Use Tokens for authentication
Introduction
To avoid unauthorized service access or operations, ZEGOCLOUD uses digital Tokens to verify user identity, control and validate user privileges. You will need to pass a Token when you log in to a room.
Understand the process
Your app clients request Tokens from your app server and provide the Token for privilege validation when logging in to a room.
The room login privilege validation process is as follows:
- Your app client requests a Token from your app server.
- Your app server generates a Token and passes it to the client.
- Your app client logs in to a room with userID, roomID, and the Token.
- The ZEGOCLOUD SDK sends the Token to the ZEGOCLOUD server for validation.
- The ZEGOCLOUD server returns the validation result to the ZEGOCLOUD SDK.
- The ZEGOCLOUD SDK returns the validation result to the app client. If the validation passes, the user logs in to the room successfully; otherwise, the login fails.
Get the AppID and ServerSecret
Go to the ZEGOCLOUD Admin Console to get the AppID and ServerSecret of your project.
Generate a Token on your app server
After getting your AppID and ServerSecret, define the validation rules on your app server based on your business requirements. The ServerSecret is needed to generate Tokens, so it must stay on the server and never be embedded in the client.
Upon request from your app clients, your app server generates Tokens and sends the Tokens to the corresponding app clients.
ZEGOCLOUD provides an open-source Token generator plug-in on GitHub, which you can use to generate Tokens on your app server in different programming languages such as Go, C++, Java, Python, PHP, .NET, and Node.js.
Currently, the Token generator we provided supports generating the following two types of Tokens:
Token type | Description | Use Cases |
---|---|---|
User identity Token | Developers must include the Token parameter when logging into a room to verify the user's legitimacy. | The user identity Token is used for simple permission verification in most business scenarios. In most cases, generating this Token is sufficient. |
User privilege Token | To further enhance security, the Token can additionally carry room ID and stream ID privileges, so that the room the user logs in to and the streams the user publishes are validated against the Token. | The general use cases for room ID and stream ID privileges are as follows: - Distinguishing between regular rooms and member rooms, and preventing non-member users from logging into member rooms. - In voice chat rooms or live streaming scenarios, ensuring that only users on the microphone can publish streams, to prevent the "ghost microphone" phenomenon, where the voices of users who are not on the microphone are heard in the room. - In games like Werewolf, preventing an attacker who has cracked the application from logging into the same room with another user's ID, obtaining game information, and cheating, which spoils the gaming experience of normal users. |
When generating the two types of Tokens, the payload requirements are as follows:
- User identity Token: To check only the user's identity, pass null for the payload field.
- User privilege Token: To check the user's permissions based on the room ID and the stream ID, generate a valid payload field according to the following validation rules:
  - Validate room login permission only: In the privilege field of the payload, enable room validation and disable stream publishing validation. Set room_id to a valid room ID.
  - Validate stream publishing permission only: In the privilege field of the payload, disable room validation and enable stream publishing validation. Set stream_id_list to a valid list of stream IDs.
  - Validate both room login and stream publishing permissions: In the privilege field of the payload, enable both room validation and stream publishing validation. Set room_id to a valid room ID and stream_id_list to a valid list of stream IDs.
For business security, you must generate Tokens on your app server. Generating them in the client would require shipping the ServerSecret with the app, where it can be extracted, and anyone holding the ServerSecret can mint a valid Token for any user and any room.
Language | Supported version | Core function | Code base | Example - User identity Token | Example - User privilege Token |
---|---|---|---|---|---|
Go | Go 1.14.15 or later | GenerateToken04 | |||
C++ | C++ 11 or later | GenerateToken04 | |||
Java | Java 1.8 or later | generateToken04 | |||
Python | Python 3.6.8 or later | generate_token04 | |||
PHP | PHP 7.0 or later | generateToken04 | |||
.NET | .NET Framework 3.5 or later | GenerateToken04 | |||
Node.js | Node.js 8 or later | generateToken04 | |||
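The server-side flow end to end, as an added self-contained Go example (it is not the page's or ZEGOCLOUD's own code; use the official plug-in in production): BuildPayload applies the three validation rules above, GenerateToken04 mints a Token from the AppID, user ID and ServerSecret, and VerifyToken04 replays what the validating server does, so you can see why the ServerSecret must never leave the server (whoever holds it can both mint and verify) and why an expired or tampered Token is rejected. Assumptions not stated on this page: the privilege keys "1" (room login) and "2" (stream publishing), the "04" wire layout, and the use of the 32-character ServerSecret directly as an AES-256 key all come from my reading of the open-source generator; the secret, IDs and timestamps in the comments and tests are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// Payload of a user privilege Token. ASSUMPTION: privilege key "1" = room login, "2" = stream publishing; 1 enables, 0 disables.
type Payload struct {
	RoomID       string         `json:"room_id"`
	Privilege    map[string]int `json:"privilege"`
	StreamIDList []string       `json:"stream_id_list"`
}

// BuildPayload applies the validation rules above: nothing to validate gives an empty payload (user
// identity Token); a room ID enables room validation; stream IDs enable stream publishing validation.
func BuildPayload(roomID string, streamIDs []string) string {
	if roomID == "" && len(streamIDs) == 0 {
		return ""
	}
	p := Payload{Privilege: map[string]int{"1": 0, "2": 0}, StreamIDList: []string{}}
	if roomID != "" {
		p.RoomID, p.Privilege["1"] = roomID, 1
	}
	if len(streamIDs) > 0 {
		p.StreamIDList, p.Privilege["2"] = streamIDs, 1
	}
	b, _ := json.Marshal(p) // plain strings and ints: cannot fail
	return string(b)
}

// TokenInfo is the plaintext the app server encrypts with the ServerSecret.
type TokenInfo struct {
	AppID   uint32 `json:"app_id"`
	UserID  string `json:"user_id"`
	Nonce   int32  `json:"nonce"`
	Ctime   int64  `json:"ctime"`
	Expire  int64  `json:"expire"`
	Payload string `json:"payload"`
}

// GenerateToken04 mints "04" + base64(expire | ivLen | iv | ctLen | AES-256-CBC(secret, iv, JSON)).
// ASSUMPTION: this layout mirrors the open-source generator; use that plug-in in production.
func GenerateToken04(appID uint32, userID, secret string, ttlSeconds, nowUnix int64, payload string) (string, error) {
	if appID == 0 || userID == "" || len(secret) != 32 || ttlSeconds <= 0 {
		return "", errors.New("invalid appID, userID, ServerSecret length or ttl")
	}
	rnd := make([]byte, aes.BlockSize+4) // 16-byte IV followed by 4 random nonce bytes
	if _, err := rand.Read(rnd); err != nil {
		return "", err
	}
	info := TokenInfo{AppID: appID, UserID: userID, Nonce: int32(binary.BigEndian.Uint32(rnd[aes.BlockSize:]) >> 1),
		Ctime: nowUnix, Expire: nowUnix + ttlSeconds, Payload: payload}
	buf, _ := json.Marshal(info)
	pad := aes.BlockSize - len(buf)%aes.BlockSize // PKCS#5 padding, always 1..16 bytes
	buf = append(buf, bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher([]byte(secret)) // 32-byte secret selects AES-256; length checked above
	cipher.NewCBCEncrypter(block, rnd[:aes.BlockSize]).CryptBlocks(buf, buf) // encrypt in place
	hdr := make([]byte, 10) // big-endian int64 expire, then int16 IV length
	binary.BigEndian.PutUint64(hdr, uint64(info.Expire))
	binary.BigEndian.PutUint16(hdr[8:], aes.BlockSize)
	body := append(append(append(hdr, rnd[:aes.BlockSize]...), byte(len(buf)>>8), byte(len(buf))), buf...)
	return "04" + base64.StdEncoding.EncodeToString(body), nil
}

// VerifyToken04 does what the validating server does: decrypt with the secret, reject
// malformed or tampered Tokens, and reject anything at or past its expire time.
func VerifyToken04(token, secret string, nowUnix int64) (info TokenInfo, err error) {
	if len(secret) != 32 || len(token) < 2 || token[:2] != "04" {
		return info, errors.New("not a version-04 Token or bad secret length")
	}
	raw, err := base64.StdEncoding.DecodeString(token[2:])
	if err != nil || len(raw) < 12+2*aes.BlockSize { // header, IV, ctLen and at least one block
		return info, errors.New("malformed Token")
	}
	expire := int64(binary.BigEndian.Uint64(raw[0:8]))
	ivLen, ctLen := int(binary.BigEndian.Uint16(raw[8:10])), int(binary.BigEndian.Uint16(raw[26:28]))
	iv, ct := raw[10:26], raw[28:] // offsets assume ivLen == 16, which is checked next
	if ivLen != aes.BlockSize || ctLen != len(ct) || ctLen%aes.BlockSize != 0 {
		return info, errors.New("malformed Token")
	}
	block, _ := aes.NewCipher([]byte(secret))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(ct, ct) // decrypt in place
	pad := int(ct[len(ct)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(ct[len(ct)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) ||
		json.Unmarshal(ct[:len(ct)-pad], &info) != nil {
		return TokenInfo{}, errors.New("wrong ServerSecret or tampered Token")
	}
	if info.Expire != expire || nowUnix >= info.Expire { // plaintext header must match the sealed value
		return TokenInfo{}, errors.New("Token expired or expire header tampered")
	}
	return info, nil
}
```

Note the design point the two halves make together: there is no signature, so the only thing binding a Token to your project is that it decrypts to valid JSON under your ServerSecret; the expire value in the clear header is convenient for early rejection but is never trusted on its own, because it is compared against the value inside the ciphertext.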
How to get a temporary Token
To make it easier for you to try and test the user authentication feature, ZEGOCLOUD Admin Console provides a tool for generating temporary Tokens, which you can use directly in a testing environment. In production, you must generate Tokens on your app server.
Use a Token
If you need to use a Token instead of the AppSign, call newInstanceWithToken to finish the initialization:

```java
// Initialize the prebuilt live audio room with a Token obtained from your app server
// instead of the AppSign, so the ServerSecret never leaves the server.
ZegoUIKitPrebuiltLiveAudioRoomFragment fragment = ZegoUIKitPrebuiltLiveAudioRoomFragment.newInstanceWithToken(appID, token, userID, userName, roomID, config);
```
Renew a Token
In most cases, the Token retrieval approach described above works fine. However, in some situations it is not enough on its own, for example when a Token expires while the user is still in the room.
To ensure the reliability of the Token, make the following modifications:
- Set the validity period of the Token as long as your security policy allows, for example 3 days, so that it does not expire during a normal session; keep in mind that a longer period also widens the window in which a leaked Token can be replayed.
- Listen to the onTokenWillExpire callback and call renewToken to hand the SDK a new Token:
```java
// Register once after initialization. onTokenWillExpire fires `second` seconds before
// the current Token expires; fetch a new one from your app server and hand it to the SDK.
ZegoUIKit.setTokenWillExpireListener(new ZegoUIKitTokenExpireListener() {
    @Override
    public void onTokenWillExpire(int second) {
        // fetchTokenFromAppServer is a placeholder for your own HTTP call to the app server
        String token = fetchTokenFromAppServer(userID, roomID);
        ZegoUIKit.renewToken(token);
    }
});
```
- Renew the Token at other appropriate times as well, for example when the application returns to the foreground:

```java
// e.g. in your Activity's onResume(); fetchTokenFromAppServer is a placeholder for your own HTTP call
String token = fetchTokenFromAppServer(userID, roomID);
ZegoUIKit.renewToken(token);
```