Shulou (shulou.com), SLTechnology News & Howtos > Network Security, report of 05/31, updated 2025-02-25
Today we look at how to balance token security against user experience, a topic that is often poorly understood. The editor has summarized the key points below; I hope you take something away from this article.
Let's start with a pair of related concepts: the Access Token and the Refresh Token.
As a credential the user presents to obtain protected resources, a token must have an expiration time; otherwise a single login could be used forever and authentication would lose its meaning. But there is a tension here: if the expiration time is too long, the security of user data is greatly reduced, because a leaked token stays valid for just as long; if it is too short, users have to log in again at frequent intervals to obtain new credentials, which wears down their patience. The Access / Refresh Token split exists to resolve this tension between token security and user experience.
What is Access / Refresh Token?
Figure 1
The figure above shows how the Access Token and Refresh Token move between the client, the authentication server and the resource server. In short:
The Access Token is the credential the client presents to the resource server to obtain resources.
The Refresh Token is the credential the client presents to the authentication server to obtain a new Access Token.
How to use Access / Refresh Token?
Figure 2
The figure above shows how the Access Token and Refresh Token are used together when the client requests a resource:
1. The user provides identity information (usually a username and password), and the client exchanges it at the authentication server for a Refresh Token and an Access Token.
2. The client presents the Access Token to the resource server; the resource server validates the Access Token and returns the resource.
3. When the Access Token expires or is otherwise invalidated, the client's next request to the resource server is rejected with an "invalid token" error.
4. The client presents the Refresh Token to the authentication server, which returns a new Access Token.
A real-life metaphor for the use of Access/Refresh Tokens:
Suppose I have booked a hotel online. To check in, I must show my identity document and my booking. The front desk registers my identity and booking details and, after confirming them, hands me a ticket and a room card: the ticket records how many days I am staying, while the room card gives me the right to enter the room that day. In this scenario, "identity document and booking" are my username and password, "ticket / room card" are the Refresh / Access Token, the "front desk" is the authentication server, and the "room" is the resource server.
During the whole stay, the "identity document and booking" are used only once, at the front desk. What actually opens the room is the "room card", but the card is valid for one day only; once it expires, I use the "ticket" at the front desk to renew the "room card" and regain the right to stay the next day. Splitting the token in two resolves the tension between security and user experience:
The Access Token is used frequently, is directly tied to user data and is therefore security-sensitive, so its validity period is kept short; even if an Access Token leaks, it expires quickly. The short lifetime also means that a user's access rights are updated promptly: for example, once an administrator reduces an employee's access to company data, the new Access Token obtained after the old one expires immediately carries the reduced rights.
The Refresh Token, by contrast, is used only to obtain new Access Tokens. It is used far less often, is never presented to the resource server and so is not directly associated with user data, and its expiration time can safely be set longer. This is what spares users from logging in repeatedly.
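The following is an added example, not code from the original article or from any product it mentions. It plays through steps 1 to 4 above in a single process: an authentication server issues a short-lived Access Token and a long-lived Refresh Token, a resource server accepts only the Access Token, the Refresh Token is exchanged for a fresh Access Token, a rights reduction takes effect at the next refresh, and an administrator ends the session by deleting it from the server-side session store so that the Refresh Token can no longer be exchanged. Tokens are HMAC-SHA256-signed JSON as a stand-in for JWT; the signing key, the user record "alice", the scopes, the lifetimes and the fixed clock values are all constructed for the demo.

```python
# Added example (not from the original article): minimal Access/Refresh Token
# issuer, resource server and admin session store, kept in-process so it runs
# offline. Tokens are HMAC-SHA256 signed JSON (a stand-in for JWT); the key,
# the user record and the timestamps are constructed for the demo.
import base64
import hashlib
import hmac
import json
import secrets

ACCESS_TTL = 5 * 60            # short: a leaked access token dies quickly
REFRESH_TTL = 30 * 24 * 3600   # long: avoids repeated logins


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Return '<base64 claims>.<base64 HMAC over the claims>'."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{mac}"


def verify_token(token: str, key: bytes, now: int):
    """Return the claims if the signature and expiry check out, else None."""
    try:
        body, mac = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(mac, expected):
        return None  # tampered or forged
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims


class AuthServer:
    """Issues both tokens; the only party that ever sees a refresh token."""

    def __init__(self, key: bytes):
        self.key = key
        # Constructed user record; a real store keeps a password hash, not plaintext.
        self.users = {"alice": {"password": "correct horse", "scopes": {"read", "write"}}}
        self.sessions = {}  # session id -> user; deleting an entry ends the session

    def login(self, username: str, password: str, now: int):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        refresh = sign_token({"typ": "refresh", "sub": username, "sid": sid,
                              "exp": now + REFRESH_TTL}, self.key)
        return {"access_token": self._issue_access(username, now), "refresh_token": refresh}

    def _issue_access(self, username: str, now: int) -> str:
        # Scopes are read at issue time, so a rights change takes effect at the next refresh.
        scopes = sorted(self.users[username]["scopes"])
        return sign_token({"typ": "access", "sub": username, "scope": scopes,
                           "exp": now + ACCESS_TTL}, self.key)

    def refresh(self, refresh_token: str, now: int):
        claims = verify_token(refresh_token, self.key, now)
        if claims is None or claims.get("typ") != "refresh":
            return None
        if self.sessions.get(claims["sid"]) != claims["sub"]:
            return None  # session ended by an administrator, or never existed
        return self._issue_access(claims["sub"], now)

    def set_scopes(self, username: str, scopes: set):
        self.users[username]["scopes"] = set(scopes)

    def end_session(self, sid: str):
        self.sessions.pop(sid, None)


class ResourceServer:
    """Accepts access tokens only; a refresh token presented here is rejected."""

    def __init__(self, key: bytes):
        self.key = key

    def get(self, token: str, now: int, need: str = "read"):
        claims = verify_token(token, self.key, now)
        if claims is None or claims.get("typ") != "access":
            return 401, "invalid token"
        if need not in claims["scope"]:
            return 403, "insufficient scope"
        return 200, f"resource for {claims['sub']}"


def run_scenario() -> dict:
    """Steps 1-4 from the article, then a rights reduction and an admin ending the session."""
    key = b"constructed-demo-key-do-not-reuse"
    auth, rs = AuthServer(key), ResourceServer(key)
    t0 = 1_700_000_000  # fixed clock so the run is deterministic
    out = {}
    tokens = auth.login("alice", "correct horse", t0)                       # step 1
    out["step2"] = rs.get(tokens["access_token"], t0 + 10)[0]               # 200
    out["step3"] = rs.get(tokens["access_token"], t0 + ACCESS_TTL)[0]       # 401: expired
    out["refresh_at_rs"] = rs.get(tokens["refresh_token"], t0 + 10)[0]      # 401: wrong type
    access2 = auth.refresh(tokens["refresh_token"], t0 + ACCESS_TTL)        # step 4
    out["step4"] = rs.get(access2, t0 + ACCESS_TTL + 1)[0]                  # 200
    auth.set_scopes("alice", {"read"})                                       # admin reduces rights
    out["write_old"] = rs.get(access2, t0 + ACCESS_TTL + 2, "write")[0]     # 200 until it expires
    access3 = auth.refresh(tokens["refresh_token"], t0 + 2 * ACCESS_TTL)
    out["write_new"] = rs.get(access3, t0 + 2 * ACCESS_TTL + 1, "write")[0]  # 403
    forged = access3[:-1] + ("A" if access3[-1] != "A" else "B")            # flip the MAC
    out["forged"] = rs.get(forged, t0 + 2 * ACCESS_TTL + 1)[0]              # 401
    sid = verify_token(tokens["refresh_token"], key, t0)["sid"]
    auth.end_session(sid)                                                    # admin ends session
    out["after_end"] = auth.refresh(tokens["refresh_token"], t0 + 2 * ACCESS_TTL + 2)  # None
    return out


if __name__ == "__main__":
    print(run_scenario())
```

Two details are worth noting. The `typ` claim and the check in `ResourceServer.get` keep the long-lived Refresh Token from ever being accepted as an access credential, which is what makes its longer lifetime acceptable. And ending a session only stops further refreshes: an Access Token already issued keeps working until its own short expiry, which is exactly why the access lifetime has to be short.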
Managing user sessions
From the system administrator's point of view, the natural next step is to manage user session behavior. In general, sessions are managed by setting the token expiration time, defining what happens when a session ends, and ending a user's session manually. Building on the token standard, Yufu IDaaS offers administrators customizable session management to improve the operations experience, so that administrators genuinely have the ability to manage the tokens the system has issued, such as session expiration time settings (figure 3), end-session behavior settings (figure 4) and manually ending a user session (figure 5):
Figure 3: session expiration time settings
Figure 4: end-session behavior settings
Figure 5: manually ending a user session
To sum up, using the Access Token and Refresh Token together lets us balance token lifetime (security) against user experience, and the properties of the Refresh Token give IT system administrators real control over the tokens the system has issued, including ending an individual user's session on demand. IDaaS (Identity as a Service) is a cloud platform for identity authentication management that provides a range of standardized functions, such as single sign-on, intelligent multi-factor authentication and account lifecycle management, to help users achieve efficient and secure identity management.
After reading the above, do you have a clearer picture of how to balance token security and user experience? If you want to know more, please follow the industry information channel. Thank you for your support.