An access token is the equivalent of "personal access tokens" at GitHub (see https://github.com/blog/1509-personal-api-tokens). It acts as the login-password pair, except that:
- a user can have multiple tokens
- a token can have a limited scope of permissions
- a token can be revoked
- a token has a name
The use case planned for this version is to generate access tokens for scanners, so the permissions are restricted to scanning a project. See the MMF for more details.
Technically an access token is not an OAuth token. The web server remains stateful and keeps storing user sessions; the access token is "just" a different way to send credentials.
Contrary to OAuth tokens, an access token does not expire and is not "ephemeral". It has to be stored in the database. This is good enough for security as long as an attacker cannot create a valid token by himself: the probability of guessing one must be negligible. The token must be at least 16 bytes long and produced with a cryptographically strong PRNG (java.security.SecureRandom for instance).
As with passwords, token values must be accessible and displayed only when they are created. After that there is no way to retrieve the value, so only a hash of the token is kept.
I suggest creating:
- the db table USER_TOKENS with columns ID, LOGIN, NAME, TOKEN_HASH, CREATED_AT. The couple [LOGIN, NAME] must be UNIQUE. The TOKEN_HASH must be UNIQUE. All columns are NOT NULL.
- the WS api/users/create_token with required parameters "login" and "name". Requires global administration permission.
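The following is an added, stand-alone sketch of the scheme described above (token generation, hashed storage, the two UNIQUE constraints of USER_TOKENS, and the create_token / authenticate / revoke flows). It is illustration code written for this note, not SonarQube's implementation: the in-memory TokenStore stands in for the database table, the hash algorithm (unsalted SHA-256, acceptable because the token itself carries 160 bits of entropy) and the 20-byte token length are assumptions, and all class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/** Hypothetical sketch of the access-token proposal; not SonarQube code. */
public class AccessTokens {

  private static final SecureRandom RANDOM = new SecureRandom();
  private static final int TOKEN_BYTES = 20; // at least the 16 bytes required above (assumed value)

  /** One row of the proposed USER_TOKENS table. The clear-text token is never stored. */
  public static final class UserToken {
    public final long id;
    public final String login;
    public final String name;
    public final String tokenHash;
    public final long createdAt;

    UserToken(long id, String login, String name, String tokenHash, long createdAt) {
      this.id = id;
      this.login = login;
      this.name = name;
      this.tokenHash = tokenHash;
      this.createdAt = createdAt;
    }
  }

  /** Clear-text token value: CSPRNG bytes, base64url-encoded so it is safe in headers and URLs. */
  public static String generateToken() {
    byte[] bytes = new byte[TOKEN_BYTES];
    RANDOM.nextBytes(bytes);
    return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
  }

  /** SHA-256 of the token, hex-encoded: this is what goes into TOKEN_HASH (assumed algorithm). */
  public static String hash(String token) {
    try {
      byte[] digest = MessageDigest.getInstance("SHA-256")
          .digest(token.getBytes(StandardCharsets.UTF_8));
      StringBuilder sb = new StringBuilder(digest.length * 2);
      for (byte b : digest) {
        sb.append(String.format("%02x", b));
      }
      return sb.toString();
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
    }
  }

  /** In-memory stand-in for USER_TOKENS that enforces the proposal's UNIQUE constraints. */
  public static final class TokenStore {
    private final Map<String, UserToken> byHash = new HashMap<>();      // TOKEN_HASH UNIQUE
    private final Map<String, UserToken> byLoginName = new HashMap<>(); // [LOGIN, NAME] UNIQUE
    private long nextId = 1;

    /** api/users/create_token: the clear-text value is returned here and nowhere else. */
    public synchronized String createToken(String login, String name) {
      String key = login + "\u0000" + name;
      if (byLoginName.containsKey(key)) {
        throw new IllegalArgumentException("token '" + name + "' already exists for " + login);
      }
      String token = generateToken();
      String tokenHash = hash(token);
      if (byHash.containsKey(tokenHash)) {
        // Practically impossible with a CSPRNG; the DB UNIQUE constraint would reject it anyway.
        throw new IllegalStateException("token hash collision");
      }
      UserToken row = new UserToken(nextId++, login, name, tokenHash, System.currentTimeMillis());
      byHash.put(tokenHash, row);
      byLoginName.put(key, row);
      return token;
    }

    /** Authentication: hash the presented value and look the hash up; returns the owning login. */
    public synchronized Optional<String> authenticate(String presentedToken) {
      UserToken row = byHash.get(hash(presentedToken));
      return row == null ? Optional.empty() : Optional.of(row.login);
    }

    /** Revocation: deleting the row makes the token unusable immediately. */
    public synchronized boolean revoke(String login, String name) {
      UserToken row = byLoginName.remove(login + "\u0000" + name);
      if (row == null) {
        return false;
      }
      byHash.remove(row.tokenHash);
      return true;
    }
  }

  public static void main(String[] args) {
    TokenStore store = new TokenStore();
    String token = store.createToken("scanner", "ci-build");
    System.out.println("token (shown once): " + token);
    System.out.println("authenticated as: " + store.authenticate(token).orElse("<nobody>"));
    System.out.println("revoked: " + store.revoke("scanner", "ci-build"));
    System.out.println("after revoke: " + store.authenticate(token).orElse("<nobody>"));
  }
}
```

Because only TOKEN_HASH is persisted, a dump of the table does not yield usable credentials, and the lookup-by-hash on authentication is what makes the "display once, never retrievable" rule enforceable rather than a UI convention.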