
I am currently following the instructions for getting an access token on behalf of a Twilio user described here


The part that is confusing me is where it seems to generate an access token and then proxy it back to the client. I guess the idea is that the access token is being made for the user on behalf of the application, but that seems off to me. Is this a correct way to handle getting an access token to the browser? Are there limits to when you can pass back access tokens (besides SSL)? Shouldn't it be using a refresh token?

For an example of how this works in practice, see this example...

    // Twilio's Node SDK exposes AccessToken under twilio.jwt; the server reads the
    // API key and secret from the environment and never sends them to the browser.
    const express = require('express');
    const AccessToken = require('twilio').jwt.AccessToken;
    const app = express();

    const token = new AccessToken(
      process.env.TWILIO_ACCOUNT_SID,
      process.env.TWILIO_API_KEY,
      process.env.TWILIO_API_SECRET
    );
    ...
    // The elided tokenGenerator builds the room-scoped token; this route only
    // hands the finished token to the browser, which presents it to Twilio.
    app.get('/', function(request, response) {
      const identity = request.query.identity || 'identity';
      const room = request.query.room;
      response.send(tokenGenerator(identity, room));
    });

https://github.com/TwilioDevEd/video-access-token-server-node/blob/master/index.js

Jackie

1 Answer


Yes, this is acceptable. The client needs to access some resource (in this case, a video chat room). Your server verifies that the client has the appropriate permissions, and if so, it hands back a limited token that grants access to a specific resource. If the client is not authorized, it refuses. The client cannot access the resource without passing an authorization check.

This is effectively no different than issuing any other token credential, say, to your own API. A refresh token is not needed here because the lifetime of the original token is intentionally limited (video meetings are usually relatively short) and if more access is needed, the client can make another request to get another token, at which point its permission to access will be checked again. Effectively, your session management is acting as the overarching access control here, and the Twilio token allows access to a specific portion of whatever the user could normally access.

It is absolutely required that you use TLS in this case, including for the authentication stage. Otherwise, an attacker can replay previously seen login credentials and steal tokens. TLS is always required for security when passing bearer credentials.

bk2204