3

I read about token based authentication and got the general idea. What I don't understand is why on the frontend (ember in my case) I would need such a token if all communication is with your own restful api backend (rails in my case). If you communicate strictly with your own backend, and you leave the authentication in that backend, then why do you need the token in your ember app?

Your backend would serve as a proxy sometimes but is that bad? Is it better to do it directly from the ember app if possible? I would (mainly) go to twitter for queries.

Thanks for sharing your ideas.

3
  • Are you referring to Rails' authenticity token? Its purpose is to prevent CSRF: en.wikipedia.org/wiki/Cross-site_request_forgery Commented Dec 8, 2012 at 14:49
  • No, not so much the Rails authenticity token, as that one will be there when I log in on the server side. There are quite a few posts about bringing the authentication token to the client for javascript based apps and I don't know if that is necessary if you do all restful communication strictly with the backend. Commented Dec 8, 2012 at 20:24
  • 1
    This is really about how you handle the session. If you are building a backbone app that will act as a client (e.g. on a mobile app) then you need to manage the session on the client; lots of ways to do this. If your ember app is sitting in a rails app, served up as a part of a request in the browser to the rails app, then you can have rails manage the session. Token authentication is just one way to tell your rails backend who is connecting to the server; essentially in a rails app this is what the cookie/session does. Typed from my mobile so might be a few typos. Commented Dec 8, 2012 at 20:46

1 Answer

4

I'm a bit new to this topic myself, but your question is also a bit unclear. If you mean the consumer key tokens that are used in OAuth systems, these are required to ensure that the third party using your API has actually been granted access to use it - anyone without a consumer key cannot use your API.

Alternatively, if you are referring to users being authenticated using an authentication token... When you create a rails app that has authentication (for example using the devise gem) a sessions controller is also created/used. Sessions(/cookies) are basically a way of 'remembering' that the user has logged in. This avoids having to resend username/password with every action the user performs in order to authenticate him/her for that action.

This approach works perfectly fine when it comes to web apps because all browsers support cookies. However, this is not true when it comes to mobile apps. It is not possible to keep a session/cookies when using a native app (well it is technically possible, but from what I've read it seems to require quite a bit of manual labor and a bit of code wizardry to get it working correctly).

Now, when you create an API for your app, you need to bear in mind that your API may be used for creating a mobile app (either by you in the future or if you open it to the public). This means that using sessions probably isn't a good idea. For each request that requires authorization the username/password will need to be sent to ensure the user has access to perform the requested action. But sending username/password with each request is definitely a bad idea. That's where token authentication comes in. If you've ever used devise, you will notice there is an option to enable token authentication. This basically allows the 3rd party to send a token rather than the username/password and works just the same. The good thing about this approach is that even if a token gets stolen they can expire and a new one can be generated without the user even realising and without the users password being stolen.

(I'm fairly new to the topic myself; from what I've gathered so far that seems to be how things work. Now if I have made any mistakes in my explanation/understanding I hope people will jump in and correct me.)
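A standalone illustration of the token approach the answer describes (added here, not code from the answer or from devise): the server hands out a random token instead of the password, stores only its digest, lets it expire, and can revoke or rotate it after a suspected theft. The in-memory store, the one-hour lifetime and the "Authorization: Token <value>" header form are assumptions for this example.

```ruby
require "securerandom"
require "openssl"
require "time"

# Minimal token store: a user gets an opaque random token; only its
# SHA-256 digest is kept server-side, so a leaked table does not leak
# usable tokens. Every token carries an expiry and can be revoked.
class TokenStore
  TTL = 3600 # seconds a token stays valid (assumed value)

  def initialize
    @tokens = {} # digest => { user: ..., expires_at: Time }
  end

  # Issue a fresh token for a user, replacing any token they already hold
  # (rotation: the old token stops working immediately).
  def issue(user, now: Time.now)
    revoke_all(user)
    raw = SecureRandom.urlsafe_base64(32)
    @tokens[digest(raw)] = { user: user, expires_at: now + TTL }
    raw # returned to the client once; never stored in the clear
  end

  # Return the user for a valid token, or nil when unknown or expired.
  def authenticate(raw, now: Time.now)
    key = digest(raw)
    entry = @tokens[key]
    return nil unless entry
    if entry[:expires_at] <= now
      @tokens.delete(key) # expired tokens are dropped on first use
      return nil
    end
    entry[:user]
  end

  # Invalidate every token for a user (e.g. after a reported theft).
  def revoke_all(user)
    @tokens.delete_if { |_, e| e[:user] == user }
  end

  # Extract the token from an "Authorization: Token <value>" header value
  # (header scheme is an assumption for this example, not a devise API).
  def self.token_from_header(value)
    m = /\AToken\s+(\S+)\z/.match(value.to_s)
    m && m[1]
  end

  private

  # Lookups go through the digest, so the table never holds raw tokens.
  def digest(raw)
    OpenSSL::Digest::SHA256.hexdigest(raw)
  end
end
```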


1 Comment

Great point about mobile apps not supporting the session. So... what if you want your API to serve both a web app and a mobile app? I'm thinking that then you need to support both authentication methods (token and session). In a browser-based app, you still want session-based authentication so that the user will be remembered across tabs (or perhaps the client JavaScript could simulate a session by setting cookies itself to save the token?).
