Best way to create a TOKEN system to authenticate web service calls?

web-services security authentication authorization token
35,573

Solution 1

If you're only using one token which is given by the server on the initial authentication, it can be used for any request if it's intercepted. Your only defense is the expiration time.

Beyond that, it depends on what your implementation options are.

A more secure system is to add a timestamp (and possibly a nonce) to each request, sign that, and include that with each request. It requires that the client handles the authentication credentials, knows the signing implementation, and signs each request.

You could alternately have the server authenticate with each request (which could be done with OpenID) or hand out a number of tokens and re-authenticate when more are needed (which could be done with OAuth). If the client can store credentials, these can be invisible to the user. These are more complex, requiring an encrypted transport such as SSL for some of the interactions, and a client which can speak HTTP redirects and handle cookies or other stored state. The client wouldn't have to know how to sign, but if you can do SSL, you probably don't need the complexity in the first place.

If you don't need to be client-agnostic, you probably want to sign requests.

For signing implementations, examples, and libraries, look at Amazon Web Services, OpenID, or OAuth.

Regarding the token expiration time, it depends on your needs. A longer token life increases the window replay attacks. A nonce makes a token single-use, but requires more state on the server.

Solution 2

You should check out OAuth. It's a standard for API authentication, you can probably just plug an existing implementation into your service.

Share:
35,573

Related videos on Youtube

Neal
Author by

Neal

Updated on July 09, 2022

Comments

  • Neal
    Neal almost 2 years

    I'd like to create a web service architecture that can be called by various platforms such as mobile devices, winforms applications, iphone, blackberry, you name it. So going with something like WCF and wsHttp binding probably kills this and I would need to downgrade to a basicHttp binding for compatibility.

    With that said, I need a system to generate a token on initial login (authentication) and then use this token for all subsequent calls, I guess, to validate the authentication and allow the method to execute.

    Anyone have tips or suggestions on how to go about this? 1) Generate a token and what's involved in a secure token? 2) How long is the token good for, some users may use their application for hours and possibly even "sleep" their computer

    Thank you for the advice.

    • Neal
      Neal over 14 years
      My question is more on what is the best way to transport this token back and forth and with all calls, not so much on how to authenticate. Once the server generates this token (serialized class) what is the best way to attach it to all subsequent calls? As a parameter to methods or can it be attached as a header or something so it's transparent to all methods (service contracts)
  • Miha Hribar
    Miha Hribar over 14 years
    The OAuth protocol allows you to set the parameters to your liking. I would suggest you look at some service providers and check out what they have done with OAuth. wiki.oauth.net/ServiceProviders

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

JAX-WS webservice and @rolesAllowed
D-Bus authentication and authorization
REST Web Service authentication token implementation
WCF Authentication with custom ClientCredentials: What is the clientCredentialType to use?
How to create a authentication token using Java
Android: Is it a good idea to store Authentication Token in Shared Preferences?
Sessions vs. Token based authentication
Laravel: What is "remember_token" in the "users" DB table?
Best practices for server-side handling of JWT tokens
What is token-based authentication?