Authentication Methods
In web applications, including SaaS, there are two main authentication methods:
・Session-based authentication
・Token-based authentication
SaaSus Platform adopts token-based authentication.
The following sections provide an overview of each authentication method.
Types of Authentication
Session-Based Authentication
Session-based authentication is a method in which the client authenticates using a session ID generated by the server.
This method allows for stateful communication; however, it places a higher load on the server compared to token-based authentication.
Token-Based Authentication
Token-based authentication is a method in which the client authenticates using token information.
This method does not require the server to store authentication information, which lowers server load compared to session-based authentication and enables stateless communication.
Differences Between Session-Based and Token-Based Authentication
Session-based authentication stores authentication information on the server, whereas token-based authentication does not store authentication information on the server and relies solely on token validation for authentication.
Authentication in SaaSus Platform
SaaSus Platform adopts token-based authentication.
Token generation and validation are performed using the SaaSus Platform SDK, which calls the SaaSus Platform API.
Authentication Timing
When executing processes that require login, authentication must be performed at the time the server receives the request.
In SaaSus Platform, authentication is carried out for each request using the SaaSus Platform SDK.
Executing the user information retrieval process in the SDK performs the following:
・Validation of the token
・Retrieval of the logged-in user's information (user data, tenant data, permissions)
If there are multiple processes that require login, it is necessary to check the login status by retrieving user information using the SaaSus Platform SDK at the start of each process.
As the number of processes increases, implementing authentication individually becomes challenging.
Therefore, it is recommended to utilize the middleware functionality of the framework to introduce a unified authentication check mechanism.
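The unified check described above, written as a Go net/http middleware. This is an added example, not code from SaaSus Platform or its SDK: the `UserInfoFunc` type and the `UserInfo` fields are assumptions standing in for the SDK's user information retrieval call, which is where the real SDK call would be wired in.

```go
package main

import (
	"context"
	"net/http"
	"strings"
)

// UserInfo is the login state the SDK's user information retrieval returns:
// user data, tenant data and permissions (field names are assumptions).
type UserInfo struct {
	UserID, TenantID string
	Permissions      map[string]bool
}

// UserInfoFunc stands in for the SaaSus Platform SDK call that validates the token
// and returns the logged-in user; the signature is an assumption, not the SDK's own.
type UserInfoFunc func(ctx context.Context, token string) (*UserInfo, error)

type userKey struct{}

// UserFromContext gives handlers behind the middleware the validated user.
func UserFromContext(ctx context.Context) (*UserInfo, bool) {
	u, ok := ctx.Value(userKey{}).(*UserInfo)
	return u, ok
}

// RequireAuth is the unified per-request check: the token is validated once here so
// handlers never repeat it; a non-empty perm also gates permission-bound features.
func RequireAuth(fetch UserInfoFunc, perm string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		token := strings.TrimPrefix(auth, "Bearer ")
		if token == "" || token == auth {
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		info, err := fetch(r.Context(), token) // expired (one-hour ID token) or forged: error
		if err != nil || info == nil {
			http.Error(w, "invalid or expired token", http.StatusUnauthorized)
			return
		}
		if perm != "" && !info.Permissions[perm] {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), userKey{}, info)))
	})
}
```

Wrapping every login-required route in `RequireAuth` means a missing, expired or rejected token never reaches handler code, and handlers read the already-validated user with `UserFromContext` instead of calling the SDK again.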
Types of Tokens
SaaSus Platform generates the following three types of tokens:
・ID Token
・Access Token
・Refresh Token
ID Token
The ID token is used for authentication and has a validity period of one hour.
Once the token expires, it becomes invalid, and the SaaS user will be logged out.
Refresh Token
If a longer login session is required, the refresh token can be used to regenerate the ID token, enabling continuous login.
The refresh token has a validity period of one month.
Access Token
The access token is required when using features that require authorization.
For example, it is used for functions that require specific permissions, such as inviting users to a tenant.