Token For Password

0 views
Skip to first unread message

Amie Mandy

unread,
Aug 4, 2024, 7:38:38 PM8/4/24
to juncnilite
Tokenbased authentication is a type of authentication that generates encrypted security tokens. It enables users to verify their identity to websites, which then generates the unique encrypted authentication token. That token then provides users with access to protected pages and resources for a limited period of time without having to re-enter their username and password.

Token-based authentication proves that the user has been provided access to applications, websites, and resources without having to verify their identity every time they navigate to a new site. Websites can also add additional layers of security beyond traditional passwords without forcing users to repeatedly prove their identity, which improves both user experience and security.


Hardware tokens, sometimes called authentication or security tokens, are physical devices that enable the authorization of users to access protected networks. The purpose of a hardware token is to add a layer of security via two-factor or multi-factor authentication. The token user links the token to the system or service they want to access.


Hardware tokens are designed for seamless user experience and customizability which allows them to be available in multiple forms. The most common types of tokens are key fobs, USBs, and wireless tokens. Hardware tokens can be divided into three categories:


A JSON Web Token is an open standard (RFC 7519). It defines a simple, self-contained method for transmitting information between parties securely. A JWT standard uses JavaScript Object Notation (JSON) objects to transmit tokens between parties. These tokens can be used for authentication, and for the transfer of additional information about the user or account.


One-time password (OTP) tokens are secure hardware devices or software programs that can generate one-time passwords. Most commonly, these are personal identification numbers (PIN), numeric codes between 4-12 digits.


One-time password tokens enhance existing identity and password systems by adding dynamically generated credentials. Depending on the provider, OTP tokens generate PINs either synchronously or asynchronously:


API tokens are used as unique identifiers of an application requesting access to your service. The service then generates an API token for the application to use when requesting your service. The API Token can then be matched with the one you have stored to authenticate and provide access.

API tokens have gained popularity as they have replaced the unsafe practice of sending username and password combinations over HTTP.


This token-based process proves that the user has been provided access to applications, websites, and resources without having to verify their identity every time they navigate to a new site. Websites can add additional layers of security beyond traditional passwords without forcing users to repeatedly prove their identity, which improves both user experience and security.


As cybercrime becomes more sophisticated, managed service providers must continuously update their security techniques and policies. Due to the increase in attacks that target credentials via methods like phishing, or brute force and dictionary attacks, authentication can no longer rely on passwords alone.


When combined with additional authentication techniques, token-based authentication can create a more complex barrier to prevent sophisticated hackers from exploiting stolen passwords. Tokens are only retrievable from the unique device that created them such as a smartphone or key fob, making them a highly effective authorization methodology today.

It should be noted that while there are many advantages to authentication token platforms, some risk always remains. Tokens that are housed in mobile devices are convenient to use but may be exposed through device vulnerabilities. If the tokens are via SMS, they can easily be intercepted in transit. If a device is lost or stolen, a malicious actor can gain access to the tokens stored in it.


I disagree here. Setting up your own internal API connection would be much easier than setting up zapier, parsing the email, etc. Not to mention the extra costs of zaps as what @code-escapee mentioned


Why not just have a field in the DB, Save the token there via a backend workflow, then parse it to front for user to reset their password?

After user resets password, run a workflow to clear the field you stored the token in.


I believe this logic would make sense with the current password reset setup. (ie. the email link goes to your password reset page, then Bubble only checks to see if the request is valid once the request is submitted, not on page load).


I am an Auth0 noob, and am able to create a new user with the Management API after I get a token for the using the Management API for my specific Auth0 application. My question is, how do I procure a authentication JWT for a specific user using username and password, but with using API, not a browser based method like Lock. Please provide examples with links to the correct URLs within Auth0. I have been looking for this for a while now with no success. If I may provide general advice on your tutorials and documentation. I find you folks overuse several terms that is horribly confusing. These terms are API, application, client and token. It would be a lot easier with pictures. Thanks.


The Resource Owner Password endpoint can obtain an id_token through the API (non browser-based). Please ensure to read the Remarks about setting the grant_types for your client to support this endpoint:


Well, I tried the resource owner password endpoint, and I keep getting the following error:

"error":"unauthorized_client","error_description":"Grant type 'password' not allowed for the client.","error_uri":" -grant-types" I think we could benefit from a simple workflow for non-interactive clients to create a user and then get a token for that user.


Thanks, Prashant. I was able to get this working. So, I have management API working for creating users etc. and then the authentication API working for getting an access_token for a user. How does one validate a user for that access_token using your API (I assume use Authentication API, but what REST API)?.


Personal access tokens are intended to access GitHub resources on behalf of yourself. To access resources on behalf of an organization, or for long-lived integrations, you should use a GitHub App. For more information, see "About creating GitHub Apps."


GitHub currently supports two types of personal access tokens: fine-grained personal access tokens and personal access tokens (classic). GitHub recommends that you use fine-grained personal access tokens instead of personal access tokens (classic) whenever possible.


Organization owners can set a policy to restrict the access of personal access tokens (classic) to their organization. For more information, see "Setting a personal access token policy for your organization."


If you choose to use a personal access token (classic), keep in mind that it will grant access to all repositories within the organizations that you have access to, as well as all personal repositories in your personal account.


As a security precaution, GitHub automatically removes personal access tokens that haven't been used in a year. To provide additional security, we highly recommend adding an expiration to your personal access tokens.


Personal access tokens are like passwords, and they share the same inherent security risks. Before creating a new personal access token, consider if there is a more secure method of authentication available to you:


When using a personal access token in a script, you can store your token as a secret and run your script through GitHub Actions. For more information, see "Using secrets in GitHub Actions." You can also store your token as a Codespaces secret and run your script in Codespaces. For more information, see "Managing your account-specific secrets for GitHub Codespaces."


Under Resource owner, select a resource owner. The token will only be able to access resources owned by the selected resource owner. Organizations that you are a member of will not appear unless the organization opted in to fine-grained personal access tokens. For more information, see "Setting a personal access token policy for your organization."


Under Repository access, select which repositories you want the token to access. You should choose the minimal repository access that meets your needs. Tokens always include read-only access to all public repositories on GitHub.


Under Permissions, select which permissions to grant the token. Depending on which resource owner and which repository access you specified, there are repository, organization, and account permissions. You should choose the minimal permissions necessary for your needs.


The REST API reference document for each endpoint states whether the endpoint works with fine-grained personal access tokens and states what permissions are required in order for the token to use the endpoint. Some endpoints may require multiple permissions, and some endpoints may require one of multiple permissions. For an overview of which REST API endpoints a fine-grained personal access token can access with each permission, see "Permissions required for fine-grained personal access tokens."


If you selected an organization as the resource owner and the organization requires approval for fine-grained personal access tokens, then your token will be marked as pending until it is reviewed by an organization administrator. Your token will only be able to read public resources until it is approved. If you are an owner of the organization, your request is automatically approved. For more information, see "Reviewing and revoking personal access tokens in your organization."


Note: Organization owners can restrict the access of personal access token (classic) to their organization. If you try to use a personal access token (classic) to access resources in an organization that has disabled personal access token (classic) access, your request will fail with a 403 response. Instead, you must use a GitHub App, OAuth app, or fine-grained personal access token.

3a8082e126
Reply all
Reply to author
Forward
0 new messages