Should token authentication be tied to a specific user?


Rob Romano

Nov 19, 2012, 12:22:13 AM11/19/12
to django-res...@googlegroups.com

I looked at 2 other token based authentication schemes, django-tokenapi and tastypie. Both seem to tie the user ID into the token authorization header so that only (a combined user ID + token key), when found in the table, is a successful authorization.

The current Token model in REST Framework generates a random UUID and hashes it.  The chance for collisions seems low. 

I like the simplicity of the authtoken.Token model, but is there some chance we might mis-authenticate (by random chance) users by only looking at the hashed random uuid?

Anyone here with experience in the design of a token based scheme (for mobile apps, for example) have any opinions?


Thanks!

Carlton Gibson

Nov 19, 2012, 2:41:24 AM11/19/12
to django-res...@googlegroups.com

Hi Rob, 

On 19 Nov 2012, at 06:22, Rob Romano <rro...@gmail.com> wrote:

> The current Token model in REST Framework generates a random UUID and hashes it.  The chance for collisions seems low.
>
> I like the simplicity of the authtoken.Token model, but is there some chance we might mis-authenticate (by random chance) users by only looking at the hashed random uuid?
>
> Anyone here with experience in the design of a token based scheme (for mobile apps, for example) have any opinions?

Amongst a lot of small ones, I worked on a reasonably high traffic API which used a token model in line with DRF's current one (i.e. token only) for authentication. We had all manner of difficulties but token collision was never one of them.

I'm yet to examine the UDID generation and hashing code but I assume it's robust. If so then this suggestion raises a, "meh". 

I've followed the discussion and there's nothing in the suggested code that offends me. HOWEVER, I would argue (not with massive zeal) against the change: the risk being covered is negligible, it would NEVER come up, and EVERY client that is ever written against DRF would be just that little bit more complicated because of it.

2¢.

Regards,

Carlton

Daniel Sokolowski

Nov 19, 2012, 12:49:40 PM11/19/12
to django-res...@googlegroups.com
MD5 hashes are 128 bit (32 characters), UUIDs are 128 bit too and by design unique, so there is no chance of collision as you're mapping into a space of the same size. Now, do I sound like I know what I am talking about? Yes. Am I confident I am 100% right? No.

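The two lookup styles the thread compares (token-only as in DRF's authtoken, versus user id + token as Rob describes for django-tokenapi and tastypie), together with the birthday-bound estimate behind the "chance for collisions seems low" remark, as an added Python example. This is not code from the thread, from DRF, or from the other two projects: the in-memory TokenStore, its injectable random source, and the retry-on-collision loop are illustrative constructions; the "Authorization: Token <key>" header form is DRF's documented one, and the user-id comparison stands in for the combined row lookup the other projects do in the database.

```python
import hashlib
import math
import secrets

# Constructed example: an in-memory stand-in for an authtoken table, keyed by
# the token string exactly as a token-only scheme would look it up.
class TokenStore:
    def __init__(self, rng=secrets.token_bytes):
        self._rng = rng          # injectable so the collision path can be exercised
        self._by_key = {}        # token key -> user id

    def create(self, user_id):
        """Issue a token backed by 128 random bits.

        Hashing the random value adds no entropy; it only yields a fixed-width
        opaque string. The retry loop is the collision guard: with 2**128 keys
        it will practically never run twice, but a store that overwrote an
        existing row on collision would hand one user's token to another.
        """
        while True:
            key = hashlib.sha256(self._rng(16)).hexdigest()
            if key not in self._by_key:
                self._by_key[key] = user_id
                return key

    def authenticate_token_only(self, key):
        """DRF-style lookup: the key alone identifies the user (or None)."""
        return self._by_key.get(key)

    def authenticate_user_and_token(self, user_id, key):
        """tokenapi/tastypie-style lookup: the (user id, key) pair must match.

        A valid key presented with the wrong user id is rejected, so a key
        collision would only matter if the colliding users' ids also coincided.
        """
        owner = self._by_key.get(key)
        if owner is None or owner != user_id:
            return None
        return owner


def parse_token_header(header):
    """Extract the key from an 'Authorization: Token <key>' value, else None."""
    if header is None:
        return None
    parts = header.split()
    if len(parts) != 2 or parts[0].lower() != "token":
        return None
    return parts[1]


def collision_probability(n_tokens, bits=128):
    """Birthday bound: probability that n random keys of `bits` width contain a duplicate.

    Uses 1 - exp(-n(n-1) / 2^(bits+1)), which is accurate when n is far below 2^(bits/2).
    """
    space = 2 ** bits
    return -math.expm1(-n_tokens * (n_tokens - 1) / (2 * space))


def tokens_for_probability(p, bits=128):
    """Roughly how many keys must exist before a duplicate has probability p."""
    return math.sqrt(2 * 2 ** bits * math.log(1 / (1 - p)))


if __name__ == "__main__":
    store = TokenStore()
    key = store.create(42)
    header = "Token " + key
    print(store.authenticate_token_only(parse_token_header(header)))        # 42
    print(store.authenticate_user_and_token(7, parse_token_header(header)))  # None
    print(f"P(duplicate among 1e6 keys): {collision_probability(10**6):.3g}")
    print(f"keys for a 50% duplicate chance: {tokens_for_probability(0.5):.3g}")
```

Running it shows the size of the risk Carlton calls negligible: a million issued tokens give a duplicate probability on the order of 1e-27, and a 50% chance needs roughly 2e19 live tokens. The user-bound variant does not change that number; what it changes is the consequence of a duplicate, which becomes a cross-user authentication only if both the key and the user id coincide, at the cost of every client having to send both values.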

Rob Romano

Nov 19, 2012, 3:58:25 PM11/19/12
to django-res...@googlegroups.com
Thanks for the empirical data points!