Magic Link Authentication- Choose the right path

Thukaraka
3 min read · Dec 24, 2020

Episode 02

Fig.1. Different ways have their own pros and cons

Hello Friend!
In my previous article, I discussed What is Magic Link Authentication? and Why Magic Link Authentication? You can read that article here. In this article, I shall discuss the different approaches used in the implementation. Let us examine the in-depth flow of magic link authentication.

Fig.2. Flow diagram of Magic-Link Authentication

Implementing the Magic Link Authentication

The communication flow between the user and the system:

  1. User: Click the "Send Magic Link" button.
  2. System: Generate an authentication token that is unique to the user and embed the generated token in a URL sent to the user by email.
  3. User: Click the magic link URL in the email inbox.
  4. System: Extract and verify the token in the magic link and return the authenticated status to the user if the token is valid.

The core of the implementation comes down to two things:

1. Token generation

2. Token validation

There are different approaches to implementing Magic Link Authentication.

Fig.3 Stateful Vs Stateless

Stateful Implementation

1. Generate an authentication token as an arbitrary string (e.g., a random string).

2. Store the generated token in the server’s data store together with the associated user info and an expiration date.

3. Send the generated token with the magic link.

4. Token verification is accomplished by matching the received token against the token state stored in the server’s data store.

Fig.4. Pros and Cons of Stateful

Stateless Implementation

1. Generate an authentication token that contains the user information and is digitally signed.

2. Send the generated token with the magic link.

3. Token verification is accomplished through digital signature verification.

The main difference between these two types of implementation is that a stateful implementation needs a separate datastore on the server side, whereas a stateless implementation does not. To achieve a stateless implementation, JSON Web Token (JWT) can be used. Stateless authentication stores the user session data on the client side. The data is signed with the IdP’s key to ensure the integrity and authority of the session data. Since the user session is stored on the client side, the server can only verify its validity by checking whether the payload and the signature match.
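As an added example (not code from the original article or from any project it cites), here are the two approaches side by side in Python: the stateful path stores a random token server-side and consumes it on first use, while the stateless path builds and verifies an HS256 JWT with only the standard library. `TOKEN_STORE`, the function names, the 15-minute TTL and the key are assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets, time

# Stateful path: random token, kept in a server-side store, consumed on use.
TOKEN_STORE = {}  # token -> {"user": ..., "exp": ...}; in-memory stand-in for a DB (assumption)

def issue_stateful_token(user, ttl=900, now=None):
    """Steps 1-2: arbitrary random token stored with the user and an expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    TOKEN_STORE[token] = {"user": user, "exp": now + ttl}
    return token

def verify_stateful_token(token, now=None):
    """Step 4: match against the store; pop() so a replayed link finds nothing."""
    now = time.time() if now is None else now
    record = TOKEN_STORE.pop(token, None)
    if record is None or now > record["exp"]:
        return None
    return record["user"]

# Stateless path: HS256 JWT built and checked with the standard library only.
def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(user, key, ttl=900, now=None):
    """Step 1: user info (sub) plus expiry, signed with the IdP's key."""
    now = int(time.time() if now is None else now)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": user, "exp": now + ttl}, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token, key, now=None):
    """Step 3: signature verification; the claims are trusted only after it passes."""
    now = int(time.time() if now is None else now)
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":  # pin the algorithm
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    return claims["sub"] if now <= claims.get("exp", 0) else None
```

Note that the stateful verifier can make a link single-use by deleting the record, whereas the stateless verifier has nothing to delete and relies on the expiry claim alone.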

Fig.5. Pros and Cons of Stateless

Why is it good to use JWT in Magic Link Authentication via Mail?

A compromised email account seems to be a moot point, because a password can be retrieved using a password reminder anyway. We already depend on email accounts. Furthermore, the security around email is far superior (device recognition, for example) to most self-built applications. Passing the JWT as a query string parameter is not a risk if you use HTTPS.

Fig.6. The Flow of the Magic Link authentication with JWT

You can try out existing Magic Link implementations in Medium, Slack, etc.

Fig.7. Magic Link WorkFlow in Medium


Thank you for reading …


Thukaraka

Software Engineer@ SyscoLabs Sri Lanka| Undergraduate | Computer Science and Engineering | University Of Moratuwa