It has some limitations, but would probably work for my needs. The idea is fairly simple and doesn’t require any outside service.
- Avoid storing “long lived” tokens on the client device due to security vulnerabilities
- Allow multiple Single-Page-Apps (same domain) to automatically authenticate
- Simple for the user and the developer
Probably not good for general public apps.
The key idea is that the token is constantly being changed during the course of normal processing.
Basic Steps of Process
- User is set up in app owner’s system and emailed a token
- User opens app portal page and enters token value (1st time only)
- Token is saved to device local storage by portal web page
- App requests use this token for authentication & identification
- Data (not code) requests are indicated with a URL query string value
- These data requests are sent a new token in the response
- Client code replaces the token in local storage (best way to handle this?)
- On the server, the previous token expires within a short time
- Still need to figure out the best way to deal with multiple devices for the same user, errors, etc.
Any thoughts, criticisms, suggestions appreciated.