
Authentication Methods

In web applications, including SaaS, there are two main authentication methods:
・Session-based authentication
・Token-based authentication

SaaSus Platform adopts token-based authentication.
The following sections provide an overview of each authentication method.

Types of Authentication

Session-Based Authentication

Session-based authentication is a method in which the client authenticates using a session ID generated and stored by the server.
This method allows for stateful communication; however, because the server must keep session state, it places a higher load on the server than token-based authentication.

Token-Based Authentication

Token-based authentication is a method in which the client authenticates by presenting a token.
This method does not require the server to store authentication information, which lowers server load compared to session-based authentication and enables stateless communication.

Differences Between Session-Based and Token-Based Authentication

Session-based authentication stores authentication information on the server, whereas token-based authentication does not store authentication information on the server and relies solely on token validation for authentication.

Authentication in SaaSus Platform

SaaSus Platform adopts token-based authentication.
Token generation and validation are performed using the SaaSus Platform SDK, which calls the SaaSus Platform API.

Authentication Timing

When executing processes that require login, authentication must be performed at the time the server receives the request.

In SaaSus Platform, authentication is carried out for each request using the SaaSus Platform SDK.
Calling the SDK's user information retrieval process performs the following:
・Token validation
・Retrieval of logged-in user information (user data, tenant data, permissions)

If there are multiple processes that require login, it is necessary to check the login status by retrieving user information using the SaaSus Platform SDK at the start of each process.

As the number of processes increases, implementing the authentication check in each one individually becomes hard to maintain.
Therefore, it is recommended to use the middleware functionality of the framework to introduce a unified authentication check mechanism.

Types of Tokens

SaaSus Platform generates the following three types of tokens:
・ID Token
・Access Token
・Refresh Token

ID Token

The ID token is used for authentication and has a validity period of one hour.
Once the token expires, it becomes invalid, and the SaaS user will be logged out.

<?php
// Route definitions (for example in routes/api.php; the file location and the
// IndexController namespace are assumed here, not given on the page).
use Illuminate\Support\Facades\Route;
use App\Http\Controllers\IndexController;

// In the case of Laravel, use the standard Auth Middleware of the SaaSus SDK in the routing file.
// Define routes for features that require authentication on the SaaSus Platform.
// Every route in this group has its ID token validated by the middleware on each request.
Route::middleware(\AntiPatternInc\Saasus\Laravel\Middleware\Auth::class)->group(function () {
    Route::get('/userinfo', [IndexController::class, 'userinfo']);
    Route::get('/users', [IndexController::class, 'users']);
    Route::get('/tenant_attributes', [IndexController::class, 'tenantAttributes']);
    Route::get('/user_attributes', [IndexController::class, 'userAttributes']);
    Route::post('/user_register', [IndexController::class, 'userRegister']);
    Route::delete('/user_delete', [IndexController::class, 'userDelete']);
    Route::get('/delete_user_log', [IndexController::class, 'deleteUserLog']);
    Route::get('/pricing_plan', [IndexController::class, 'pricingPlan']);
    Route::get('/tenant_attributes_list', [IndexController::class, 'tenantAttributesList']);
    Route::post('/self_sign_up', [IndexController::class, 'selfSignUp']);
    Route::post('/logout', [IndexController::class, 'logout']);
});

Refresh Token

If a longer login session is required, the refresh token can be used to regenerate the ID token, enabling continuous login.
The refresh token has a validity period of one month.

// Requires in the controller: use Illuminate\Http\Request; use Illuminate\Http\Response;
// and $this->client, the SaaSus API client instance created in the constructor.
public function refresh(Request $request)
{
    // Obtain the refresh token from the cookie
    $refreshToken = $request->cookie('SaaSusRefreshToken');
    if (!is_string($refreshToken)) {
        return response('Refresh token not found', Response::HTTP_BAD_REQUEST);
    }

    try {
        $authClient = $this->client->getAuthClient();

        // The first argument is for setting the temporary code, so specify blank.
        // Set the authentication flow to refreshTokenAuth in the second argument,
        // and set the refresh token retrieved from the cookie in the third argument.
        $response = $authClient->getAuthCredentials([
            '',
            'refreshTokenAuth',
            $refreshToken
        ]);

        return response()->json($response->getBody());
    } catch (\Exception $e) {
        return response('Error occurred', Response::HTTP_INTERNAL_SERVER_ERROR);
    }
}
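The client side of the refresh flow above, as an added example that is not SaaSus SDK or documentation code: a browser fetch wrapper that refreshes the ID token shortly before its one-hour validity ends, retries a request once when the server's per-request validation answers 401, and collapses concurrent refreshes into a single call. It assumes the refresh handler is routed at POST /refresh, that it returns JSON with an id_token field, and that the backend expects the ID token in an Authorization: Bearer header; none of these are stated on the page.

```javascript
// Added example (not from the SaaSus docs): keeps a SaaS session alive using the
// refresh handler shown above. Assumed, not from the page: the route is
// POST /refresh, its JSON reply carries `id_token`, and the backend reads the
// ID token from an `Authorization: Bearer` header.

const ID_TOKEN_LIFETIME_MS = 60 * 60 * 1000; // the ID token is valid for one hour
const REFRESH_MARGIN_MS = 60 * 1000;         // refresh one minute before it expires

function createSession(fetchImpl, now = () => Date.now()) {
  let idToken = null;
  let expiresAt = 0;
  let inflight = null; // single-flight guard: concurrent callers share one refresh

  async function refresh() {
    if (inflight) return inflight;
    inflight = (async () => {
      // The refresh token lives in the SaaSusRefreshToken cookie; the browser
      // attaches it itself, credentials: 'include' covers cross-origin calls.
      const res = await fetchImpl('/refresh', { method: 'POST', credentials: 'include' });
      if (!res.ok) throw new Error('refresh failed: ' + res.status);
      const body = await res.json();
      idToken = body.id_token;
      expiresAt = now() + ID_TOKEN_LIFETIME_MS;
      return idToken;
    })();
    try { return await inflight; } finally { inflight = null; }
  }

  function needsRefresh() {
    return idToken === null || now() >= expiresAt - REFRESH_MARGIN_MS;
  }

  async function authFetch(url, init = {}) {
    if (needsRefresh()) await refresh();
    const withAuth = (token) => ({
      ...init,
      headers: { ...(init.headers || {}), Authorization: 'Bearer ' + token },
    });
    let res = await fetchImpl(url, withAuth(idToken));
    // The per-request validation may still reject the token (for example after
    // a logout elsewhere); retry exactly once after a forced refresh, never loop.
    if (res.status === 401) {
      res = await fetchImpl(url, withAuth(await refresh()));
    }
    return res;
  }

  return { authFetch, refresh, needsRefresh, getIdToken: () => idToken };
}
```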

Access Token

The access token is required when using features that require authorization.
For example, it is used for functions that require specific permissions, such as inviting users to a tenant.

// Requires in the controller: use Illuminate\Http\Request; use Illuminate\Http\Response;
// use Illuminate\Support\Facades\Log; plus the SaaSus SDK classes
// CreateTenantInvitationParam and CreateTenantInvitationParamEnvsItem.
// The enclosing method is not shown on the page; the name below is assumed.
public function userInvitation(Request $request)
{
    // Retrieve information from the request.
    $email = $request->input('email');
    $tenantId = $request->input('tenantId');
    if (!$email || !$tenantId) {
        return response()->json(['message' => 'Missing required fields'], Response::HTTP_BAD_REQUEST);
    }

    // Retrieve UserInfo (set on the request by the SaaSus Auth middleware).
    $userInfo = $request->userinfo;
    if (!$userInfo) {
        return response()->json(['detail' => 'No user'], Response::HTTP_BAD_REQUEST);
    }

    try {
        // Retrieve the access token of the user creating the invitation.
        $accessToken = $request->header('X-Access-Token');

        // If the access token is not included in the request header, return an error.
        if (empty($accessToken)) {
            return response()->json(['error' => 'Access token is missing'], Response::HTTP_UNAUTHORIZED);
        }

        // Create the parameters for the tenant invitation.
        $createTenantInvitationParamEnvsItem = new CreateTenantInvitationParamEnvsItem();
        $createTenantInvitationParamEnvsItem
            ->setId(3) // Specify the ID of the production environment: 3.
            ->setRoleNames(['admin']);
        $createTenantInvitationParam = new CreateTenantInvitationParam();
        $createTenantInvitationParam
            ->setEmail($email)
            ->setAccessToken($accessToken)
            ->setEnvs([$createTenantInvitationParamEnvsItem]);

        // Call the tenant invitation API; the platform checks the access token's
        // permissions for this tenant.
        $authClient = $this->client->getAuthClient();
        $authClient->createTenantInvitation(
            $tenantId,
            $createTenantInvitationParam
        );

        return response()->json(['message' => 'Create tenant user invitation successfully']);
    } catch (\Exception $e) {
        Log::error($e->getMessage());
        // Note: echoing the raw exception message to the client can expose internal details.
        return response()->json(['detail' => $e->getMessage()], Response::HTTP_INTERNAL_SERVER_ERROR);
    }
}