Thursday, 21 April, 2016 UTC


Summary

In this modern era, software often uses token-based authentication so that parts of the software can run as isolated, stateless processes.
Although this is a great practice and allows for highly scalable software, it increases the complexity for us front-end developers, because we now also have to understand the nitty-gritty of token-based authentication.
In this article I share with you a powerful metaphor I use to easily remember how token-based authentication works.
The goal of this article is NOT to discuss technical implementation details of token-based authentication such as JWT.

The goal of this article is to make you understand the underlying concepts of token-based authentication in such a way that you can easily remember them and reason about them with non-technical people (e.g. your management) when needed.
The metaphor
Consider the following metaphor:
  • think of your application as a hotel
  • think of your authentication service as the hotel reception
  • think of your application resources as hotel rooms
  • think of an access token as a hotel key card
  • think of credentials as your passport
Now carefully read the next few paragraphs, allowing your brain to map the authentication concepts to a very simple story.
In just a few minutes, you will never forget the mechanics of token-based authentication again for the rest of your life!
So let's get started!
Imagine that you arrive as a guest at the hotel. You can freely enter the public parts of the hotel, if there are any, such as the entrance hall and public bathroom.
However, to access restricted resources such as your room and the fitness area, you need a personal key card.
So you head over to the reception and show your passport. The receptionist checks your credentials and provides you with a key card.
Using your key card, you can now enter your room and the fitness area.
Your key card === you
As far as the hotel is concerned, whenever your key card is used, it will assume that you are the one holding it.
If you give your key card to someone else, the door lock will think it is you who requests access and thus grant access.
Do not take this lightly. Do not share your key card and make sure you don't lose it.
Your key card may expire
The receptionist has configured your key card to expire automatically.
After a predetermined period of time your key card is no longer valid and you are no longer able to access your room and the fitness area.
So even if you keep the key card in your pocket and come back to the hotel at a later time, it will no longer provide access to restricted resources.
Big consequences when you lose your key card
When you lose your key card, someone else who finds it can enter your room.
The finder would have to know which room to access, but if he or she does, your room's door lock will think it is you and provide access to the finder.
Luckily, some hotels have door locks equipped with a mechanism that verifies whether or not a key card has been invalidated before access is granted.
Such a mechanism works roughly like this:
  • when you lose your key card, you notify the receptionist
  • the receptionist deactivates the lost key card
  • the door locks are made aware of the deactivated key card and deny further access
If a door lock is not aware that your key card was deactivated, it will think all is okay and grant access.
Even though hotel security is much tighter with locks that have a mechanism to handle invalidated key cards, the finder is still able to access your room from the moment you lose your key card until the moment the door lock learns that the key card has been deactivated.
Different types of key cards
A hotel may carry different types of key cards.
For example: you may have a key card that only allows access to your own room and the fitness area. In contrast, the cleaning crew may have a key card that allows access to all rooms.
Your key card is digitally signed
To make sure key cards cannot be tampered with, all key cards contain a digital signature.
As soon as you try to use a corrupted key card, the hotel is able to detect that it has been tampered with and deny access.
Back to token-based authentication
If you have visited a hotel before, the scenarios we just described probably sound really familiar.
Now think of the exact same scenarios but:
  • think of the hotel as your application
  • think of the hotel reception as your authentication service
  • think of the hotel rooms as your application resources
  • think of your hotel key card as your access token
  • think of your passport as your credentials
Now you know exactly what token-based authentication is all about.
Whenever you think of an access token in a token-based authentication scenario, think of a hotel key card and visiting a hotel.
Although actual implementations of token-based authentication systems may vary, keeping this metaphor in mind will make sure you never forget the underlying mechanics again.
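To tie the hotel scenarios above (expiry, lost-card revocation, card types, signatures) back to code, here is an added Python example that is not part of the original article: the reception issues a signed, expiring key card carrying a list of scopes, and a door lock checks signature, expiry, revocation and scope before opening. The secret, the scope names and the claim layout are constructed for this illustration and are not a real token format such as JWT.

```python
import base64, hashlib, hmac, json

SECRET = b"reception-signing-key"   # constructed: only the reception (auth service) knows it
REVOKED = set()                     # ids of deactivated key cards, shared with every door lock

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(body: str) -> str:
    # the digital signature on the card: anyone can read the card, only the reception can seal it
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def issue_token(guest: str, scopes: list, ttl: int, now: int) -> str:
    """Reception has checked the passport (credentials) and hands out a signed, expiring key card."""
    claims = {"sub": guest, "scope": scopes, "exp": now + ttl, "jti": f"{guest}-{now}"}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"

def revoke(token: str) -> None:
    """Guest reports a lost card; reception deactivates it by its id and the locks are told."""
    body = token.split(".")[0]
    REVOKED.add(json.loads(_unb64(body))["jti"])

def check_access(token: str, door_scope: str, now: int) -> str:
    """Door lock decision: returns 'ok' or the reason the door stays shut."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return "malformed"
    if not hmac.compare_digest(sig, _sign(body)):   # corrupted or forged card
        return "bad signature"
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:                          # card has expired
        return "expired"
    if claims["jti"] in REVOKED:                      # lock knows the card was deactivated
        return "revoked"
    if door_scope not in claims["scope"]:             # guest card tried on a door it does not open
        return "forbidden"
    return "ok"
```

Note that a lock only returns "revoked" once REVOKED has been updated; before that propagation happens, a lost card still reads as "ok", which is exactly the window the article describes.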
It has helped me tremendously in the past. May it now benefit you too.
Have a great one!
PS: If you are interested in learning more about the technical details of token-based authentication, make sure to check out these articles:
  • 10 Things You Should Know about Tokens
  • The ins and outs of token-based authentication
  • AngularJS Authentication Screencast