Sunday, July 21, 2019

How to design to authenticate users based on links in email

I am working on a design problem where I need to authenticate users if they are coming from an email that I sent them. These are the details.

  1. I have users with email ID already created in my system.
  2. I will send emails to users with an encrypted link which has the user ID also with some metadata.
  3. If the user clicks on the email link, he should be directed to a website where he can see details related to him.

The website is a client-side only website which calls a BE server to get data and display it to the user. Now I want to have OAuth authentication for the API communication between the FE website and the BE server.

Assuming that we already have OAuth 2.0 (2-legged) implemented in the BE APIs, the approach I am thinking of is

  1. When the user goes to the website from the email, the FE application gets the encrypted token from the redirecting URL and calls a BE API with the token in the payload.
  2. This particular BE API is not secured by OAuth, as the FE does not have a token yet and, since it is a client-side application, I cannot store the client ID and secret in the codebase.
  3. The BE API parses the encrypted token, gets the user ID from it and also generates an OAuth access token with grant type "Implicit". This token is a short-lived token and its scope is limited to the user ID.
  4. The BE API returns the token and the user ID to the FE.
  5. The FE uses the user ID and the token to access user data through the other APIs, as all the other APIs are secured with OAuth.

This flow is designed to give the user easier access to this data while maintaining acceptable security. The assumption is that with token encryption we have ensured enough randomness that a user will not be able to access somebody else's data by randomly modifying the token from his email.
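As an added example (not code from the question), the flow above in Python with the properties the design relies on made explicit: the email link token carries an HMAC tag so that any modification is detected rather than depending on encryption alone for unforgeability, it has an expiry and a one-time ID so a link cannot be replayed, and the token minted by the unauthenticated endpoint is short-lived and bound to a single user ID. The keys, TTLs, claim names and function names are assumptions.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo keys: held only by the BE server, never shipped in the FE bundle.
LINK_KEY = secrets.token_bytes(32)    # authenticates tokens embedded in email links
ACCESS_KEY = secrets.token_bytes(32)  # authenticates the short-lived API access tokens
LINK_TTL = 24 * 3600                  # email link valid for one day (assumed)
ACCESS_TTL = 15 * 60                  # API access token valid for 15 minutes (assumed)
_used_link_ids = set()                # single-use record; a DB or cache in a real service

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(key: bytes, claims: dict) -> str:
    """Serialise the claims and append an HMAC-SHA256 tag so any edit is detectable."""
    body = _b64e(json.dumps(claims, separators=(",", ":")).encode())
    return body + "." + _b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())

def _verify(key: bytes, token: str, now: float):
    """Return the claims if the tag checks out and the token is unexpired, else None."""
    try:
        body, tag = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(tag)):
            return None                  # forged or modified token
        claims = json.loads(_b64d(body))
    except ValueError:
        return None                      # malformed token
    return claims if isinstance(claims, dict) and claims.get("exp", 0) > now else None

def make_email_link_token(user_id: str, meta: dict, now: float) -> str:
    """Token the BE embeds in the email link: user ID, metadata, expiry and a one-time ID."""
    claims = {"sub": user_id, "meta": meta, "exp": now + LINK_TTL, "jti": secrets.token_hex(16)}
    return _sign(LINK_KEY, claims)

def exchange_link_token(link_token: str, now: float):
    """Unauthenticated BE endpoint: validates the link token and mints a user-scoped access token."""
    claims = _verify(LINK_KEY, link_token, now)
    if claims is None or claims["jti"] in _used_link_ids:
        return None                      # invalid, expired or already redeemed
    _used_link_ids.add(claims["jti"])    # a second click or a replayed link is refused
    scope = "user:" + claims["sub"] + ":read"
    access = _sign(ACCESS_KEY, {"sub": claims["sub"], "scope": scope, "exp": now + ACCESS_TTL})
    return {"user_id": claims["sub"], "access_token": access}

def authorize_api_call(access_token: str, requested_user_id: str, now: float) -> bool:
    """Check run by the OAuth-protected APIs: valid token whose subject is the requested user."""
    claims = _verify(ACCESS_KEY, access_token, now)
    return claims is not None and claims["sub"] == requested_user_id
```

The `now` parameter is passed explicitly so expiry behaviour can be exercised deterministically; a real service would read the clock.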

This is an open-ended question. I am looking for suggestions on the above-mentioned approach.

Are there any obvious gotchas that I am missing?
Is there any big security risk with the approach?
Am I using the correct grant type?
Are there well-documented approaches for a similar requirement?
