I have a private API that I want 3rd-party clients to authorize against without sending sensitive information, like a password, to the client. The usual flow in this case is:
- We give a secret one time token to a client
- Upon activating this token (e.g. calling the API with this token) he's able to create an account by providing a password.
- Client authorizes with this password and receives a secret token
- This secret token is used with every api call.
The issue with this flow is when we're sending him the one-time token. If someone uses it first, he receives all the data he wanted.
Atm asymmetric encryption is used everywhere; HTTPS (SSL) is based on it. I wonder if there's such a thing as asymmetric authentication. As I see it, the flow is:
- A client and a server generate 2 magic tokens each: `client_private_token`, `client_secret_token`, `server_public_token`, `server_secret_token`.
- We save the opponent's public tokens, for example in settings files, on both sides.
- The server responds with `server_public_token`.
- The client uses `client_private_token` to generate some `session_token` and sends it with every request that requires authorization.
- The server uses its `server_private_token` and `user_public_token` to verify that this `session_token` is valid.
The flow is very similar to SSL, but instead of encrypting data we just generate magic strings that prove that it's us.
Please don't confuse it with JWT, as a JWT is just a payload with some information and a server signature over it. To create a JWT the user needs to be authorized first.
Also, if there are such things, it would be great to have clients for modern languages like Java, JS, Python, etc.