Voximplant. Blog

Authorization using tokens instead of passwords

Storing passwords inside applications is not safe. For better security, our SDK provides two additional login methods: one-time login keys and renewable tokens. Keys remove the need to store a password entirely: your own backend generates a one-time login key each time your application needs to log in to the Voximplant cloud. Although very secure, keys require you to run a backend of your own, while tokens can be used entirely on the SDK side, with the security and usability trade-offs explained in this article.

After a successful login with a username and password, the SDK fires the AuthResult event. How you receive the event depends on the SDK platform: in the JavaScript SDK you subscribe with the addEventListener method and the VoxImplant.Events.AuthResult identifier; on Android an object implements the VoxImplantCallback interface with its onLoginSuccessful method and is registered with the setCallback method; and so on. Refer to the documentation of the target SDK for the details.

The AuthResult event carries a tokens object describing the login tokens. Its most important field is accessToken, which can be passed to a token-accepting variant of the login method in place of a password. These variants are named according to the target platform's style guide; in the JavaScript Web SDK it is the loginWithToken method. Saving the token instead of the password removes the risk of password disclosure: a leaked token is only valid for Voximplant, whereas a leaked password may be reused by the same user elsewhere. But a stolen token can still be used to log in for as long as it remains valid, so protect the stored token as carefully as you would a password.

For additional security, the token lifespan is limited (one month by default; this may change in the future). The application should refresh the access token periodically using the refreshToken field and the corresponding "refresh token" method, which is again named according to the platform's style guide; in the JavaScript Web SDK it is tokenRefresh. The lifespans of both tokens arrive alongside the token strings: accessExpire gives the access token lifespan in seconds and refreshExpire gives the refresh token lifespan in seconds. Because these values are relative to the moment of login, convert them to absolute expiry times when you store them, and refresh before the access token runs out; once the refresh token itself has expired, the only remaining option is a fresh login with a password.
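The following is an added example, not code from the Voximplant SDK or this blog, showing how a client can manage the tokens object from the two paragraphs above: record the lifespans as absolute expiry times, pick between loginWithToken, tokenRefresh and a password login, and fall back to the password only when no usable token remains. The SDK is replaced by a constructed FakeSdk so the block runs offline; its method names follow the Web SDK naming used in the text, but the fact that it returns a fresh tokens object on every successful call, the 60-second refresh margin and the askPassword callback are assumptions of the example.

```javascript
// Token lifecycle helper around the AuthResult `tokens` object
// (accessToken, refreshToken, accessExpire, refreshExpire).
// Added example, not Voximplant SDK code; FakeSdk is a constructed stand-in.

// Refresh this many seconds before the access token expires (assumption).
const REFRESH_MARGIN_SEC = 60;

// Turn the relative lifespans (seconds) into absolute timestamps (ms) so the
// stored record stays meaningful after the application restarts.
function recordTokens(tokens, nowMs) {
  return {
    accessToken: tokens.accessToken,
    refreshToken: tokens.refreshToken,
    accessExpiresAt: nowMs + tokens.accessExpire * 1000,
    refreshExpiresAt: nowMs + tokens.refreshExpire * 1000,
  };
}

// Pick the cheapest login path that can still succeed: the access token while
// it is comfortably valid, the refresh token while it is valid, otherwise a
// password prompt. The password itself is never stored.
function chooseLoginMethod(stored, nowMs, marginSec = REFRESH_MARGIN_SEC) {
  if (!stored) return 'password';
  if (nowMs + marginSec * 1000 < stored.accessExpiresAt) return 'accessToken';
  if (nowMs < stored.refreshExpiresAt) return 'refresh';
  return 'password';
}

// Constructed stand-in for the SDK (assumption, not the real API). Each call
// returns an AuthResult-like object { result, tokens }. Tokens are opaque
// strings; the fake only accepts the ones it issued most recently.
class FakeSdk {
  constructor(password, accessExpire, refreshExpire) {
    this.password = password;
    this.accessExpire = accessExpire;
    this.refreshExpire = refreshExpire;
    this.issued = 0;
    this.current = null;
  }
  issueTokens() {
    this.issued += 1;
    this.current = {
      accessToken: `access-${this.issued}`,
      refreshToken: `refresh-${this.issued}`,
      accessExpire: this.accessExpire,
      refreshExpire: this.refreshExpire,
    };
    return { result: true, tokens: this.current };
  }
  login(username, password) {
    return password === this.password ? this.issueTokens() : { result: false };
  }
  loginWithToken(username, accessToken) {
    return this.current && accessToken === this.current.accessToken
      ? this.issueTokens() : { result: false };
  }
  tokenRefresh(username, refreshToken) {
    return this.current && refreshToken === this.current.refreshToken
      ? this.issueTokens() : { result: false };
  }
}

// Log in using the stored record, refreshing or falling back as needed.
// askPassword (assumed callback) is only invoked when no usable token remains
// or the service rejects the token we presented.
function ensureLoggedIn(sdk, username, stored, askPassword, nowMs) {
  const method = chooseLoginMethod(stored, nowMs);
  let auth = null;
  if (method === 'accessToken') {
    auth = sdk.loginWithToken(username, stored.accessToken);
  } else if (method === 'refresh') {
    auth = sdk.tokenRefresh(username, stored.refreshToken);
  }
  if (!auth || !auth.result) {
    // Token missing or rejected (expired, revoked, clock skew): password path.
    auth = sdk.login(username, askPassword());
    if (!auth.result) return { method: 'failed', stored: null };
    return { method: 'password', stored: recordTokens(auth.tokens, nowMs) };
  }
  return { method, stored: recordTokens(auth.tokens, nowMs) };
}
```

In a real application the stored record would be written to the platform's protected storage and nowMs would be Date.now(); the example passes the clock in explicitly so the expiry arithmetic can be exercised deterministically.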
