1 vote

I'm building a REST API using Elixir's Phoenix framework. In the API, I need to authenticate the user by phone number, i.e., via sending an SMS OTP code. After authenticating the user, the Auth server sends the Access token and Refresh token to the client. The client (mobile app) stores those tokens locally and sends the Access token in the HTTP header as Authorization: Bearer <Access_Token> in every request to the resource server. My actual question is, how does the resource server validate the Access token that it receives from the mobile app/client?

Does the resource server need to contact the Auth server to validate the Access Token? That would be a lot of overhead. Please help me understand RESTful API authentication.

Thanks for taking the time to read my question.

2
Y'know, you don't need to use Bearer Tokens to secure a web-service. I'm personally not a fan of Bearer Tokens because you can only safely use them in a secure communications channel. Have you considered using signed requests instead? – Dai
Also, authentication schemes have little to do with REST, and vice versa. REST is a specific technical term with specific, narrow technical and theoretical definitions that are concerned with how application state is represented and managed over a given transport: you can use Bearer Tokens with non-REST web-services and you can use stateful authentication systems with otherwise stateless REST web-services. – Dai
I've not heard of signed requests so far; could you please tell me more about it, or a blog/link would really help. – user14142370
You can't get more canonical than the draft RFC for OAuth's signed requests feature: tools.ietf.org/html/draft-ietf-oauth-signed-http-request-03 - though the concept of signed requests dates back to at least the (now deprecated) HTTP Digest authentication scheme. Though I'm sure there are other schemes that use signed transactions for authentication that predate HTTP (a very good example would be the US EAM system, which demonstrates the necessity for a distributed and decentralised authentication system). – Dai
Historically, the same concept of signed messages that required an existing trust relationship goes back literally centuries, because that's how the banking systems of the world worked in medieval times. – Dai

2 Answers

0 votes

how does the resource server validate the Access token that it receives from the mobile app/client?

The same way a nightclub bouncer verifies your driving license as proof of age to let you in: by validating the authority and signatures. It does not need to phone up your DMV to verify that your license is real, because it trusts the signatures (in this case, cryptographic signatures).

That said, some systems do use "reference tokens": short strings (say 32 bytes) of meaningless random data, used as an unpredictable record identifier for a user-permissions record held by the authorization server. The resource server will need to contact the auth server initially, but it can then simply cache the auth result itself for some time window.
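The reference-token flow this answer describes, as an added example in Go (it is not code from the answer, nor from any Elixir library): the auth server hands out 32 random bytes and keeps the real record itself; the resource server asks the auth server once per token (a method call stands in for the HTTPS introspection request of RFC 7662) and caches a positive answer for a bounded window, never past the token's own expiry. All names here (authServer, resourceServer, authorize, the cache TTL) are assumptions of this example; only the design comes from the page. It also makes the cost of the cache visible: a revocation is not seen by the resource server until the cached entry ages out, so the cache TTL is the revocation lag you are accepting.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"sync"
	"time"
)

// ---- Auth server: issues opaque tokens and answers introspection queries ----

// tokenRecord is the server-side record the opaque token points at.
type tokenRecord struct{ sub string; expires time.Time; revoked bool }

type authServer struct {
	mu             sync.Mutex
	records        map[string]*tokenRecord // keyed by SHA-256(token), so a leaked table is not a pile of usable bearer tokens
	introspections int                     // counts the "network" calls so the effect of caching is observable
}

func newAuthServer() *authServer { return &authServer{records: map[string]*tokenRecord{}} }

func tokenKey(tok string) string { h := sha256.Sum256([]byte(tok)); return hex.EncodeToString(h[:]) }

// issue hands out 32 random bytes; the token carries no information, it is only a lookup handle.
func (a *authServer) issue(sub string, now time.Time, ttl time.Duration) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := base64.RawURLEncoding.EncodeToString(raw)
	a.mu.Lock()
	defer a.mu.Unlock()
	a.records[tokenKey(tok)] = &tokenRecord{sub: sub, expires: now.Add(ttl)}
	return tok, nil
}

func (a *authServer) revoke(tok string) {
	a.mu.Lock()
	defer a.mu.Unlock()
	if r, ok := a.records[tokenKey(tok)]; ok {
		r.revoked = true
	}
}

// introspection mirrors the shape of an RFC 7662 response (active, sub, exp).
type introspection struct{ active bool; sub string; exp time.Time }

// introspect stands in for the HTTPS round trip the resource server would otherwise make.
func (a *authServer) introspect(tok string, now time.Time) introspection {
	a.mu.Lock()
	defer a.mu.Unlock()
	a.introspections++
	r, ok := a.records[tokenKey(tok)]
	if !ok || r.revoked || !now.Before(r.expires) {
		return introspection{} // active=false and nothing else, whether unknown, revoked or expired
	}
	return introspection{active: true, sub: r.sub, exp: r.expires}
}

// ---- Resource server: introspects on a cache miss, then trusts the answer for a bounded window ----

type cacheEntry struct{ result introspection; until time.Time }

type resourceServer struct {
	mu       sync.Mutex
	auth     *authServer
	cacheTTL time.Duration // also the longest a revocation can go unnoticed here
	cache    map[string]cacheEntry
}

func newResourceServer(auth *authServer, cacheTTL time.Duration) *resourceServer {
	return &resourceServer{auth: auth, cacheTTL: cacheTTL, cache: map[string]cacheEntry{}}
}

// authorize returns the subject the token belongs to, or an error the handler turns into a 401.
func (r *resourceServer) authorize(tok string, now time.Time) (string, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	k := tokenKey(tok)
	if e, ok := r.cache[k]; ok && now.Before(e.until) {
		return e.result.sub, nil // served from cache: no call to the auth server
	}
	res := r.auth.introspect(tok, now)
	if !res.active {
		delete(r.cache, k) // a negative answer evicts any stale entry and is itself never cached
		return "", errors.New("token inactive")
	}
	until := now.Add(r.cacheTTL)
	if res.exp.Before(until) {
		until = res.exp // never trust a cached answer past the token's own expiry
	}
	r.cache[k] = cacheEntry{result: res, until: until}
	return res.sub, nil
}
```

Pick the cache window from the revocation lag you can tolerate, not from performance alone: with a five-minute window a user whose token was revoked keeps access to this resource server for up to five minutes. If that is unacceptable, shorten the window or have the auth server push revocations.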

0 votes

It sounds like you have everything working up to validating the token. You are going to need the public key of the server that signed the token. How you get that depends on which auth server you're working with. In some cases you may be able to preload this key as a configuration setting on your backend. Otherwise you can probably get it via an HTTPS request to the auth server; most auth servers these days, I expect, provide a JWKS API that you can use to get the keys you need. Then, with the token and the public key, you can use your Elixir JWT library to validate that the token you have was signed by the server you trust, meaning the SMS code was validated, and you can proceed with whatever is needed in the backend to handle the request.

If you're using Joken for Elixir, you can review https://hexdocs.pm/joken_jwks/introduction.html and https://hexdocs.pm/joken/introduction.html for more information.
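What this answer describes, the resource server obtaining the signing public key as a JWKS and checking the token's signature locally, as an added worked example. It is written in Go rather than Elixir so that it runs on the standard library alone; it is not the Joken code, and Joken/JokenJwks perform these same steps for you in Phoenix. The names authServer, verifyJWT, the issuer https://auth.example, the audience api.example and the key id kid-1 are assumptions of this example. The auth server side signs with ES256 and publishes only the public key; the resource server pins the algorithm, selects the key by kid, verifies the signature before it reads a single claim, and only then checks iss, aud and exp.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// claims holds the registered claims we check; json.Unmarshal matches the lowercase wire names case-insensitively.
type claims struct{ Iss, Sub, Aud string; Iat, Exp int64 }
// jwk is one JWKS entry (RFC 7517: kty, crv, kid, alg, x, y on the wire).
type jwk struct{ Kty, Crv, Kid, Alg, X, Y string }
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// pad32 renders a P-256 coordinate or signature half as exactly 32 big-endian bytes.
func pad32(n *big.Int) []byte { out := make([]byte, 32); n.FillBytes(out); return out }

// ---- Auth server (assumed name): holds the private key, issues tokens, publishes the JWKS ----
type authServer struct{ iss, kid string; priv *ecdsa.PrivateKey }

func newAuthServer(iss, kid string) (*authServer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &authServer{iss: iss, kid: kid, priv: priv}, nil
}

// jwks is what would be served at /.well-known/jwks.json: the public key only, never the private one.
func (a *authServer) jwks() []jwk {
	pub := a.priv.PublicKey
	return []jwk{{Kty: "EC", Crv: "P-256", Kid: a.kid, Alg: "ES256", X: b64(pad32(pub.X)), Y: b64(pad32(pub.Y))}}
}

// issue signs header.payload with ES256; the JWS signature is r||s, 32 bytes each.
func (a *authServer) issue(sub, aud string, now time.Time, ttl time.Duration) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": a.kid})
	body, _ := json.Marshal(map[string]any{"iss": a.iss, "sub": sub, "aud": aud, "iat": now.Unix(), "exp": now.Add(ttl).Unix()})
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, a.priv, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(append(pad32(r), pad32(s)...)), nil
}

// ---- Resource server: verifies against the cached JWKS, never calls the auth server ----
func verifyJWT(token string, keys []jwk, wantIss, wantAud string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, errH := base64.RawURLEncoding.DecodeString(parts[0])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	if errH != nil || errS != nil || json.Unmarshal(hdrBytes, &hdr) != nil || len(sig) != 64 {
		return nil, errors.New("malformed header or signature")
	}
	// Pin the algorithm server-side; the token must never choose it ("none", HS256 key confusion).
	if hdr.Alg != "ES256" {
		return nil, errors.New("unexpected alg " + hdr.Alg)
	}
	var pub *ecdsa.PublicKey
	for _, k := range keys {
		x, errX := base64.RawURLEncoding.DecodeString(k.X)
		y, errY := base64.RawURLEncoding.DecodeString(k.Y)
		if k.Kid == hdr.Kid && k.Kty == "EC" && k.Crv == "P-256" && errX == nil && errY == nil {
			pub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
		}
	}
	if pub == nil {
		return nil, errors.New("no usable key for kid " + hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	// Only a payload whose signature checked out is worth parsing.
	var c claims
	if payload, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("malformed payload")
	}
	if c.Iss != wantIss || c.Aud != wantAud {
		return nil, errors.New("token not issued by our auth server for this API")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}
```

Fetch the JWKS over HTTPS once at startup and cache it, refreshing it when a token arrives with a kid you do not have so that key rotation keeps working; verification itself never contacts the auth server, which is the answer to the overhead worry in the question. A JWT verified this way cannot be revoked before exp, so keep access tokens short-lived and let the refresh token carry the longer session.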