
Remote Administration Daemon Developer's Guide


Updated: April 2020

RAD Authentication

With RAD, all communication between client and server is encapsulated within a connection. When a connection closes, all state associated with the connection is reclaimed by the RAD daemon. However, because RESTful interactions over HTTP are stateless, a client would otherwise have to establish a new connection and authenticate with every request.

Instead of having to re-authenticate for every request, RAD provides a token authentication mechanism. When a client connects to RAD and successfully authenticates, RAD generates a unique token for the client and then services the request. At the same time, RAD stores the token and details about the client connection. On subsequent requests, if a token is supplied, RAD uses the token to retrieve the previously authenticated connection, associates it with the incoming request, and processes the request.

On the first request, no token is present: the token is generated only after the client has connected to RAD and authenticated, and it is returned to the client for use on later requests. Tokens have the following characteristics:

  • Each token is a 256-bit opaque value constructed from a random number, so it cannot be guessed and collisions are negligibly likely.

  • Tokens have a finite, configurable lifetime, up to a maximum of 24 hours. The default lifetime is 1 hour. The lifetime is configured as part of the initial authentication request. The expiry time of the token is reset to a full lifetime whenever an authenticated request is received, so an actively used token does not expire; only an idle period longer than the lifetime does.

  • If the token received in a request is invalid or has expired, an error is returned and the client must re-authenticate.

  • If the RAD slave is killed or if RAD is terminated, all tokens and their corresponding sessions are destroyed.
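The following is an added example that models the token mechanism described above; it is not RAD's own code, and the request and response shapes, the 401 status codes, the user table and the TokenStore, FakeClock and serve() names are assumptions made for the illustration. It shows a 256-bit random token being issued on the first (credential-bearing) request, a later request being served from the stored session, the sliding expiry extending the token on each use, and both an expired and an unknown token being rejected so the client has to re-authenticate. Because the store is in-memory, killing the process destroys every session, as the last bullet describes.

```python
import secrets
import time

MAX_LIFETIME = 24 * 60 * 60   # 24 hours, the ceiling described in the guide
DEFAULT_LIFETIME = 60 * 60    # 1 hour, the default described in the guide

# Constructed credential table standing in for the real user check (assumption).
_USERS = {"alice": "correct horse battery staple"}


class AuthError(Exception):
    """Credentials rejected on an initial (token-less) request."""


class TokenError(Exception):
    """Token unknown or expired; the client must re-authenticate."""


class FakeClock:
    """Deterministic clock so the expiry behaviour can be walked through offline."""
    def __init__(self, t=0.0):
        self.t = t
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class TokenStore:
    """In-memory token store: sessions live exactly as long as this process."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}  # token -> {"user", "lifetime", "expires"}

    def authenticate(self, username, password, lifetime=DEFAULT_LIFETIME):
        # Lifetime is chosen by the client on the initial request, bounded by the maximum.
        if not isinstance(lifetime, int) or not 1 <= lifetime <= MAX_LIFETIME:
            raise ValueError("lifetime must be between 1 and %d seconds" % MAX_LIFETIME)
        expected = _USERS.get(username)
        if expected is None or not secrets.compare_digest(expected.encode(), password.encode()):
            raise AuthError("authentication failed")
        token = secrets.token_hex(32)   # 32 random bytes = 256-bit opaque value
        self._sessions[token] = {
            "user": username,
            "lifetime": lifetime,
            "expires": self._clock() + lifetime,
        }
        return token

    def lookup(self, token):
        sess = self._sessions.get(token)
        if sess is None:
            raise TokenError("invalid token")
        now = self._clock()
        if now >= sess["expires"]:
            del self._sessions[token]          # reclaim the session on expiry
            raise TokenError("token expired")
        sess["expires"] = now + sess["lifetime"]  # sliding expiry: every use renews the token
        return sess

    def serve(self, request):
        """Dispatch one request: no token means authenticate, otherwise resolve the token."""
        token = request.get("token")
        try:
            if token is None:
                token = self.authenticate(request["username"], request["password"],
                                          request.get("timeout", DEFAULT_LIFETIME))
                sess = self._sessions[token]
            else:
                sess = self.lookup(token)
        except ValueError as exc:
            return {"status": 400, "error": str(exc)}
        except (AuthError, TokenError, KeyError) as exc:
            return {"status": 401, "error": str(exc)}
        return {"status": 200, "token": token, "user": sess["user"]}


def demo():
    """Walk the token flow against a fake clock; returns the status codes observed."""
    clock = FakeClock()
    store = TokenStore(clock=clock)
    statuses = []
    # 1. First request carries credentials and asks for a 600 s lifetime; a token is issued.
    first = store.serve({"username": "alice", "password": "correct horse battery staple",
                         "timeout": 600})
    statuses.append(first["status"])
    token = first["token"]
    # 2. t=500: the token alone is enough; expiry slides to t=1100.
    clock.advance(500)
    statuses.append(store.serve({"token": token})["status"])
    # 3. t=1000: still within the renewed window; expiry slides to t=1600.
    clock.advance(500)
    statuses.append(store.serve({"token": token})["status"])
    # 4. t=1700: idle longer than the lifetime, so the token has expired.
    clock.advance(700)
    statuses.append(store.serve({"token": token})["status"])
    # 5. A token RAD never issued is rejected the same way.
    statuses.append(store.serve({"token": "0" * 64})["status"])
    return statuses


if __name__ == "__main__":
    print(demo())
```

The expiry check is done on every lookup rather than by a background sweeper, which keeps the example small; a real daemon would also need to purge idle sessions so that abandoned tokens do not accumulate until their expiry is observed.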