Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

Change Log

WayGee

  • Initial Creation

Related Documents

Confluence Link

Overview

The USTA API uses AWS Cognito as an identity provider organized using the OAuth2 access model. Web and mobile applications interact with Cognito using https

Grant Types

Applications can use one of two OAuth2 grant types:

  • Authorization Code used for browser applications where the user authenticates as themself.

  • Client Credentials used for server-side applications where the service authenticates as the service and establishes a session.

Credentials

After discussion with the USTA API team, USTA will issue credentials for the appropriate grant type to the application developers.

Important Consideration

Due to AWS Simple Email Services constraints, it is imperative that you use real email addresses for registration and forgot password testing scenarios. Emails that cannot be delivered (considered a bounce) will count against the SES bounce score. When too many bounces are received in a 24 hour period, Amazon will suspend the operation of the USTA SES instance. This notice applies to registration and forgot password scenarios.

  • Please register using a valid email

  • Please use a real email when performing forgot password

On This Page:

Subtopics:


Tokens

There are three types of bearer tokens used by the API: Access, ID, and Refresh. By their nature, a bearer token is similar to cash money. Once a bad actor gets ahold of a bearer token, it cannot be clawed back and can be used until they expire.

It is the responsibility of the client app to store and protect the tokens.

Token Types

Tokens will grow in size over time as additional data are added to the system. Additional content and encryption contribute to the growth and variable size of tokens.

Token Type

Usage

Expiration

Token Size (Estimated)

Access Token

A JWT token used to access protected resources.

1 hr

2kb - 4kb

Refresh Token

An encrypted bearer token used to get another access token to extend the user session without interruption. (Not a JWT)

30 days

500b - 2kb

ID Token

A JWT token containing data claims (fields) such as UAID.

No expiration

500b - 1Kb

Best Practices

There is much debate surrounding OAuth 2.0 and storage of tokens. The size of the tokens and usage give clues to how a client app should handle the usage of the tokens.

The following is the recommended approach:

  • Store refresh token in a cookie. Make sure to set HTTP-Only=true to prevent misuse.

  • Store access token and id token using one of the following methods where design allows:

    • Serverside (best option)

    • Local Storage (2nd best option)

    • Session Storage (be careful because these are cleared when tabs close)

  • No labels