Best practice: Generate email link to bypass authentication
I've got a standard OAuth model for authenticating users via an email/password combination.
I would like to implement my own mechanism to generate a one-time token, store it in the DB and have this token be part of a URL that gets sent to the user in an email. Anyone who has this URL will be able to authenticate into the app without a password, provided the token is valid. The token expires after X hours, after which the URL is no longer valid.
I have not seen this approach being taken often by other apps. Is this generally a good practice, or are there security concerns with this? If so, what are they, and what are the general guidelines for this method of authentication?
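The mechanism described in the question (a random one-time token, stored server-side, embedded in an emailed URL, expiring after a fixed time) can be sketched as follows. This is an added example, not code from the question or from Stack Overflow. It assumes an in-memory dict standing in for the DB table, a hypothetical base URL on `example.invalid`, and a 15-minute lifetime in place of the question's "X hours". Two defensive choices worth noting: only a hash of the token is stored, so a leaked database does not yield usable login links, and redemption returns a reason string so that expired or replayed links can be logged and alerted on.

```python
import hashlib
import secrets
import time

# Assumption: the question's "X hours" is set to 15 minutes here.
TOKEN_TTL_SECONDS = 15 * 60


def _hash_token(raw_token):
    # The DB holds only this digest; the raw token exists only in the emailed URL.
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()


def issue_login_token(store, user_id, now=None, ttl=TOKEN_TTL_SECONDS):
    """Create a one-time login token for user_id and record its hash in `store`.

    `store` is a hypothetical dict standing in for the DB table:
    token_hash -> {"user": ..., "expires_at": ..., "used": bool}.
    Returns the raw token to place in the URL.
    """
    now = time.time() if now is None else now
    raw_token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
    store[_hash_token(raw_token)] = {
        "user": user_id,
        "expires_at": now + ttl,
        "used": False,
    }
    return raw_token


def build_login_url(raw_token, base="https://example.invalid/login/magic"):
    """Assumed URL shape; the token travels as a query parameter over HTTPS only."""
    return f"{base}?token={raw_token}"


def redeem_login_token(store, raw_token, now=None):
    """Validate and consume a token from an incoming URL.

    Returns (status, user_id): status is "ok", "unknown", "replayed" or "expired";
    user_id is None unless status is "ok". Anything other than "ok" is worth
    logging, since repeated "replayed"/"unknown" hits suggest a leaked or guessed link.
    """
    now = time.time() if now is None else now
    record = store.get(_hash_token(raw_token))  # lookup by digest, no raw compare needed
    if record is None:
        return ("unknown", None)
    if record["used"]:
        return ("replayed", None)  # single use: a second click on the same link fails
    if now > record["expires_at"]:
        return ("expired", None)
    record["used"] = True  # mark consumed before issuing a session
    return ("ok", record["user"])


if __name__ == "__main__":
    db = {}
    token = issue_login_token(db, "alice")
    print("email this:", build_login_url(token))
    print("first click:", redeem_login_token(db, token))
    print("second click:", redeem_login_token(db, token))
```

In a real deployment the dict becomes a table with a unique index on the hash column, the `used` update and the session issuance happen in one transaction so two concurrent clicks cannot both succeed, and the lookup is by the hash so that no string comparison on the raw token is performed at all.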
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow