Login Tokens
Ariana.luna (Talk | contribs) (→connection_id) |
Ariana.luna (Talk | contribs) (→user_token) |
||
| Line 39: | Line 39: | ||
APIs: | APIs: | ||
* The [[PUT login/users/:user_id/token]] API updates a user's token. | * The [[PUT login/users/:user_id/token]] API updates a user's token. | ||
| − | * Given a user_token, it | + | * Given a user_token, it is possible to log in a user on a Social Login session (generating a new connection_id) using the [[socialid.login.loginUserToken]] JavaScript API. |
== Security == | == Security == | ||
Revision as of 11:21, 6 November 2014
Contents |
Tokens
login_token
It is the token generated each time a visitor performs a social login.
The token is returned on the socialid.events.onLoginSuccess event or sent as a parameter to the callback url configured on the Social Login application.
Characteristics:
- Updates: every time the user logs in.
- Validity: expires in 1 hour.
APIs:
- It is used to authenticate the GET login/info API call.
connection_id
It is an identifier generated for each visitors' active connection. It represents the Social Login session for the current visitor.
The Social Login widgets automatically identifies users logged in, given the connection_id saved on a cookie on the visitor's browser.
Characteristics:
- Updates: every time the user logs in or using an API call.
- Validity: expires in 15 days.
APIs:
- It is possible to generate a new connection_id given a user id using the POST login/apps/:app_id/sign_ins REST API.
- Given a connection_id, it is possible to log in a user on a Social Login session using the socialid.login.loginConnection JavaScript API.
- To log off a user from a Social Login session, use the socialid.login.logout JavaScript API or the DELETE login/connections/:id REST API.
user_token
It is a token used in a few JavaScript APIs to identify the user in a secure way.
Characteristics:
- Updates: every time the user logs in or via API.
- Validity: never expires.
APIs:
- The PUT login/users/:user_id/token API updates a user's token.
- Given a user_token, it is possible to log in a user on a Social Login session (generating a new connection_id) using the socialid.login.loginUserToken JavaScript API.
Security
The REST APIs use the HTTP Basic protocol for authentication. See the Authentication documentation.
The JavaScript APIs use the session of the user currently logged in Social Login or identifiers like connection_id and user_token as authentication parameters.
JavaScript APIs required a bigger effort to ensure security because they are used on the visitor's browser (i.e. it's not possible to guarantee JavaScript code validity) and in unpredictable conditions (i.e. in public, non-encripted Wi-Fi networks). As with any browser session, JavaScript APIs may be subject to Session Hijacking or Man-in-the-middle, among others.
To minimize security risks, we show below a list of good practices. Developers using our APIs need to be aware that the indiscriminate use of connection_id and user_token identifiers may increase those risks.
Good Practices
- Log off the user from Social Login every time he logs off your application. Use the socialid.login.logout JavaScript API or the DELETE login/connections/:id REST API.
- Update user_token periodically using the PUT login/users/:user_id/token REST API. As the user_token doesn't expires and may be used on critical JavaScript APIs (e.g. to log in or move users), it's advisable to update this token periodically to avoid Session Hijacking.
- Use secure connections (HTTPS) on your website to avoid tokens to be intercepted by attackers on unprotected networks. See Man-in-the-middle attack.
- Avoid storing any token in cookies. If you must do it, use the "secure" attribute on the cookie.
- Use RESTful APIs only on backend, never via JavaScript (frontend). The API ID and Secret that are used as Authentication must not be exposed on users's browsers.
- Use extra authentication (e.g. login / password authentication) in critical operations on your website (financial operations, credit card data management, etc).
