Authentication with WebTools, MailLink, and Pocket

Let’s look at how SuperID changes authentication for WebTools, MailLink, and Pocket.

Before SuperID

  • We use proprietary tickets representing the user for authentication. A ticket is valid for a 10-hour sliding window.

  • WebTools, MailLink, and the mobile client use classic usernames and passwords. The password is stored encrypted on the device.

  • A user must re-authenticate when changing the password.

  • Double-clicking the WebTools owl icon will sign the user directly in to the tenant.

🛈 Note
An invalid cached password will sometimes result in locking the user account.

With SuperID

  • We use industry-standard OAuth 2.0 access tokens and refresh tokens representing a user signed in to an application.

  • The access token is valid for 1 hour. The refresh token is valid for several years.

  • Access tokens can’t be shared between applications.

  • The tokens are unique per user and application and are stored on the device.

  • WebTools, MailLink, and the mobile client all use industry-standard OAuth 2.0 for Native Apps (RFC 8252).

  • Double-clicking the WebTools owl icon will send the user to the tenant. If the user is not signed in, the user will be redirected back to the sign-in dialog, must click Next, and then possibly authenticate to sign in.
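The "OAuth 2.0 for Native Apps (RFC 8252)" bullet is the part a native client like MailLink or the mobile client has to get right: an authorization-code request with PKCE (which RFC 8252 requires) and a loopback redirect, followed by a state check on the callback. The Python below is an added illustration, not SuperOffice code; the authorization endpoint, client id and scope are placeholder assumptions rather than SuperID's real values.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumptions), not SuperID's real endpoint or client registration.
AUTHORIZE_URL = "https://id.example.test/authorize"
CLIENT_ID = "example-native-client"


def pkce_pair() -> tuple[str, str]:
    """RFC 7636 S256 verifier/challenge; RFC 8252 section 8.1 requires PKCE for native apps."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def challenge_matches(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs when the code is redeemed for tokens."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return secrets.compare_digest(expected.encode(), challenge.encode())


def build_authorization_request(port: int, scope: str = "openid") -> dict:
    """Authorization-code request with a loopback redirect URI (RFC 8252 section 7.3)."""
    verifier, challenge = pkce_pair()  # verifier stays on the device until token exchange
    state = secrets.token_urlsafe(16)  # binds the callback to this request
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": f"http://127.0.0.1:{port}/callback",
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return {"url": f"{AUTHORIZE_URL}?{urlencode(params)}", "verifier": verifier, "state": state}


def code_from_callback(callback_url: str, expected_state: str):
    """Extract the authorization code; return None if the state does not match."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        return None  # stale, foreign or forged redirect: do not redeem the code
    return query.get("code", [None])[0]
```

The app then posts the code plus the stored verifier to the token endpoint and keeps the resulting access and refresh tokens on the device, per user and per application, as the list above describes.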