IT:AD:Bearer Token

Summary

Any party in possession of a bearer token (a “bearer”) can use it to get access to the associated resources (without demonstrating possession of a cryptographic key).
To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport (i.e. IT:AD:SSL / TLS).

  // access_token was obtained earlier (e.g. from an OAuth token endpoint);
  // the client simply presents it in the Authorization header on each call
  $.ajax({
    cache: false,
    url: "http://localhost:7001/api/appointments",
    headers: { "Authorization": "Bearer " + access_token }
  });

Pointers

  • Tokens need to be stored somewhere (local/session storage or cookies)
  • Tokens can expire like cookies, but you have more control
  • Local/session storage doesn't work across domains; use a marker cookie
  • Preflight requests will be sent on each CORS request
  • When you need to stream something, use the token to get a signed request
  • It's easier to deal with XSS than XSRF
  • The token gets sent on every request, so watch its size
  • If you store confidential info, encrypt the token
  • JSON Web Tokens can be used in OAuth
  • Tokens are not silver bullets, think about your authorization use cases carefully