API
HeyAway, 2018-02-10 14:59:03

How to sign a token in a REST API?

Hello! I had quite a bit of experience in matters related to authentication, authorization, registration, signatures and tokens. There is a lot of information about this, but it already makes my head spin, so much so that I am hopelessly confused. Anyway, here is the thing:
Is this scheme correct?
1) The user sends a GET request, for example, to /api/user/auth with his login and password
2) /api/user/auth checks the login/password pair and returns data like: access_token, refresh_token, sign
3) The user remembers the data and is going to work with the /api/news method, sending access_token and sign in the header
4) The server checks the access_token (for a match and whether it has expired). Verifies the signature. If all is well - success.
So, please share your experience of how to build a signature. What data should be put into it to determine that right now the right user is working with the API? In the first step, should I add sending a secret, which will be set by the user? Or is there no need for a signature at all?
Some details:
There is an application, and there is a web version. Users are only admins, moderators and, well, read-only users.
The application only receives information (read only). That is, for example, it calls the /api/news method and the like.
With one caveat: to connect push notifications, the application needs to send data. Simply put, there is only one method to which the application sends data.
In the web version, it is possible to create a user (administrator, moderator, read-only), log in as him and manage content.
So, dear users of Toster, help me sort out the mess in my head. Thank you.
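An added illustration of steps 2 to 4 of the scheme above (example code written for this page, not from the question or any answer): the server issues an access_token together with a per-token secret, the client signs each request over method, path, timestamp and body with HMAC-SHA256, and the server checks token expiry, timestamp freshness and the signature. The in-memory token store, the TTL and the allowed clock skew are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory token store: access_token -> (user, per-token secret, expiry).
# A real deployment would keep this in a database; this is only an illustration.
TOKENS = {}
TOKEN_TTL = 3600   # assumed access_token lifetime in seconds
MAX_SKEW = 300     # assumed maximum age of a request timestamp (limits replay)


def issue_token(user, now=None):
    """Step 2: after the login/password check, hand out access_token plus a signing secret."""
    now = now if now is not None else time.time()
    access_token = secrets.token_urlsafe(32)
    secret = secrets.token_urlsafe(32)   # sent once over TLS, then never transmitted again
    TOKENS[access_token] = (user, secret, now + TOKEN_TTL)
    return access_token, secret


def canonical(method, path, timestamp, body):
    # Everything the signature covers; changing any field invalidates the signature.
    return f"{method}\n{path}\n{timestamp}\n{body}".encode()


def sign_request(secret, method, path, timestamp, body=""):
    """Step 3: the client computes sign = HMAC-SHA256(secret, canonical request)."""
    return hmac.new(secret.encode(), canonical(method, path, timestamp, body),
                    hashlib.sha256).hexdigest()


def verify_request(access_token, sign, method, path, timestamp, body="", now=None):
    """Step 4: the server checks the token, its expiry, timestamp freshness and the signature."""
    now = now if now is not None else time.time()
    entry = TOKENS.get(access_token)
    if entry is None:
        return False, "unknown token"
    user, secret, expires = entry
    if now >= expires:
        return False, "token expired"
    if abs(now - int(timestamp)) > MAX_SKEW:
        return False, "stale timestamp"
    expected = sign_request(secret, method, path, timestamp, body)
    if not hmac.compare_digest(expected, sign):   # constant-time comparison
        return False, "bad signature"
    return True, user
```

The secret never travels with the request; only the access_token and the sign header do, so a captured request cannot be reused after MAX_SKEW or altered without breaking the signature.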

xmoonlight, 2018-02-10

Scene 1:
Client: "Server, I want to log in"
Server: "Really?! Now we will run you through our DNSBL and SpamBL databases... Well, it seems to be fine. Here, catch the TEMPORARY PUBLIC KEY, and I'll wait 5 seconds for your login and password, signed with my temporary key! The clock is ticking!"
If, within the time allotted for the public key, the client managed to correctly enter the login and password on the client side, hash them, sign them with the server's key and send them to the server, the user is considered authorized.
