absmach / magistrala

Industrial IoT Messaging and Device Management Platform
https://www.abstractmachines.fr/magistrala.html
Apache License 2.0

Feature: Make JWT tokens stateful even for Users / Apps - add this as a selectable option #2081

Open drasko opened 8 months ago

drasko commented 8 months ago

Is your feature request related to a problem? Please describe.

Current JWTs are stateless (which makes sense in many applications for the sake of efficiency and the philosophy behind JWTs), but it would be good to have a stateful option as well.

Describe the feature you are requesting, as well as the possible use case(s) for it.

For some applications it is important that the session is controlled and can be stopped, and that tokens can be revoked.

Indicate the importance of this feature to you.

Must-have

Anything else?

No response

rodneyosodo commented 6 months ago

There are two main methods to handle user authentication, that is, session-based authentication and token-based authentication.

Session-based authentication

Session-based authentication relies on a server-side mechanism that creates and stores a unique identifier for each user session. When a user logs in, the server generates a session ID and sends it to the client as a cookie. The client then sends the cookie back with every request, and the server validates it against its session store.

Token-based authentication

Token-based authentication relies on a client-side mechanism that uses self-contained tokens to store and transmit user information. When a user logs in, the server generates a token that contains the user's identity, claims, and expiration time, and signs it with a secret key. The server then sends the token to the client, which can store it locally or in memory. The client then sends the token with every request, and the server verifies it by checking its signature and validity. This way, the server does not need to maintain a session store or state.

Differences

| Key | Session | Tokens |
| --- | --- | --- |
| Storage | on the server | on the client |
| State | stateful | stateless |
| Expiry | handled by server | handled by token itself |
| Flexibility | more flexible | |

Using JWT For Sessions

While JWTs are commonly used for token-based authentication, they might not be suitable for session-based authentication due to security concerns. This article provides detailed insights into this matter.

Session Infrastructure


CREATE TABLE sessions (
    id uuid NOT NULL,
    issued_at timestamp DEFAULT CURRENT_TIMESTAMP NOT NULL,
    expires_at timestamp NOT NULL,
    authenticated_at timestamp NOT NULL,
    identity_id uuid NOT NULL,
    created_at timestamp NOT NULL,
    updated_at timestamp NOT NULL,
    access_token varchar NOT NULL,
    refresh_token varchar NOT NULL,
    active bool DEFAULT false NULL,
    device_metadata JSONB NULL,
    CONSTRAINT sessions_pkey PRIMARY KEY (id)
);

NOTE

Proposed Approach

Change Magistrala to use session-based authentication. Magistrala issues a session token which will be used to authenticate into the system.
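The following is an added example, not Magistrala's own auth code, of the "stateful JWT" option the issue asks for: a compact HS256 JWT whose `jti` claim names a server-side session record, so every request is checked against both the signature and the session state, and a session can be revoked before the token's `exp`. The in-memory `session` type is a hypothetical stand-in for the `sessions` table above, reduced to the fields the check needs; the names `Store`, `Issue`, `Validate` and `Revoke` are this example's, and it uses only the Go standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"sync"
	"time"
)

// Claims is the JWT payload; Jti names the server-side session looked up on
// every request, which is what makes the token stateful.
type Claims struct {
	Sub string `json:"sub"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
}

// session is a hypothetical in-memory stand-in for one row of the sessions table.
type session struct {
	identityID string
	expiresAt  time.Time
	active     bool
}

// Store signs tokens and owns the session state (constructed for this example).
type Store struct {
	mu       sync.Mutex
	key      []byte
	sessions map[string]*session
}

var ErrInvalid = errors.New("invalid, expired or revoked token")

func NewStore(key []byte) *Store {
	return &Store{key: key, sessions: map[string]*session{}}
}

func enc(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func (s *Store) mac(input string) []byte {
	h := hmac.New(sha256.New, s.key)
	h.Write([]byte(input))
	return h.Sum(nil)
}

// Issue records a new active session and returns a compact HS256 JWT bound to it.
func (s *Store) Issue(identityID string, ttl time.Duration) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	jti, exp := enc(raw), time.Now().Add(ttl)
	payload, _ := json.Marshal(Claims{Sub: identityID, Jti: jti, Exp: exp.Unix()})
	s.mu.Lock()
	s.sessions[jti] = &session{identityID: identityID, expiresAt: exp, active: true}
	s.mu.Unlock()
	input := enc([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc(payload)
	return input + "." + enc(s.mac(input)), nil
}

// Validate does the stateless check (signature, claims) and then the stateful one:
// the session must exist, be active, belong to the subject and be within its
// server-side expiry, so a correctly signed token fails once its session is revoked.
func (s *Store) Validate(token string) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, ErrInvalid
	}
	sig, errSig := base64.RawURLEncoding.DecodeString(parts[2])
	payload, errPay := base64.RawURLEncoding.DecodeString(parts[1])
	if errSig != nil || errPay != nil || !hmac.Equal(sig, s.mac(parts[0]+"."+parts[1])) ||
		json.Unmarshal(payload, &c) != nil {
		return Claims{}, ErrInvalid
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[c.Jti]
	if !ok || !sess.active || sess.identityID != c.Sub || !time.Now().Before(sess.expiresAt) {
		return Claims{}, ErrInvalid
	}
	return c, nil
}

// Revoke ends the session named by jti (logout or forced termination); the
// token's signature stays valid, but Validate rejects it from now on.
func (s *Store) Revoke(jti string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	if sess, ok := s.sessions[jti]; ok && sess.active {
		sess.active = false
		return true
	}
	return false
}
```

Making this a selectable option, as the issue proposes, would mean keeping `Validate` as the stateful path and offering a variant that stops after the signature and `exp` checks; the trade-off is exactly the one in the table above, a store lookup on every request in exchange for server-controlled expiry and revocation. Backing `sessions` with the SQL table instead of a map does not change the checks, only where the row comes from.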