I am trying to implement token based authorization in Rails with devise_token_auth (https://github.com/lynndylanhurley/devise_token_auth#conceptual).
When I post uid and password against the sign_in method, it returns access-token, client (and uid itself) in the header. I understand that token based authorization works like this:
- User posts `uid` (id) and `password` to the API server.
- API server validates the `uid` and `password`.
- Issues a Token and returns it, if the `uid` and `password` matched.
- Client receives the Token.
- Whenever the client wants to access the authentication-required APIs, the client uses the `uid` and the Token in order to prove that this client is in fact already authenticated.
I can understand that access-token corresponds to the Token described in the above explanation. That leads me to the question of what the client header value is, because it seems that, according to the official Wiki (https://github.com/lynndylanhurley/devise_token_auth#usage-tldr), the devise_token_auth library requires not only the access-token but also the client value.
Question:
- In devise_token_auth, what is the purpose of the `client` header value? Why is it also needed for identifying the user? Couldn't that be included in (or concatenated to) the `access-token` value?
The `client` header is generated for every different device accessing the API. Its purpose is to maintain more than one session active for a specific user (web client, mobile client, etc.). You can test this by signing in with the same user on 2 separate web clients and checking `user.tokens`; there should be 1 set of tokens for every client.
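To make the answer's point concrete, here is an added, constructed example of a per-device token store in plain Ruby. It is not code from devise_token_auth and does not use the gem's API; the names `TokenStore`, `issue`, `authenticate`, `revoke` and `sessions`, the two-week lifetime and the sample user are all assumptions. It shows why the `client` value travels with the `access-token`: each sign-in from a new device creates its own slot under the user, the token is checked only against that slot, and one device can be signed out without invalidating the others.

```ruby
require 'securerandom'
require 'digest'

# Constructed illustration (not devise_token_auth's own code) of why a request
# carries a `client` id next to the `access-token`: each device that signs in
# gets its own token slot under the user, so sessions can be validated and
# revoked independently. All names here (TokenStore, issue, authenticate,
# revoke, sessions) are hypothetical.
class TokenStore
  TOKEN_LIFETIME = 14 * 24 * 3600 # two weeks in seconds (assumed value)

  def initialize
    # uid => { client_id => { 'token_hash' => String, 'expiry' => Integer } }
    @users = Hash.new { |h, k| h[k] = {} }
  end

  # Called after the password check succeeded (password check not shown).
  # Mints a new client id and a new token; only a hash of the token is stored,
  # so a leaked database does not directly yield usable bearer tokens.
  def issue(uid, now: Time.now.to_i)
    client = SecureRandom.urlsafe_base64(16)
    token  = SecureRandom.urlsafe_base64(32)
    @users[uid][client] = { 'token_hash' => digest(token),
                            'expiry'     => now + TOKEN_LIFETIME }
    # These three values are what the client sends back as request headers.
    { 'uid' => uid, 'client' => client, 'access-token' => token }
  end

  # Validates the three headers of an incoming request. The `client` id picks
  # the slot; the token is then compared against that slot only, so a token
  # minted for one device is useless when presented with another device's id.
  def authenticate(headers, now: Time.now.to_i)
    uid, client, token = headers.values_at('uid', 'client', 'access-token')
    return false if [uid, client, token].any?(&:nil?)
    slot = @users.fetch(uid, {})[client]
    return false if slot.nil? || slot['expiry'] < now
    secure_compare(slot['token_hash'], digest(token))
  end

  # Number of live device sessions for a user (one per client id).
  def sessions(uid)
    @users.fetch(uid, {}).size
  end

  # Sign out one device only; the user's other sessions stay valid.
  def revoke(uid, client)
    !@users.fetch(uid, {}).delete(client).nil?
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end

  # Constant-time comparison so token guessing cannot use timing differences.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  store  = TokenStore.new
  web    = store.issue('alice@example.com') # constructed sample user
  mobile = store.issue('alice@example.com')
  puts "sessions for alice: #{store.sessions('alice@example.com')}"
  store.revoke('alice@example.com', web['client'])
  puts "web still valid?    #{store.authenticate(web)}"
  puts "mobile still valid? #{store.authenticate(mobile)}"
end
```

Concatenating the client id into the token string would not remove the need for this per-device bookkeeping; the server would still have to split the string back out to find which slot to compare against, so keeping `client` as its own header simply makes that lookup key explicit.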