Difference between #1 and #2 of
HOW TO: Use token based authentication

Revision #2 has been created by le_top on Jan 15, 2014, 1:53:42 PM with the memo:

Some updates regarding the presentation of the explication.


Tags: webservice, token, Authentication, CWebUser

Content changed

In my particular implementation, the token is an encrypted value which is related to a context. Each context has its own encryption key.
The context index is shown in clear, and the token is encrypted information.
The decrypted information is in JSON format.
That information has at least:

- t - time information, which allows limiting the token's validity in time;
- id - the user id

The way I make it work is:
- The client application gets a token from the server based on login credentials. This can be a third party server.
- The token provided by the server is encrypted JSON data with time information (t) and user id information (id). The time field (t) ensures that the token changes over time and that the web services can check its age.
- The advantage over the database approach is that no database is required (so no specific token management) and that a third party can generate the token (shared key).
This method also allows signing in to the application (front office) using a token encrypted by a third party.

in the code below converts the "remote_id" provided in the token to the local id. You may not need this conversion. In my application, I allow several online shops to log in to my platform (including new users), so user_id 10 may exist in every online shop while corresponding to a different user each time. The Yii application therefore creates a new local user id, and a database table links (context_id, remote_user_id) to (user_id). The 'getRemote' method returns the local user_id (and creates it if needed).

The timestamp is also checked.

The related CWebUser configuration fragment:

```php
/* enable cookie-based authentication */
'loginUrl' => array('access/login'),
//'loginRequiredAjaxResponse'=>'{"error":403,"message":"User not authenticated"}',
```
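As an added example (not the article's code and not a Yii API), the following stand-alone PHP shows the token shape the article describes: the context index in clear, followed by JSON with `t` and `id` encrypted under that context's key, with the age checked on the server side. The context ids, the keys, the 300-second lifetime and the choice of AES-256-GCM are assumptions; the (context_id, remote_user_id) to local user_id lookup done by `getRemote` is left out.

```php
<?php
declare(strict_types=1);

// Assumed token lifetime in seconds; the article only says the age is checked.
const TOKEN_MAX_AGE = 300;

// One 32-byte key per context (shop). Constructed for this example only;
// real keys come from configuration and are shared with that context's server.
$contextKeys = [
    'shop1' => hash('sha256', 'example-key-shop1', true),
    'shop2' => hash('sha256', 'example-key-shop2', true),
];

// Token layout: "<context_id>.<base64(iv . gcm_tag . ciphertext)>". The context
// index is in clear; {"t":...,"id":...} is encrypted and authenticated (AES-256-GCM).
function issueToken(string $contextId, int $remoteUserId, string $key, int $now): string
{
    $iv = random_bytes(12);                           // fresh nonce per token
    $json = json_encode(['t' => $now, 'id' => $remoteUserId]);
    $cipher = openssl_encrypt($json, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $contextId . '.' . base64_encode($iv . $tag . $cipher);
}

// Returns ['context' => ..., 'remote_id' => ...] or null when the token is
// malformed, from an unknown context, modified, or outside the allowed age.
function parseToken(string $token, array $contextKeys, int $now): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !isset($contextKeys[$parts[0]])) {
        return null;                                  // unknown context index
    }
    [$contextId, $blob] = $parts;
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;                                  // shorter than iv(12)+tag(16)
    }
    $json = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $contextKeys[$contextId],
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    $data = $json === false ? null : json_decode($json, true);
    if (!is_array($data) || !isset($data['t'], $data['id'])) {
        return null;                                  // wrong key, tampered, or bad JSON
    }
    // Age check: reject future-dated tokens as well as expired ones.
    if ($data['t'] > $now || $now - $data['t'] > TOKEN_MAX_AGE) {
        return null;
    }
    return ['context' => $contextId, 'remote_id' => (int) $data['id']];
}

$token = issueToken('shop1', 10, $contextKeys['shop1'], time());
var_dump(parseToken($token, $contextKeys, time()));         // accepted
var_dump(parseToken($token, $contextKeys, time() + 3600));  // rejected as too old
```

Within the lifetime window a token stays valid on every request, so keep TOKEN_MAX_AGE short and carry the token only over TLS.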
Version: 1.1
Category: How-tos
Written by: le_top
Last updated by: CeBe
Created on: Jan 14, 2014