What is token-based authentication?

security authentication token http-token-authentication
431,122

Solution 1

I think it's well explained here -- quoting just the key sentences of the long article:

The general concept behind a token-based authentication system is simple. Allow users to enter their username and password in order to obtain a token which allows them to fetch a specific resource - without using their username and password. Once their token has been obtained, the user can offer the token - which offers access to a specific resource for a time period - to the remote site.

In other words: add one level of indirection for authentication -- instead of having to authenticate with username and password for each protected resource, the user authenticates that way once (within a session of limited duration), obtains a time-limited token in return, and uses that token for further authentication during the session.

Advantages are many -- e.g., the user could pass the token, once they've obtained it, on to some other automated system which they're willing to trust for a limited time and a limited set of resources, but would not be willing to trust with their username and password (i.e., with every resource they're allowed to access, forevermore or at least until they change their password).

If anything is still unclear, please edit your question to clarify WHAT isn't 100% clear to you, and I'm sure we can help you further.

Solution 2

From Auth0.com

Token-Based Authentication, relies on a signed token that is sent to the server on each request.

What are the benefits of using a token-based approach?

  • Cross-domain / CORS: cookies + CORS don't play well across different domains. A token-based approach allows you to make AJAX calls to any server, on any domain because you use an HTTP header to transmit the user information.

  • Stateless (a.k.a. Server side scalability): there is no need to keep a session store, the token is a self-contained entity that conveys all the user information. The rest of the state lives in cookies or local storage on the client side.

  • CDN: you can serve all the assets of your app from a CDN (e.g. javascript, HTML, images, etc.), and your server side is just the API.

  • Decoupling: you are not tied to any particular authentication scheme. The token might be generated anywhere, hence your API can be called from anywhere with a single way of authenticating those calls.

  • Mobile ready: when you start working on a native platform (iOS, Android, Windows 8, etc.) cookies are not ideal when consuming a token-based approach simplifies this a lot.

  • CSRF: since you are not relying on cookies, you don't need to protect against cross site requests (e.g. it would not be possible to sib your site, generate a POST request and re-use the existing authentication cookie because there will be none).

  • Performance: we are not presenting any hard perf benchmarks here, but a network roundtrip (e.g. finding a session on database) is likely to take more time than calculating an HMACSHA256 to validate a token and parsing its contents.

Solution 3

A token is a piece of data which only Server X could possibly have created, and which contains enough data to identify a particular user.

You might present your login information and ask Server X for a token; and then you might present your token and ask Server X to perform some user-specific action.

Tokens are created using various combinations of various techniques from the field of cryptography as well as with input from the wider field of security research. If you decide to go and create your own token system, you had best be really smart.

Solution 4

A token is a piece of data created by server, and contains information to identify a particular user and token validity. The token will contain the user's information, as well as a special token code that user can pass to the server with every method that supports authentication, instead of passing a username and password directly.

Token-based authentication is a security technique that authenticates the users who attempt to log in to a server, a network, or some other secure system, using a security token provided by the server.

An authentication is successful if a user can prove to a server that he or she is a valid user by passing a security token. The service validates the security token and processes the user request.

After the token is validated by the service, it is used to establish security context for the client, so the service can make authorization decisions or audit activity for successive user requests.

Source (Web Archive)

Solution 5

Token Based (Security / Authentication)

This means that in order for us to prove that we’ve access we first have to receive the token. In a real-life scenario, the token could be an access card to the building, it could be the key to the lock to your house. In order for you to retrieve a key card for your office or the key to your home, you first need to prove who you are and that you in fact do have access to that token. It could be something as simple as showing someone your ID or giving them a secret password. So imagine I need to get access to my office. I go down to the security office, I show them my ID, and they give me this token, which lets me into the building. Now I have unrestricted access to do whatever I want inside the building, as long as I have my token with me.

What’s the benefit of token-based security?

If we think back on the insecure API, what we had to do in that case was that we had to provide our password for everything that we wanted to do.

Imagine that every time we enter a door in our office, we have to give everyone sitting next to the door our password. Now that would be pretty bad because that means that anyone inside our office could take our password and impersonate us, and that’s pretty bad. Instead, what we do is that we retrieve the token, of course together with the password, but we retrieve that from one person. And then we can use this token wherever we want inside the building. Of course, if we lose the token, we have the same problem as if someone else knew our password, but that leads us to things like how do we make sure that if we lose the token, we can revoke the access, and maybe the token shouldn’t live for longer than 24 hours, so the next day that we come to the office, we need to show our ID again. But still, there’s just one person that we show the ID to, and that’s the security guard sitting where we retrieve the tokens.

Share:
431,122
csharpbaby
Author by

csharpbaby

Updated on July 15, 2022

Comments

  • csharpbaby
    csharpbaby almost 2 years

    I want to understand what token-based authentication means. I searched the internet but couldn't find anything understandable.

  • Bob Aman
    Bob Aman over 14 years
    Generally, if you want token-based authentication, you should start with OAuth.
  • yfeldblum
    yfeldblum over 14 years
    OAuth is certainly viable in a Web-based application. But, for example, operating system login sessions use token systems as well, as do many other kinds of software program, so this idea is not limited to the Web.
  • AJP
    AJP over 11 years
    Am I correct in thinking that in a web application, one (or more) cookies from the remote web site performs the function of the token?
  • AJP
    AJP over 11 years
    From the W3 article you referenced: "Typical web-authentication is cookie-based..."
  • Spring
    Spring over 11 years
    @Alex Martelli hi if connection is over HTTPS does that make a difference to send token as parameter or in header?
  • BenM
    BenM over 10 years
    As tokens are stored as cookies, is there anything in place to stop a person stealing that cookie/token and using it themselves, tricking the server into thinking they are the authorized user? Obviously they could only use it for x amount of time, but during that period they could do all the damage they needed to.
  • Donny V.
    Donny V. over 10 years
    @Chibbles You can use anti-forgery tokens for that. Also you could make sure the connection is encrypted with https.
  • Elisabeth
    Elisabeth over 10 years
    @Rondles For this you secure your ressource with SSL which prevents the man in the middle from stealing your token. And if he steals your token you can still encrypt your token.
  • Keith Robertson
    Keith Robertson over 10 years
    @Spring No, it makes no difference. In http(s), the requested resource, including the path and query string (i.e. parameters), and the headers are all sent as data, so both are therefore encrypted.
  • KevinManx
    KevinManx about 10 years
    A token is probably also preferable for a non-public customer support system. The company controls the username/password and issues & controls the token.
  • Saurabh Verma
    Saurabh Verma over 9 years
    How is this different from SessionAuthentication, where user can obtain a session_id by enterting his username and password, and then uses this session_id in subsequent request ?
  • user137717
    user137717 over 9 years
    @AlexMartelli Let's say I'm using JWT as my token. Where do I store the token on browser side and do I need to manually send it back to server with each subsequent request or does the browser automate that somehow? I'm also having trouble understanding how it only provides limited access to resources. Please explain further.
  • Alex Martelli
    Alex Martelli over 9 years
    @user137717, your response's Set-Cookie: name=value (&c) header instructs the browser to store the cookie (no idea what you mean by "using JWT as my token") and the browser sends it back in requests to the same domain as the Cookie header. (You can take control w/Javascript if you're writing a client-side app to run in the browser, of course). The limits on the access granted (both in time and scope) are up to your server code to enforce.
  • Anthony To
    Anthony To about 9 years
    if the token expires does the user have to log in again to get a new token?
  • Alex Martelli
    Alex Martelli about 9 years
    @AnthonyTo, depends on the token auth system -- you could get a "persistent token" that you're able to "refresh", or not, depending on the system!
  • richard
    richard almost 9 years
    You don't need to store the token in a cookie. You can store it in local storage.
  • Kebman
    Kebman almost 9 years
    @SaurabhVerma it's different from a session because you don't have to store the information in a cookie. That is great for mobile devices, some of which have restrictions on cookie usage.
  • Matias Cicero
    Matias Cicero over 8 years
    The problem with cookies is that the user must have them enabled, otherwise your authentication would not work. I'd recommend sending the token via the Authorization header to work around this fact. Also, it fits nicely to REST services, which are supposed to be stateless and may be hosted in a different domain.
  • xastor
    xastor about 8 years
    As a note : the fact that tokens are only valid for a limited time is an important distinction with sessions. When a token is intercepted it can only be abused for a limited time.
  • svlada
    svlada almost 8 years
    @Asik All points here are valid except "Stateless" when you start dealing with token revocation, blacklisting, reply attack prevention etc.
  • ASalazar
    ASalazar over 7 years
    The cited site recommends a newer article on the same topic: auth0.com/blog/cookies-vs-tokens-definitive-guide
  • Nidhin David
    Nidhin David over 7 years
    'statelessness' and 'performance' holds as longs as you don't need to 'immediately' revoke the token. Otherwise at-least one db access per api call is necessary.
  • Emile Bergeron
    Emile Bergeron over 7 years
    One-time token/link is a different concept than token based authentication.
  • Juraj Martinka
    Juraj Martinka about 7 years
    You might want to read "Stop using JWT for sessions": cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessi‌​ons
  • mc9
    mc9 over 5 years
    I do not think that JWT represents the current state of technology for implementing token based authentication. It is just one way of implementing it and with many flaws which are eloquently put by articles such as cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessi‌​ons
  • Elliptical view
    Elliptical view almost 5 years
    Link is now broken.
  • Suraj Jain
    Suraj Jain about 4 years
    Access token is token, and it is not stateless.
  • sajjad Yosefi
    sajjad Yosefi about 4 years
    The name of what you say is also token. But that's not the question
  • RaGe
    RaGe over 2 years
    Access Card feels like a poor analogy for tokens - in that after proving who I am and obtaining an access card, I can freely hand it to anyone to come and go as they please. There is no checking that the access card belongs to the holder, at the time of access. Isn't that closer to API key usage pattern rather than a token?
  • Eric Burel
    Eric Burel about 2 years
    @Kebman so a token stored in a cookie is equivalent to a session? We can say that session based authentication relis on token based authentication?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

REST Web Service authentication token implementation
Best way to create a TOKEN system to authenticate web service calls?
How to create a authentication token using Java
Sessions vs. Token based authentication
Laravel: What is "remember_token" in the "users" DB table?
Best practices for server-side handling of JWT tokens
Authenticating requests from mobile (iPhone) app to ASP.Net Web API (Feedback requested on my design)
php not redirecting and logging in
ASP.Net Authentication using <credentials> in web.config
ASP.NET Core using custom authenticationhandler with cookieauthentication