations , both freely available. remote case can rely on our backend using rest client (http://docs.stormpath.com/guides/token-management/) , of our sdks. local case can use our servlet plugin run web-app out of box oauth2 support. using docs link above, can find documentation these resources.

using stormpath spring boot integration, instance, this:

http -v --form post http://localhost:8080/oauth/token \ > 'origin:http://localhost:8080' \ > grant_type=password username=micah+demo.jsmith@stormpath.com password=<actual password>

(this example uses httpie interact locally running spring boot instance). line i've bolded above conforms oauth2.0 spec authenticating usernames , passwords. response like:

http/1.1 200 ok cache-control: no-store content-length: 325 content-type: application/json;charset=utf-8 date: tue, 04 aug 2015 16:02:08 gmt pragma: no-cache server: apache-coyote/1.1 set-cookie: account=eyjhbgcioijiuzi1nij9.eyjqdgkioiixndqynmqxmy1mnthiltrhndetymvkzs0wyjm0m2zjzdfhyzailcjpyxqioje0mzg3mdqxmjgsinn1yii6imh0dhbzoi8vyxbplnn0b3jtcgf0ac5jb20vdjevywnjb3vudhmvnw9nnfdjm1a0eel3cdrxauriumo4mcisimv4cci6mtqzodk2mzmyoh0.wcxrs5ygtuoewakqoql5jhiq109s1fmnopl_50hr_t4; expires=wed, 05-aug-2015 16:02:08 gmt; path=/; httponly  {     "access_token": "eyjhbgcioijiuzi1nij9.eyjqdgkioiixndqynmqxmy1mnthiltrhndetymvkzs0wyjm0m2zjzdfhyzailcjpyxqioje0mzg3mdqxmjgsinn1yii6imh0dhbzoi8vyxbplnn0b3jtcgf0ac5jb20vdjevywnjb3vudhmvnw9nnfdjm1a0eel3cdrxauriumo4mcisimv4cci6mtqzodk2mzmyoh0.wcxrs5ygtuoewakqoql5jhiq109s1fmnopl_50hr_t4",     "expires_in": 259200,     "token_type": "bearer" }

this provides bearer token can used on subsequent requests expiration. plus, has advantage of being jwt - json web token. jwt cryptographically signed ensure hasn't been tampered , can decoded provide additional meta-information client, including user information, access controls , expiration.

you similar using grant_type=authorization_code interacting using id , secret, such independent module mentioned.

this article goes more detail on token authentication java.

full disclosure: stormpath employee , wrote article referenced above.


Comments

Post a Comment

Popular posts from this blog

yii2 - Yii 2 Running a Cron in the basic template -

-
i have seen instructions on running cron in advanced template, cant figure out how on basic template. have following controller in basic controllers folder. <?php namespace app\controllers; use yii\console\controller; /** * cron controller */ class croncontroller extends controller { public function actionindex() { echo "cron service runnning"; } public function actionmail($to) { echo "sending mail " . $to; } } i have navigated root of application , tried these comands yii cron php yii cron im getting unknown comand "cron" i know old question failed find actual answer this. if @ code yii exec file you'll notice requires /common/config/aliases.php file console/config/main.php. can naturally change these or copy on these advanced template. hope solves problem wanting same thing.
Read more

asp.net - 'System.Web.HttpContext' does not contain a definition for 'GetOwinContext' Mystery -

-
i realize question might seem trivial some, it's these types of things find myself fighting quite bit , want make sense of despite seeming losing battle in .net (for me anyway). so, if following: using system.web; ... applicationuser user = system.web.httpcontext.getowincontext().getusermanager<applicationusermanager>().findbyid(system.web.httpcontext.user.identity.getuserid()); that produces error in title , red getowincontext() , error cannot resolve symbol 'getowincontext()' however, if following (remove system.web in front of httpcontext ), works expected (or @ least no errors): using system.web; ... applicationuser user = httpcontext.getowincontext().getusermanager<applicationusermanager>().findbyid(system.web.httpcontext.user.identity.getuserid()); however, if (same line that's working using system.web commented out): //using system.web; ... applicationuser user = httpcontext.getowincontext().getusermana...
Read more

mercurial graft feature, can it copy? -

-
there new feature in mercurial 3, called 'graft' (graft local). job of moving change-set different branch. is there way "copy" change-set branch? i interested in in moving stuff qa branch production branch, still need code reside in qa. want copy. found , have tried few things, maybe it'll become clear more tinkering , reading... does have better way of 'cherry picking' change-sets move cross branch (or trunk)??? graft copies changesets, doesn't move them. hg graft (emphasis mine): this command uses mercurial's merge logic copy individual changes other branches without merging branches in history graph. known 'backporting' or 'cherry-picking' . default, graft copy user, date, , description source changesets.
Read more