it:ad:bearer_token:home

IT:AD:Bearer Token

Summary

Any party in possession of a bearer token (a “bearer”) can use it to get access to the associated resources (without demonstrating possession of a cryptographic key).
To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport (ie IT:AD:SSL / it:ad:tls).

Notes

  $.ajax({
    cache: false,
    url: "http://localhost:7001/api/appointments",
    headers: { "Authorization": "Bearer " + access_token }
  });

Pointers

  • Tokens need to be stored somewhere (local/session storage or cookies)
  • Tokens can expire like cookies, but you have more control
  • Local/session storage won't work across domains, use a marker cookie
  • Preflight requests will be sent on each CORS request
  • When you need to stream something, use the token to get a signed request
  • It's easier to deal with XSS than XSRF
  • The token gets sent on every request, watch out its size
  • If you store confidential info, encrypt the token
  • JSON Web Tokens can be used in OAuth
  • Tokens are not silver bullets, think about your authorization use cases carefully

Resources

* https://tools.ietf.org/html/rfc6750 * https://connect2id.com/learn/openid-connect * https://auth0.com/blog/ten-things-you-should-know-about-tokens-and-cookies/ * https://auth0.com/blog/angularjs-authentication-with-cookies-vs-token/

  • /home/skysigal/public_html/data/pages/it/ad/bearer_token/home.txt
  • Last modified: 2023/11/04 03:21
  • by 127.0.0.1