
Exploring Access and Refresh Tokens: A Deep Dive into Authentication and Authorization


Ever feel like you're constantly logging in to websites and apps? Those logins rely on a fascinating behind-the-scenes dance between access tokens and refresh tokens. In this blog post, we'll break down these digital keys and how they work together to keep your information secure while streamlining your online experience. Get ready to unlock the secrets of authentication and say goodbye to login fatigue!

Authentication and Authorization

Authentication and authorization are the two key aspects of developing a secure application.

Let's understand this with an example:

Consider an online food ordering application: customers choose items from the menu and place an order, the shop owner accepts the order, and the food is then prepared and delivered.

Authorization defines a user's permissions and level of access, which dictate what they are allowed to do with the resources and functionality of the system. A customer can select items and place an order but cannot modify the menu, because they have not been granted that authority. The owner, on the other hand, is authorized to modify the menu.

Authentication is the process of confirming a user's identity, ensuring that they are who they claim to be, using credentials or other factors. When a user wants to place an order, they log in with their credentials, which the application checks against its registered accounts; likewise, the owner logs in to prove that they are the owner before the application lets them edit the menu or accept orders. Note that the login itself only establishes who the user is; what that user may then do is the authorization decision described above.

In summary authorization is like giving keys to different doors in a building. Before you get those keys, there's another step called authentication, where you prove who you are. Once authenticated, authorization kicks in and determines which doors (or parts of the system) you're allowed to access. It's about controlling who can do what, making sure everyone stays in the areas they're supposed to and keeping everything secure.

Access Tokens

Access tokens act like digital ID cards in the online world. Just as we use a physical ID card to gain access to specific services or areas, such as a classroom or the college library, an access token is presented to a website to prove that the user has already been authenticated and to grant them access to particular services and functionality.

When you log in to a website, you're typically given two things: an access token and a refresh token (we'll talk more about refresh tokens later). Whenever you want to do something on the website, such as calling an API or using a feature, you send the access token along with the request. The refresh token is not sent with ordinary requests; it only goes to the login or token endpoint when a new access token is needed.

In the online shopping world, picture the frustration of constantly re-entering your credentials every time you move to a different page, add items to your cart, or proceed to checkout on Amazon. But fear not! Access tokens swoop in to save the day. Once you log in, you're provided with an access token. This token acts as your digital identity, ensuring seamless navigation throughout the website without the tedious repetition of entering your credentials. With each action you take, whether it's browsing different pages or adding items to your cart, the access token accompanies your request, quietly authenticating you in the background. This not only saves time but also enhances your overall shopping experience by removing the interruptions and frustrations associated with frequent logins.

Access tokens can be provided to the web server in the following ways:

  1. Bearer tokens: This is the most commonly used method, in which the access token is sent in the HTTP Authorization header in the following format

    Authorization: Bearer <access_token>

  2. Parameters: The access token is sent as a query parameter in the URL. This is discouraged, because URLs end up in browser history, server and proxy logs, and Referer headers, so a token carried this way leaks easily.

    https://api.example.com/resource?access_token=<access_token>

  3. Cookies: The access token is stored in a cookie of the web application and the browser attaches it to requests automatically. The cookie should be marked HttpOnly, Secure and SameSite so that page scripts cannot read it and it is only sent over HTTPS.

  4. Form data: The access token is included in the request body and sent with the POST method

  5. Client-side storage: The access token can be kept in the browser's local storage or session storage and attached to requests by script. Anything that page JavaScript can read, injected script can read too, so an XSS flaw on the site exposes tokens stored this way.

Access tokens typically have short expiry times to minimize the window of opportunity for an attacker who obtains a stolen token. By limiting how long an access token remains valid, the damage a leaked token can do is bounded: once it expires it is useless, even if it was never explicitly revoked. This proactive measure reduces the impact of a breach and the likelihood of unauthorized access, which improves overall security.

Refresh Tokens

A refresh token is a longer-lived credential that is used to obtain a new access token when the current access token expires, without requiring the user to log in again.

Consider the Amazon shopping scenario: we use the access token to access the website's services. Because of its short lifespan, the access token eventually expires. Without a refresh token we would be prompted to enter our credentials and log in again. In practice this doesn't happen; instead the client sends its refresh token to the server, which looks it up and compares it with the one it stored when we logged in. If they match and the refresh token has not itself expired or been revoked, the server issues a new access token (often together with a new refresh token that replaces the old one) and we can continue shopping. If they do not match, no access token is issued and we can no longer use the services until we log in again.
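To make the flow concrete, here is an added example (written for this post, not code from the original article or from any real site) that puts the bearer-token handling from the previous section and the refresh exchange just described into one small, runnable token service. The signing key, the token lifetimes, the customer/owner roles from the food-ordering example and the in-memory refresh store are all assumptions made for illustration; a real deployment would use an established JWT library and a persistent store. Access tokens are self-contained and HMAC-signed, so they can be checked without a database lookup; refresh tokens are opaque random strings that the server keeps only as hashes and rotates on every use, so a stolen one can be replayed at most once.

```python
# Added example, not code from the original post: a minimal token service.
# Assumptions: the signing key, lifetimes, roles and the in-memory store are
# all made up for illustration.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

SECRET = b"demo-signing-key-do-not-use-in-production"  # assumed server secret
ACCESS_TTL = 300          # access tokens live for 5 minutes
REFRESH_TTL = 30 * 86400  # refresh tokens live for 30 days

# Server-side refresh-token store: sha256(token) -> {"sub", "role", "exp"}.
# Only the hash is kept, so a copy of this store cannot be replayed.
REFRESH_STORE: Dict[str, dict] = {}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_access_token(user: str, role: str, now: float) -> str:
    """Self-contained token '<payload>.<signature>' carrying subject, role and expiry."""
    claims = {"sub": user, "role": role, "exp": int(now + ACCESS_TTL)}
    payload = _b64(json.dumps(claims).encode())
    sig = _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_access_token(token: str, now: float) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, otherwise None."""
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):  # constant-time compare
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # malformed base64, bad JSON or missing separator
        return None
    if claims.get("exp", 0) <= now:
        return None  # expired: the client must use its refresh token
    return claims


def login(user: str, role: str, now: float) -> Tuple[str, str]:
    """Called after the credentials were verified (not shown): hand out both tokens."""
    refresh = secrets.token_urlsafe(32)  # opaque and unguessable
    REFRESH_STORE[_hash(refresh)] = {"sub": user, "role": role, "exp": now + REFRESH_TTL}
    return issue_access_token(user, role, now), refresh


def refresh_tokens(refresh: str, now: float) -> Optional[Tuple[str, str]]:
    """Exchange a refresh token for a new pair; the presented token is revoked (rotation)."""
    record = REFRESH_STORE.pop(_hash(refresh), None)  # pop, not get: single use
    if record is None or record["exp"] <= now:
        return None  # unknown, already used, or expired: a full login is required
    return login(record["sub"], record["role"], now)


def extract_bearer(headers: Dict[str, str]) -> Optional[str]:
    """Parse 'Authorization: Bearer <token>'; the scheme name is case-insensitive."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


def handle_edit_menu(headers: Dict[str, str], now: float) -> Tuple[int, str]:
    """Authenticate the request, then authorize the 'edit menu' action by role."""
    token = extract_bearer(headers)
    claims = verify_access_token(token, now) if token else None
    if claims is None:
        return 401, "login or refresh required"         # who are you? (authentication)
    if claims["role"] != "owner":
        return 403, "only the owner may edit the menu"  # not allowed (authorization)
    return 200, f"menu updated by {claims['sub']}"


if __name__ == "__main__":
    t0 = time.time()
    access, refresh = login("alice", "customer", t0)
    print(handle_edit_menu({"Authorization": "Bearer " + access}, t0))         # 403
    print(handle_edit_menu({"Authorization": "Bearer " + access}, t0 + 400))   # 401: expired
    new_access, new_refresh = refresh_tokens(refresh, t0 + 400)
    print(handle_edit_menu({"Authorization": "Bearer " + new_access}, t0 + 400))  # 403 again
    print(refresh_tokens(refresh, t0 + 400))  # None: the old refresh token was rotated out
```

The two failure paths are deliberately distinct: a missing, tampered or expired access token yields 401 (the server does not know who is asking and the client should refresh or log in), whereas a valid token for a customer who tries to edit the menu yields 403 (the server knows exactly who is asking and says no). Rotating the refresh token on every exchange means that if both the legitimate client and an attacker present the same old token, the second one fails, which is a useful signal that the token was stolen.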

Common refresh token storage mechanisms

  1. Client side: Typically browser cookies, local storage or session storage. As with access tokens, anything in local or session storage can be read by any script running on the page, and a refresh token is worth far more to an attacker because it lives much longer.

  2. Server side: A database or an in-memory cache that records the refresh tokens the server has issued (ideally only a hash of each), so that they can be validated and revoked

  3. Token vaults: Dedicated token management systems used to store and manage tokens

  4. Secure cookies: Cookies marked HttpOnly and Secure, which cannot be read by client-side JavaScript and are only sent over HTTPS. Because the browser attaches the cookie itself, the refresh token never has to be handled by page script.

In conclusion, access tokens and refresh tokens are the unsung heroes of online security, working tirelessly behind the scenes to ensure your data remains protected and your online experiences are seamless. By understanding their roles and how they work together, we can navigate the digital landscape with confidence and peace of mind. Stay informed, stay secure, and stay tuned for more insights into the ever-evolving world of online security. Thanks for joining us on this journey!