
I am implementing a REST API for our mobile applications in which users will log in using the SDKs of various social media. Currently, the login strategy is as follows:

  • The token(s) (access_token in the case of Facebook, access_token and refresh_token in the case of Google+) generated by the SDK are sent to the login endpoint of the API server.
  • Upon verification of the token (using the respective endpoint of the social application), a JSON Web Token signed with a random string is generated and returned to the mobile application, which then persists it in a secure key-value store. This token will be sent in an Authorization header with any other requests.
  • The presence of the token means the user is logged in. When the user logs out (or the social media session expires), the token is deleted.

I have the following questions about this strategy:

  1. The token payload consists of the user id as well as an issue date. Currently, no expiry mechanism is implemented. Is this required in this case?
  2. Is this strategy secure? Can you see any shortcomings/loopholes in it?
  3. What strategy should be used to secure the login endpoint?
akashg

1 Answer


Token expiration may take place on the server side, causing the client to re-authenticate after x time.

If you're looking to do social logins, this method should be fine as long as you're transmitting the data over SSL and not saving credentials (U/P combos) on your systems. The login endpoint should be running on HTTPS (again, read: secure) and should be connecting to the 3rd-party endpoint securely.

If you're looking for a good (free) solution, Firebase.com (mostly a cloud relational database) has a great section for including 3rd-party authentication; it's my preferred system, but I also use their database a lot.

Cheers, HTH

Ajaxasaur
  • Most definitely. Have already implemented SSL, so it seems that I'm on the right track. Thanks! – akashg Apr 01 '15 at 05:39
  • Just out of curiosity, what could happen if the token was not expired at all? – akashg Apr 01 '15 at 05:40
  • @ZeMoon when was the last time you had to log into facebook/twitter/socialnetwork on your phone? – Ajaxasaur Apr 01 '15 at 15:59
  • Been a long time. It seems like the tokens do not expire (I know they do). – akashg Apr 01 '15 at 16:01
  • @ZeMoon They may, I don't know, but saved credentials could be why things just auto-login after expiration. Either way, if the token never expires, then, well, the token doesn't expire. – Ajaxasaur Apr 01 '15 at 16:10
  • Cool. Better to be safe than sorry and implement expiration. Thanks for the discussion. – akashg Apr 01 '15 at 16:12