#1
10-18-2007, 01:44 PM
Intermediate Member
Posts: 18
validity of auth token

Hi,
1) How can I determine the validity of an auth token in Zimbra, and on what attribute is it based?
2) How does Zimbra create the auth token, and what is it based on?
#2
10-18-2007, 02:29 PM
Zimbra Employee
Posts: 1,434

Auth tokens are valid for 12 hours by default. This can be overridden at account/COS level using the zimbraAuthTokenLifetime attribute. (Note that admin tokens use a different default/override.)

See com.zimbra.cs.account.AuthToken.java for details on how auth tokens are constructed.
#3
10-19-2007, 06:09 AM
Intermediate Member
Posts: 18
more enquiry about auth token

Once the user gets authenticated through my own application, I get the token from my application and now I redirect to Zimbra.
1) Do I need to create a Zimbra token for using all the services of Zimbra, e.g. mail?
2) What does Zimbra do with the token that it creates in the AuthToken.java file?
I find so many auth token variables in Zimbra APIs, like e_authtoken, then authauthtoken etc.
#4
10-19-2007, 06:45 AM
Zimbra Employee
Posts: 1,434

Look at the documentation for preauth. I think that's what you want.
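An added example, not part of the original thread or of Zimbra's code: a sketch of the preauth handoff suggested above, where the application that already authenticated the user signs a short-lived login request and Zimbra then issues its own auth token. The `account|by|expires|timestamp` HMAC-SHA1 layout, the `/service/preauth` path and `expires=0` meaning "use the account's default token lifetime" are taken as assumptions from Zimbra's preauth documentation; the key, host name, five-minute window and `demo_validator` are constructed for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

MAX_SKEW_MS = 5 * 60 * 1000  # assumed freshness window for the timestamp
SAMPLE_KEY = "00112233445566778899aabbccddeeff"  # constructed; not a real domain key


def compute_preauth(key, account, timestamp_ms, by="name", expires=0):
    """Hex HMAC-SHA1 over 'account|by|expires|timestamp' (assumed layout)."""
    msg = f"{account}|{by}|{expires}|{timestamp_ms}"
    return hmac.new(key.encode(), msg.encode(), hashlib.sha1).hexdigest()


def preauth_url(base_url, key, account, ext_token, validate_external, now_ms=None):
    """Issue a Zimbra login URL only after the external token checks out."""
    if not validate_external(ext_token, account):
        raise PermissionError("external token rejected; no Zimbra login issued")
    ts = int(time.time() * 1000) if now_ms is None else now_ms
    params = {"account": account, "by": "name", "timestamp": ts, "expires": 0,
              "preauth": compute_preauth(key, account, ts)}
    return f"{base_url}/service/preauth?{urlencode(params)}"


def verify_preauth(key, account, by, expires, timestamp_ms, preauth, now_ms):
    """Receiving-side check: fresh timestamp and a MAC that matches."""
    if abs(now_ms - timestamp_ms) > MAX_SKEW_MS:
        return False  # stale or future-dated request, treat as a replay
    expected = compute_preauth(key, account, timestamp_ms, by, expires)
    return hmac.compare_digest(expected, preauth)  # constant-time compare


def demo_validator(ext_token, account):
    """Hypothetical stand-in for the external auth service's token check."""
    return ext_token == "ext-token-ok" and account == "user@example.com"


if __name__ == "__main__":
    print(preauth_url("https://mail.example.com", SAMPLE_KEY,
                      "user@example.com", "ext-token-ok", demo_validator))
```

The external token never reaches Zimbra in this design: it gates whether a preauth request is signed at all, and the shared key stays on the server side of the signing application.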
#5
10-19-2007, 09:20 AM
Intermediate Member
Posts: 18
auth token

Hi,
Sorry, but I think I am not able to express my problem.
Let me put my design again.
1) I have a client which logs in to some auth service outside Zimbra and returns me a token (not a Zimbra token).
2) Next, I am now in Zimbra after getting the token from some other party. I am now using all services of Zimbra, but I want to use my token instead of the Zimbra token.
3) Zimbra uses its own token to run all the applications, i.e. mail etc.
So do I need to override my token with the Zimbra token, or is it not needed? What I want is that whenever Zimbra tries to validate its token, I override that method so that it uses my API's method to check the validity of the token.
Then I looked at the code and Zimbra has a method isExpired(), so override that and call my API's method, which will tell whether my token is valid or not. Would this solve my purpose? Well, I am not sure.

Also I am thinking: do I need to change ACCOUNT_STATUS in all places?
Please help
#6
10-19-2007, 09:53 AM
Project Contributor
Posts: 252

I would suggest using your token for your own app and Zimbra's for your communication with it.

Changing the token Zimbra uses will require a recompile of Zimbra and a lot of testing.

Another solution is to use Zimbra's token for everything.
#7
10-19-2007, 11:04 AM
Intermediate Member
Posts: 18
on auth token

Thanks, but the problem is I don't want to use the Zimbra token for validation, and Zimbra is using its token for validation everywhere (if it does validation every time).
So I was thinking there has to be, at the bottom line, some method where each service, first or at any time, checks whether the token is valid and, if yes, then performs all the services. Please help me find that method.

Also, can you tell me what parameters the validity of the Zimbra token is based on, like expire time, ACCOUNT_STATUS and what?

I want to just use my token for authentication, and for the rest the Zimbra token can work. Zimbra should not give me an invalid token, but my application call should give me that. So I need that method where the comparison of the Zimbra token to ? is done.
I am passing my token to Zimbra.

Thanks
#8
10-19-2007, 11:10 AM
Project Contributor
Posts: 252

I don't think I get you right.

You have an application with its own token, right? Do you have that app already built, or are you starting to architect it?

What's the problem with using the Zimbra token?

I don't recommend hacking the Zimbra method; apart from being a little too much work for something like that, you may open a security door doing so.

Can you give us a little more info about what you are trying to achieve?

Thanks,
#9
10-19-2007, 12:20 PM
Intermediate Member
Posts: 18
auth token

Hi, thanks first for the quick response.
Yes, I already have an application built on some open source APIs through which auth is done, and this application also gives a token and expiration time.
So I want to incorporate that feature. Take a scenario where I create my own mail server based on the open source APIs of Zimbra and incorporate my authentication stuff in it, but as I am passing my auth token everywhere in the mail server that I plan to create.
So I am asking: does Zimbra check for each of its services whether the token is valid, or does it take something from its Account object to verify the token?
Or you can tell what Zimbra does after it gets its auth token for the first time. Do all the services do anything with it after getting the first token?

Or just bypass the Zimbra token whenever any service wants to check with it and use my token: any way out?

Last edited by arpitamunjal; 10-19-2007 at 12:23 PM..
#10
10-19-2007, 01:49 PM
Project Contributor
Posts: 252

I suggest storing Zimbra's token somewhere and using that for the Zimbra<->your app communication rather than modifying Zimbra.

Doing this will be less work than understanding Zimbra, hacking Zimbra, recompiling Zimbra, testing Zimbra and testing your app with Zimbra.

Why is this a no-go for you?