IT:AD:Bearer Token


Any party in possession of a bearer token (a “bearer”) can use it to get access to the associated resources (without demonstrating possession of a cryptographic key).
To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport (ie IT:AD:SSL / it:ad:tls).

    cache: false,
    url: "http://localhost:7001/api/appointments",
    headers: { "Authorization": "Bearer " + access_token }

  • Tokens need to be stored somewhere (local/session storage or cookies)
  • Tokens can expire like cookies, but you have more control
  • Local/session storage won't work across domains, use a marker cookie
  • Preflight requests will be sent on each CORS request
  • When you need to stream something, use the token to get a signed request
  • It's easier to deal with XSS than XSRF
  • The token gets sent on every request, watch out its size
  • If you store confidential info, encrypt the token
  • JSON Web Tokens can be used in OAuth
  • Tokens are not silver bullets, think about your authorization use cases carefully
  • /home/skysigal/public_html/data/pages/it/ad/bearer_token/home.txt
  • Last modified: 2023/11/04 03:21
  • by