IT:AD:Bearer Token
- See:
Summary
Notes
$.ajax({ cache: false, url: "http://localhost:7001/api/appointments", headers: { "Authorization": "Bearer " + access_token } });
Pointers
- Tokens need to be stored somewhere (local/session storage or cookies)
- Tokens can expire like cookies, but you have more control
- Local/session storage won't work across domains; use a marker cookie
- Preflight requests will be sent on each CORS request
- When you need to stream something, use the token to get a signed request
- It's easier to deal with XSS than XSRF
- The token gets sent on every request, so watch its size
- If you store confidential info in the token, encrypt it
- JSON Web Tokens can be used in OAuth
- Tokens are not silver bullets, think about your authorization use cases carefully
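An added example, not code from the original note, showing the client-side handling these pointers describe: the token is stored together with an absolute expiry, the client decides locally whether it is still usable before sending, and the request is built with the same no-cache and Authorization header settings as the ajax snippet above. It assumes an OAuth-style token response with `access_token` and `expires_in` (an assumption) and uses an in-memory stand-in for sessionStorage so it runs under Node.

```javascript
// Treat a token as expired slightly early so a request that is slow to reach
// the API does not arrive with a token that expired in transit.
const SKEW_SECONDS = 30;

// Persist the token with an absolute expiry time. The shape {access_token,
// expires_in} is an assumed OAuth-style response, not something the note states.
function storeToken(store, { access_token, expires_in }, now = Date.now()) {
  const record = { token: access_token, expiresAt: now + expires_in * 1000 };
  store.setItem("access_token", JSON.stringify(record));
  return record;
}

function loadToken(store) {
  const raw = store.getItem("access_token");
  return raw ? JSON.parse(raw) : null;
}

// Local expiry check: lets the client re-authenticate before sending instead
// of discovering the problem through a 401 (and a wasted CORS preflight).
function isExpired(record, now = Date.now()) {
  return !record || record.expiresAt - SKEW_SECONDS * 1000 <= now;
}

// Build the request options for the API call. Returns null when there is no
// usable token so the caller can reauthenticate rather than send a doomed request.
function buildAuthorizedRequest(store, now = Date.now()) {
  const record = loadToken(store);
  if (isExpired(record, now)) return null;
  return {
    cache: "no-store",
    headers: { Authorization: `Bearer ${record.token}` },
  };
}

// Drop the token on logout or after a 401 so a stale token is never re-sent.
function clearToken(store) {
  store.removeItem("access_token");
}

// Minimal in-memory stand-in for window.sessionStorage (constructed for this
// example) so the code runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: (k) => m.delete(k),
  };
}
```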