3

In my ASP.NET web service, user passwords are stored as hash values using

 BCrypt.Net.BCrypt.HashPassword (password, BCrypt.Net.BCrypt.GenerateSalt ());

And my web service needs to implement token-based authentication as well. I am new to this and, as I understand from reading, in an authentication token the password also comes as a hashed string. So I have no clue how to validate the authentication token, as I do not know the original password from either side. Is it really necessary to hash the password in an authentication token? Or can I append the password to the authentication token as a base64 encoded string? Is it safe?

Thudani Hettimulla
  • 754
  • 1
  • 12
  • 32

1 Answer

3

A token is usually a random number/string which is not related to any other information like a password.

You can implement an authentication service, which needs a password once and can return a token if the password was correct. Later the client can send the token instead of the password, to authenticate the user. The application can ask the service if this token is valid.

Advantages are:

  • The application can delegate authentication to the service.
  • No need to expose user name and password for following requests.
  • Different applications can share the token, without knowing user name and password.
  • The service can handle expiry dates.
  • Tokens are much stronger than short user passwords and therefore can be handled more simply. Example: hashes of the tokens can be fast and can be stored without salting, so they can be searched for.
martinstoeckli
  • 23,430
  • 6
  • 56
  • 87
  • Thank you. That means I need to store client tokens in the server side? – Thudani Hettimulla Jan 14 '16 at 09:38
  • @Diluu - Only the hash of a token should be stored, but yes, the authentication service has to store them somewhere together with user id, expiry date, maybe roles and more... Different applications can share the token and use the same service for authentication. – martinstoeckli Jan 14 '16 at 09:42
  • Thank you @martinstoeckli, I'll try with such an approach. – Thudani Hettimulla Jan 14 '16 at 10:04
  • @Diluu - This [answer](http://security.stackexchange.com/q/19676/8343) could be helpful for you too. It recommends storing the tokens in a database, but it also shows how the information could be safely included in the token itself. – martinstoeckli Jan 14 '16 at 12:04
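The scheme the answer describes (check the password once, hand back a random token unrelated to it, store only the token's fast unsalted hash together with user id and expiry, look the hash up on later requests) as an added example in Python; it is not code from the question's ASP.NET service. PBKDF2 stands in for BCrypt.Net's HashPassword/Verify, and the two dictionaries stand in for database tables.

```python
import hashlib
import hmac
import os
import secrets
import time

# In-memory stores standing in for database tables (constructed for this example).
USERS = {}   # username -> (salt, slow salted password hash)
TOKENS = {}  # sha256(token) hex -> {"user": ..., "expires": unix time}

PBKDF2_ROUNDS = 100_000  # slow on purpose, like bcrypt's work factor


def register(username, password):
    """Store a salted, slow hash of the password (stand-in for BCrypt HashPassword)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = (salt, digest)


def _password_ok(username, password):
    """Stand-in for BCrypt Verify: recompute with the stored salt, compare in constant time."""
    if username not in USERS:
        return False
    salt, digest = USERS[username]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def issue_token(username, password, ttl_seconds=3600, now=None):
    """Check the password once; on success return a fresh random token.
    The server keeps only SHA-256(token): the token has 256 bits of entropy,
    so a fast unsalted hash is safe and can be used as a lookup key."""
    if not _password_ok(username, password):
        return None
    token = secrets.token_urlsafe(32)  # random, carries no password material
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    TOKENS[key] = {"user": username, "expires": now + ttl_seconds}
    return token


def validate_token(token, now=None):
    """Return the user name for a valid, unexpired token, else None."""
    now = time.time() if now is None else now
    entry = TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if entry is None or entry["expires"] <= now:
        return None  # unknown token or expired (expired rows can be purged later)
    return entry["user"]
```

A logout or compromise is handled by deleting the token's row, which the password-in-token scheme from the question cannot do without changing the password.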