API authentication with tokens


In this article I’m going to show you a few common patterns for client authentication based on tokens, and how they can be implemented in a Python API back end. This method of authentication works well for rich clients, like JavaScript-based front end applications running in the browser, or perhaps a command-line (CLI) application. By Miguel Grinberg.

In terms of their composition, there are two large groups or categories of tokens that I’m going to discuss in this article. Depending on the needs of your application you will have to choose which type of token works best. To be honest, I do not know if there are formal names for these, so I’m going to name them myself. The two groups are random tokens and signed tokens.

The article is split into the following sections:

  • Types of tokens
  • Random tokens
  • Signed tokens
  • How does the client get the token?
    • Copy/Paste method
    • Auth endpoint method
  • Authenticating API endpoints
  • Token revocation

An important security consideration when working with token authentication is making it easy to revoke tokens. This is not only important to control a leak, but also as a “logout” mechanism that clients can use to disable a token once they don’t need it anymore, ensuring that even if this discarded token is leaked it won’t be of use. Good read!

