Reputation: 43153
Rails: token authentication from scratch
I've got a rails app I want to start enabling some iOS integration with. I have a basic authentication system built mostly from scratch with a little help from Sorcery.
My understanding is there's basically two options for mobile integration: HTTP Basic Auth or Token Auth. From what I've been able to find so far it looks like Token Authentication is the preferred method.
I am not familiar with what token authentication is or how it is supposed to work, and I have not really been able to find any decent guides on this, except for a few tutorials on how to use the relevant module in the Devise library.
So, my question is, what is the basic theory of Token Authentication, and what would a from-scratch token auth system in rails look like? I understand that sharing the code for the entire system might be overkill for an SO answer, but I would be very grateful if anyone can help me understand a basic schematic of how such a system is supposed to work. I'd also happily accept links to any good existing materials on how to do this from scratch, as the main problem is I haven't been able to find anything like that.
Thanks!
Upvotes: 10
Views: 3131
Answers (3)
Reputation: 1456
Devise and Authlogic have a nice Token Authentication solution. You can either use one of these gems or to implement your own check their source code for inspiration.
Below is my understanding of how token authentication works:
- The user signs in using a username/password combination through a post request.
- You authenticate the user and generate a unique token and store it in the db.
- You send this token back to the iOS device.
- The device stores this token in memory.
- Any subsequent call to the api need this token passed in as an additional param to auth the user.
- For this process to be secure this token needs to have an expiration date and the communication between the iOS device and the server must be encrypted through SSL.
- For convenience you can store the user credentials on the device using the iOS keychain.
I hope this helps.
Upvotes: 10
Reputation: 7684
ember-auth has a nice tutorial for token authentication for rails with devise and ember. However, it could also be applied to sorcery or to a custom authentication system. I think this is the best approach to authentication for an ember.js App.
https://github.com/heartsentwined/ember-auth-rails-demo
Upvotes: 2
Reputation: 4922
I think there are three difficulties here.
- There are very few books focused on authentication technique
- The key word "token authentication" is confusing to use in security/authentication field.
- Rails related documentation tend to be "how to."
So, Googling won't reveal good resources for this purpose. I know this field well, but it's difficult, especially due to reason 2.
In my understanding, "token" here work as an authenticated identity in the system, and provide bridge between authentication system and authorization system. But to understand this, you must understand overall system.
Let me provide few pointer with regard to authentication technique books and some papers here.
- Butler Lampson did many work related authentication, and some of the articles are very good material to understand authentication/authorization framework. that might be helpful. One of the example is Computer security in the real world(2004).
- Book written for Public Key Infrastructure(PKI) might be helpful. there are several of such. Such as Understanding PKI: Concepts, Standards, and Deployment Considerations, 2nd edition
Hope this helps.
Upvotes: 3
Related Questions
- Implementing JWT on Rails
- How to use the `authenticate_or_request_with_http_token` method
- How to authenticate an access token in rails?
- Generate Secure Token - Ruby on Rails
- Rails 4 Authenticity Token
- Token authentication
- Rails-api HTTP token authentication
- Implementing token authenticable with Rails and Devise
- Rails Full Authentication from scratch
- Rails secret token