Implementing Token-Based Authentication in Empress

Introduction

This guide covers Token-Based Authentication, a built-in security feature of Empress. Choosing and implementing an authentication mechanism correctly matters for the security, scalability, and reliability of the applications you build on the platform.

Available from v11.0.3, the feature lets a client authenticate each request with a token instead of a browser session. Empress validates the token on every request and only then processes the request with the permissions of the user the token belongs to.

Understanding Token-Based Authentication

In the context of application development, authentication is the process of confirming a user's identity. Traditionally, web applications persist identity through session cookies that reference session state stored on the server side. Once you run more than one application server, that state has to live somewhere every server can reach: either per-server session storage (with clients pinned to a server) or a separate shared session storage layer.

Token-Based Authentication addresses this limitation of server-side sessions. Because the credential travels with every request, the server does not need to keep per-session state for API clients; each request is validated on its own, which simplifies scaling out across servers and suits non-browser clients (scripts, integrations, mobile apps) that do not handle cookies well.

Using Tokens for CRUD Requests

A token can authorize any request the user is permitted to make, including full CRUD (Create, Read, Update, Delete) operations on documents through the REST API. Once a token has been generated for a user, the client sends it along with each request, and your application validates it on every request before applying the user's normal role permissions. Note that the token is not scoped: whoever holds it can do everything that user can do.

A token is the pair of an API Key and an API Secret. Sent together, they authenticate the request as that user, and they work for both RPC (Remote Procedure Call) and REST API calls.

Generation of Tokens

For every user, you can generate an API Key and an API Secret that together form the token.

  • The API Key identifies the user.
  • The API Secret validates the request. Treat it like a password: it is shown when it is generated, and anyone holding both key and secret can act as that user.

These keys can be generated from the web interface, from the command line, or by remote procedure call (RPC). In each case user_name is the User document name (typically the user's email address):

  • RPC: /api/method/frappe.core.doctype.user.user.generate_keys?user="user_name" (the call must itself be authenticated as a System Manager)
  • Command: bench execute frappe.core.doctype.user.user.generate_keys --args "['user_name']" (quote the argument so the shell does not treat the brackets as a glob pattern)
  • Web: User -> Api Access -> Generate Keys

Please refer to the Guides / Integrations / Rest Api / Token Based Authentication section to understand how to send the token in an API request (the credential is carried in an Authorization header of the form token api_key:api_secret). Because the key and secret are sent in the clear inside that header, only send them over HTTPS.

Important Note:

  1. The API key cannot be re-generated: it is created once for a user and stays fixed. Generating keys again issues a new API Secret and invalidates the previous one. This is also how you rotate a leaked credential, since tokens do not expire on their own.
  2. Only users with the System Manager role can generate keys, for themselves or for any other user.
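The following is an added example, not code from Empress or Frappe, that models the behaviour described in the generation and note sections above end to end: a generate_keys that enforces the System Manager check, keeps the API Key fixed and rotates only the secret; the client-side Authorization header of the form token api_key:api_secret; and the server-side validation of that header with a constant-time comparison. The in-memory User store, the key lengths, and the demo() function are assumptions made for the example; a real deployment keeps the secret encrypted or hashed at rest rather than in plain text.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class User:
    """Stand-in for the User document (constructed for this example)."""
    name: str
    roles: Set[str] = field(default_factory=set)
    api_key: Optional[str] = None
    api_secret: Optional[str] = None


# In-memory user store standing in for the database (assumption).
USERS: Dict[str, User] = {}


def generate_keys(caller: User, user: str) -> dict:
    """Only a System Manager may call this. The api_key is created once and
    never changes; the api_secret is (re)issued on every call, which
    invalidates the previous secret. Only the new secret is returned."""
    if "System Manager" not in caller.roles:
        raise PermissionError("only System Manager can generate keys")
    target = USERS[user]
    if target.api_key is None:
        target.api_key = secrets.token_hex(8)  # 16 hex chars (length is an assumption)
    target.api_secret = secrets.token_hex(8)
    return {"api_secret": target.api_secret}


def auth_header(api_key: str, api_secret: str) -> str:
    """Client side: the Authorization header value sent with each request."""
    return f"token {api_key}:{api_secret}"


def authenticate(headers: dict) -> Optional[User]:
    """Server side: validate the token on an incoming request.
    Returns the user on success, None on any failure (the caller is not told why)."""
    value = headers.get("Authorization", "")
    scheme, _, credential = value.partition(" ")
    if scheme.lower() != "token" or ":" not in credential:
        return None
    key, _, secret = credential.partition(":")
    user = next((u for u in USERS.values() if u.api_key == key), None)
    if user is None or user.api_secret is None:
        # Unknown key: still do a comparison so timing does not reveal which keys exist.
        hmac.compare_digest(secret.encode(), b"x" * len(secret.encode()))
        return None
    # Constant-time comparison so a wrong secret cannot be guessed byte by byte.
    if not hmac.compare_digest(user.api_secret.encode(), secret.encode()):
        return None
    return user


def demo() -> dict:
    """Walk through generation, use, rotation and the permission check."""
    USERS.clear()
    admin = User("admin@example.com", roles={"System Manager"})
    alice = User("alice@example.com")
    USERS[admin.name] = admin
    USERS[alice.name] = alice

    first_secret = generate_keys(admin, alice.name)["api_secret"]
    key = alice.api_key
    first_ok = authenticate({"Authorization": auth_header(key, first_secret)}) is alice

    # Rotation: key stays the same, old secret stops working, new one works.
    second_secret = generate_keys(admin, alice.name)["api_secret"]
    stale = authenticate({"Authorization": auth_header(key, first_secret)})
    fresh = authenticate({"Authorization": auth_header(key, second_secret)})

    try:
        generate_keys(alice, alice.name)
        non_admin_denied = False
    except PermissionError:
        non_admin_denied = True

    return {
        "first_ok": first_ok,
        "key_unchanged": alice.api_key == key,
        "stale_rejected": stale is None,
        "fresh_ok": fresh is alice,
        "non_admin_denied": non_admin_denied,
        "bad_scheme_rejected": authenticate({"Authorization": "Basic abc"}) is None,
        "unknown_key_rejected": authenticate({"Authorization": auth_header("nokey", second_secret)}) is None,
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

The validation path deliberately returns None for every failure and compares secrets with hmac.compare_digest; a plain == comparison would let an attacker who can measure response times recover the secret one byte at a time.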

Conclusion

Token-Based Authentication in Empress gives developers a simple way to authenticate API clients without server-side sessions. Knowing how tokens are generated, how they are sent with each request, and how to rotate the API Secret lets you build integrations that are both secure and easy to scale.

Keep in mind that a token carries the full permissions of its user and does not expire by itself: issue it only to users who need API access, send it only over HTTPS, and regenerate the secret as soon as you suspect it has leaked.