 

Sharing REST tokens between servers

I have a requirement for a REST API that has token-based authentication: we will have replicated application servers with a load balancer. Since tokens are generated by one server when a user is authenticated, and different requests from the same client can be handled by different servers, is there a generic technique or technology to share those tokens between the different servers?

About technologies, we will be using the Java stack, more specifically Grails.

About the application servers, we might have more than one database. This comment is important because, discussing with colleagues, someone suggested managing the token sharing using the same database from all application servers. I'm looking for a solution that doesn't need a centralized database, one that lets us scale on the DB side.

Pablo Pazos asked Jul 24 '15 01:07



2 Answers

When using token based authentication, there's a server that authenticates the user and issues a security token. Authenticating the user can be done in many ways (verifying username/password against a database, verifying a certificate on a smart card etc).

Once the token is issued and signed by the authentication server, no database communication is required to verify the token. Any service that accepts the token will just validate the digital signature of the token.

The client (caller of your service) is responsible for sending the token along with the request. So no matter which server behind your load-balancers handles the incoming request, it only needs the public key associated with the signing key to verify whether the request is valid.

Which security protocol to choose depends on the requirements you have. OAuth is used often for internet applications. WS-Federation and SAML-P are used a lot in enterprise environments.

MvdD answered Sep 29 '22 18:09


As far as I see, JWT (JSON Web Token) is supported in Grails; it seems that this is what you're looking for. Basically you need to separate the authentication server as in this image. Authentication verifies the user/pass being sent and issues a token that is easily parseable without any further access to the DB. The only thing that needs to be shared is the key that will be used to decode the incoming JWT. See how it works.

Opal answered Sep 29 '22 18:09
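As an added example (not code from either answer, and not the Grails JWT plugin's own code), the following Python simulates what both answers describe: an authentication server mints a signed token, and any replica behind the load balancer verifies it with nothing but the shared key, consulting no database. It implements the HS256 (HMAC-SHA256) JWT layout that Opal's shared-key description corresponds to, with the stdlib only. MvdD's public-key variant (RS256/ES256) works the same way at the verification step, except that only the authentication server holds the signing key, so replicas can verify but not mint tokens; that is the safer choice when the replicas are less trusted than the authentication server. The secret, the user names, the fixed clock and the forged tokens are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. In a deployment every application server is
# provisioned with this same key (e.g. from a secrets manager); with a
# symmetric key any replica can also mint tokens, which is the trade-off
# against the public-key variant.
SHARED_SECRET = b"constructed-demo-secret-do-not-use"


def _b64url(data: bytes) -> str:
    """JWT base64url: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, ttl_seconds: int, now=None) -> str:
    """Authentication server: mint an HS256 JWT for an already-authenticated user."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(secret: bytes, token: str, now=None) -> dict:
    """Any application server: validate a token using only the shared key.

    Returns the claims on success; raises ValueError on any failure.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; never trust the header's 'alg'
    # (this rejects 'none' and algorithm-confusion attempts).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(
        secret, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def simulate() -> dict:
    """Issue one token, present it to two replicas and to forged variants.

    Returns a dict of outcomes keyed by scenario name.
    """
    now = 1_700_000_000  # constructed fixed clock so the run is reproducible
    token = issue_token(SHARED_SECRET, "alice", ttl_seconds=300, now=now)
    outcomes = {}
    # Two replicas behind the load balancer; each verifies independently.
    for name in ("app-server-1", "app-server-2"):
        outcomes[name] = verify_token(SHARED_SECRET, token, now=now + 10)["sub"]
    header_b64, claims_b64, sig_b64 = token.split(".")
    forged_claims = _b64url(
        json.dumps({"sub": "admin", "iat": now, "exp": now + 300}, separators=(",", ":")).encode()
    )
    bad_tokens = {
        "tampered-claims": f"{header_b64}.{forged_claims}.{sig_b64}",
        "alg-none": _b64url(b'{"alg":"none","typ":"JWT"}') + "." + claims_b64 + ".",
        "wrong-key": issue_token(b"attacker-guessed-key", "alice", 300, now=now),
    }
    for name, bad in bad_tokens.items():
        try:
            verify_token(SHARED_SECRET, bad, now=now + 10)
            outcomes[name] = "accepted"
        except ValueError as err:
            outcomes[name] = str(err)
    try:
        verify_token(SHARED_SECRET, token, now=now + 301)
        outcomes["expired"] = "accepted"
    except ValueError as err:
        outcomes["expired"] = str(err)
    return outcomes


if __name__ == "__main__":
    for scenario, result in simulate().items():
        print(f"{scenario:16} -> {result}")
```

Both replicas accept the genuine token and reject the tampered, algorithm-swapped, wrongly-keyed and expired ones without any shared state beyond the key. The caveat that comes with this statelessness: a token cannot be revoked server-side before its exp, so keep the TTL short and treat a revocation requirement as the point where some shared store (or the public-key variant plus short-lived tokens and a refresh flow) comes back into the design.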