There is a web authentication service (A) and a web service with secret information (B). A web client sends a POST request to service A with a login and password. On success, it receives a token that it attaches to its requests to service B. Service B reads the token and, if it is valid, gives the secret information to the web client.

Question: how do I encrypt the token so that it cannot be faked by the web client? What logic should be on services A and B, given that they know absolutely nothing about each other's existence?

  • If you encrypt the token so that the web client cannot decrypt it, how will it work with it at all? Or did I misunderstand the question... - Ella Svetlaya
  • You do not need asymmetric encryption. It is enough that one part of the token contains information about the user and/or their rights and an expiration date, in the clear or encrypted. The second part of the token should be something like an electronic signature, for example the SHA-1 sum of the first part of the token and some secret phrase that is known only to servers A and B. That way B can always check the validity of the token by checking the checksum. Without knowledge of the secret phrase it is impossible to forge a token. - Mike
  • I once did cross-domain authentication. But there the user only had to be checked on entry to service B, and after that service A worked with the user. In case you are interested, the algorithm was this: service A generated a "transport token" that it sent to service B. Service B received the login and password from the user and, if authorization succeeded, generated an authorization token, which it sent to service A, which in turn re-checked the validity of the token; service A then, with the request for service B, recognized the user as its own. Something like that; it all does not fit in a comment... - Ella Svetlaya
  • @MatveySafronov The phrase is permanent. Otherwise how would B know which phrase is needed for verification? And let the user information be as large as you like. Changing any bit of this information means the SHA-1 has to be recalculated correctly, and without knowing the phrase that is impossible. Although of course it is better to encrypt the data with some symmetric algorithm. - Mike
  • JWT? Take a look. - D-side

1 answer

Services A and B share a secret phrase that is mixed with the user information and converted to a SHA-1 string. The services are written in nodejs, and I used the "jsonwebtoken" package.

On service A, we generate the JWT:

    const jwt = require( 'jsonwebtoken' );

    // Shared secret known only to services A and B
    const SECRET_PHRASE = 'test';

    // Default algorithm of jwt.sign() is HS256; the payload is the user data
    let token = jwt.sign( { foo: 'bar' }, SECRET_PHRASE );
    console.log( token );
    // eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIiLCJpYXQiOjE0Njg4Njg1MzJ9.WzCfkIs4BkavFUUzEBS62FT-W9ZOMUVfXiSaRF5J3H8

On service B, we verify and decode:

    const jwt = require( 'jsonwebtoken' );

    // Same secret phrase as on service A
    const SECRET_PHRASE = 'test';

    // `token` is the string the client attached to its request;
    // jwt.verify() throws if the signature or expiration is invalid
    let decoded = jwt.verify( token, SECRET_PHRASE );
    console.log( decoded );
    // { foo: 'bar', iat: 1468868532 }

Thank you @Mike and @D-side