I am planning out how I will make an app. It will handle all main interactions over websockets / polling.
My question is about securing the websocket connection endpoints.
I will use other providers for authentication, like google. I was planning on using 2 different providers.
The client apps ( web and native mobile) will login and get a token from the provider of their choosing.
My idea is that the clients will send the outside authentication provider tokens to custom endpoints on the server side that will verify them.
The custom endpoints will return an access token generated by the server, that will be put in the header when they connect to the websocket endpoint.
The reason for generating my own token is so that I don't have to figure out where the token came from when the client tries to get a socket connection.
Another idea is instead of generating tokens, the server will just use the google / whatever tokens as it's own.
I am leaning heavily toward the second idea because it would simplify the token system since I don't have to do anything except check if they are valid.
Is there any flaw with this? Is there maybe something it looks like I don't understand?
All of life is a contant education - Eleanor Roosevelt. Tiny ad:
Building a Better World in your Backyard by Paul Wheaton and Shawn Klassen-Koop