Authorization: renewable tokens
Storing passwords inside applications is not safe. For better security, our SDK provides two additional login methods: one-time login keys and renewable tokens. Keys remove the need to store passwords: your own backend generates a one-time login key each time your application needs to log in to the Voximplant cloud.
Although the keys are very secure, they must be created by your own backend, whereas tokens can be used entirely on the SDK side, with some security and usability trade-offs that are explained in this article.
After a successful login with a username and a password, the AuthResult event is fired by the SDK.
The actual way to receive the event depends on the SDK platform. For the Web SDK, use the addEventListener method with the VoxImplant.Events.AuthResult identifier; for Android, an object should implement the VoxImplantCallback interface with the onLoginSuccessful method and be registered with the setCallback method; and so on. Please refer to the target SDK documentation for the details.
The AuthResult event comes with the tokens object that contains information about the login tokens. The most important field in that object is the accessToken, which can be used with a special version of the login method in place of a password. The special versions of the login method are named according to the target platform style guide. For example, for the Web SDK, it will be the loginWithToken method.
Saving the token instead of a password removes the "password disclosure" vulnerability. But if the token itself is stolen, it can be used to log in. For additional security, the token lifespan is limited (1 month by default, but this can be changed in the future).
The token should be refreshed periodically by the application using the special refreshToken token and the corresponding "refresh token" method. The "refresh token" method is also named according to the target platform style guide. For example, for the Web SDK, it will be the tokenRefresh method.
The lifespans for both tokens are received alongside the token strings: accessExpire specifies the access token lifespan in seconds and refreshExpire specifies the refresh token lifespan in seconds.
Example
The following code illustrates how loginWithToken works in the Web SDK. Create an index.html file with this code and don't forget to change the values of the HTML inputs. Then serve the file with a local server such as Web Server for Chrome or the live-server utility.
Open the link provided by your local web server in a browser and open the developer console. Then, specify the user password in the empty input and click Log in. This will log your user in (you will see "Login with the provided credentials: true" in the console) and save the generated token to localStorage.
After that, you can refresh the page and click Log in without specifying the user password. The Web SDK will use the token from localStorage and log your user in successfully (you will see "Login with the token: true" in the console).
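The token bookkeeping that an application has to wrap around the SDK calls described above (save the pair with its lifespans, prefer loginWithToken while the access token is valid, fall back to tokenRefresh when it has expired, and ask for the password only when neither token is usable) is shown below as an added example. It is not the index.html from the original article and not Voximplant's code: the real Web SDK is not loaded; instead an `sdk` object exposing `login`, `loginWithToken` and `tokenRefresh` is injected, and the assumption that each returns a Promise of an AuthResult-like `{ result, tokens }` object, the `vox.*` storage keys, the `createMemoryStorage`/`createFakeSdk` stand-ins and all sample values are constructed for this example.

```javascript
// Added example (not Voximplant's own code): bookkeeping for the renewable-token
// login flow. The real Web SDK is not loaded; `sdk` is an injected object exposing
// login / loginWithToken / tokenRefresh (names from the page). That each returns a
// Promise of an AuthResult-like object { result, tokens } is an assumption here.

const SKEW_MS = 60 * 1000; // treat a token as expired one minute early
const KEYS = ['vox.accessToken', 'vox.accessExpiresAt', 'vox.refreshToken', 'vox.refreshExpiresAt'];

// Persist the pair with absolute expiry times derived from the accessExpire /
// refreshExpire lifespans (seconds) that arrive with AuthResult.
function saveTokens(storage, tokens, now = Date.now()) {
  storage.setItem('vox.accessToken', tokens.accessToken);
  storage.setItem('vox.accessExpiresAt', String(now + tokens.accessExpire * 1000));
  storage.setItem('vox.refreshToken', tokens.refreshToken);
  storage.setItem('vox.refreshExpiresAt', String(now + tokens.refreshExpire * 1000));
}

function loadTokens(storage) {
  const accessToken = storage.getItem('vox.accessToken');
  if (!accessToken) return null;
  return {
    accessToken,
    accessExpiresAt: Number(storage.getItem('vox.accessExpiresAt')),
    refreshToken: storage.getItem('vox.refreshToken'),
    refreshExpiresAt: Number(storage.getItem('vox.refreshExpiresAt')),
  };
}

function clearTokens(storage) {
  KEYS.forEach((k) => storage.removeItem(k));
}

// 'token'    -> saved access token still valid: call loginWithToken
// 'refresh'  -> access token expired, refresh token valid: call tokenRefresh first
// 'password' -> nothing usable saved: ask for the password
function chooseLoginStrategy(saved, now = Date.now()) {
  if (!saved) return 'password';
  if (now + SKEW_MS < saved.accessExpiresAt) return 'token';
  if (saved.refreshToken && now + SKEW_MS < saved.refreshExpiresAt) return 'refresh';
  return 'password';
}

// Run the flow end to end. `askPassword` is called only when the tokens cannot be
// used, so the password itself never has to be stored by the application.
async function loginWithSavedTokens(sdk, storage, username, askPassword, now = Date.now()) {
  const saved = loadTokens(storage);
  const strategy = chooseLoginStrategy(saved, now);
  let auth = null;

  if (strategy === 'token') {
    auth = await sdk.loginWithToken(username, saved.accessToken);
  } else if (strategy === 'refresh') {
    const refreshed = await sdk.tokenRefresh(username, saved.refreshToken);
    if (refreshed.result && refreshed.tokens) {
      saveTokens(storage, refreshed.tokens, now);
      auth = await sdk.loginWithToken(username, refreshed.tokens.accessToken);
    }
  }

  if (!auth || !auth.result) {
    clearTokens(storage); // a rejected or stale pair must not be retried forever
    auth = await sdk.login(username, await askPassword());
  }
  if (auth.result && auth.tokens) saveTokens(storage, auth.tokens, now);
  return { strategy, result: auth.result };
}

// --- constructed stand-ins so the example runs without a browser or the SDK ---

// Minimal localStorage-like store (values are strings, missing keys read as null).
function createMemoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Fake SDK: accepts one password and any token it issued itself, and counts calls.
function createFakeSdk(password) {
  const issued = new Set();
  let n = 0;
  const issue = () => {
    n += 1;
    const tokens = { accessToken: `at-${n}`, accessExpire: 3600,
                     refreshToken: `rt-${n}`, refreshExpire: 30 * 24 * 3600 };
    issued.add(tokens.accessToken);
    issued.add(tokens.refreshToken);
    return { result: true, tokens };
  };
  const calls = { login: 0, loginWithToken: 0, tokenRefresh: 0 };
  return {
    calls,
    login: async (u, p) => { calls.login += 1; return p === password ? issue() : { result: false }; },
    loginWithToken: async (u, t) => { calls.loginWithToken += 1; return issued.has(t) ? issue() : { result: false }; },
    tokenRefresh: async (u, t) => { calls.tokenRefresh += 1; return issued.has(t) ? issue() : { result: false }; },
  };
}
```

In a browser the `storage` argument would be `localStorage` and `sdk` the VoxImplant client instance; the only page-specific logic is the expiry comparison, which uses the accessExpire and refreshExpire values delivered with AuthResult rather than guessing the lifespans. Anything persisted in localStorage is readable by every script running on that origin, which is why the limited token lifespan, and clearing a rejected pair instead of retrying it, matter.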