What’s the Purpose of an STS Session Token in API Authentication?

Asked By TechGuru99 On

Hey everyone! I'm diving into how APIs authenticate their calls and I'm a bit lost on the purpose of using a session token for short-term credentials. So far, the responses I've gotten seem a bit off, and I'm hoping to gain some clarity here.

From my research, many say these tokens allow for stateless validation of the credentials issued by STS and streamline the checking process due to their expiration time, meaning no need for a database query during verification.

But I'm confused because:
1. If the API request is encrypted or signed with a secret key, you'd still need to look up the secret key in the database to validate the response, right? So, checking for expiration seems like another step.
2. If the token confirms the credentials came from STS, couldn't this just be verified by querying the database for the secret key?

Also, I've heard that it's easy to revoke these temporary credentials with the session token system in place. How does that actually work? Revoking a session token in a web console doesn't change the token stored in my shell; the receiving service still sees it as valid.

So, what am I missing here? Why is it not enough to simply sign or encrypt the API calls using the secret access key? Thanks for your insights!

5 Answers

Answered By DevSparkle On

Your first point has a bit of a gap. The STS service generates the token using a private key, and they use a corresponding public key for validation. That's why there's no lookup necessary!

Answered By CloudWhiz On

STS tokens are short-lived, so if they do leak, they expire quickly. Also, they can be revoked by adding an authorization policy that denies all access based on creation time. That means, even if the token is still valid, it won't have any permissions if it's been revoked. Plus, STS tokens can require MFA to enhance security and can limit permissions when created, which is pretty neat! By the way, what’s your system setup?

Answered By CodeExplorer23 On

Tokens are stateless, meaning AWS can verify them without querying a database. They just check if the token was issued by STS (via a signature from AWS's private key) and verify the expiration date. So there's no database look-up when validating, it's streamlined! But a service is needed to generate new tokens on demand since they're short-lived.

DataNerd87 -

Yeah, I get why stateless can sound tricky. They definitely hold some state, but that aspect is mostly hidden from the user.
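The mechanism DevSparkle, CloudWhiz and CodeExplorer23 describe, as an added example that is not part of the original thread and not AWS's code: a hypothetical token service signs a JSON claims payload (access key ID, principal, issue time, expiry) with an Ed25519 private key; a receiving service verifies it with only the public key and a clock, so no database lookup of the token or the secret key is needed; and a revocation policy denies any token whose issue time predates a cutoff, even though the token still verifies and the string in the caller's shell is unchanged. The token format, the `Claims` fields and the functions `GenerateIssuerKey`, `Issue`, `Verify` and `Authorize` are this example's own assumptions; the real STS token format is opaque and not documented.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the payload the hypothetical token service signs. The field
// names are this example's own; the real STS session-token format is opaque.
type Claims struct {
	AccessKeyID string    `json:"access_key_id"`
	Principal   string    `json:"principal"`
	IssuedAt    time.Time `json:"iat"`
	ExpiresAt   time.Time `json:"exp"`
}

// GenerateIssuerKey creates the issuer's key pair; only the public half is
// distributed to the services that verify tokens.
func GenerateIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Issue signs the claims and returns the "payload.signature" string a
// caller would paste into a shell as the session token.
func Issue(priv ed25519.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(ed25519.Sign(priv, payload)), nil
}

// Verify is the stateless check: the receiving service needs only the
// issuer's public key and a clock. Neither the token nor the access key is
// looked up in a database.
func Verify(pub ed25519.PublicKey, token string, now time.Time) (Claims, error) {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return Claims{}, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return Claims{}, err
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	if !ed25519.Verify(pub, payload, sig) {
		return Claims{}, errors.New("bad signature: not issued by the token service")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, err
	}
	if !now.Before(c.ExpiresAt) {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// RevocationPolicy models the pattern CloudWhiz describes: a policy on the
// principal denies every token issued before a cutoff. A revoked token still
// verifies cryptographically; it simply carries no permissions.
type RevocationPolicy struct {
	Principal        string
	DenyIssuedBefore time.Time
}

// Authorize runs after Verify succeeded and applies the revocation policy.
func Authorize(c Claims, p RevocationPolicy) bool {
	return !(c.Principal == p.Principal && c.IssuedAt.Before(p.DenyIssuedBefore))
}

func main() {
	pub, priv, err := GenerateIssuerKey()
	if err != nil {
		panic(err)
	}
	issued := time.Now().UTC()
	// Constructed sample claims; the access key ID is a placeholder.
	token, _ := Issue(priv, Claims{AccessKeyID: "ASIAEXAMPLEKEYID", Principal: "role/ci-deploy",
		IssuedAt: issued, ExpiresAt: issued.Add(time.Hour)})

	claims, err := Verify(pub, token, issued.Add(10*time.Minute))
	fmt.Println("fresh token verifies:", err == nil, claims.Principal)
	_, err = Verify(pub, token, issued.Add(2*time.Hour))
	fmt.Println("after expiry:", err)

	// Revocation: the operator sets the cutoff; the string in the shell is unchanged.
	policy := RevocationPolicy{Principal: "role/ci-deploy", DenyIssuedBefore: issued.Add(20 * time.Minute)}
	fmt.Println("authorized after revocation:", Authorize(claims, policy))
}
```

The split between `Verify` and `Authorize` is the point of the thread: the signature and expiry are checked with nothing but the public key, while revocation lives in policy evaluated against the issue time carried inside the token, which is why revoking in a console does not and need not alter the token already sitting in the shell.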

Answered By HelpfulLinker On

Check out this video, it might clarify things for you!
[YouTube Link](https://youtu.be/tPr1AgGkvc4)

Answered By QueryMaster On

The idea behind session length is similar to token expiration in OAuth: it limits how long a token is vulnerable in case it gets compromised, keeping things safer overall!
