What is token-based authentication?

by

I think it’s well explained here — quoting just the key sentences of the long article:

The general concept behind a
token-based authentication system is
simple. Allow users to enter their
username and password in order to
obtain a token which allows them to
fetch a specific resource – without
using their username and password.
Once their token has been obtained,
the user can offer the token – which
offers access to a specific resource
for a time period – to the remote
site.

In other words: add one level of indirection for authentication — instead of having to authenticate with username and password for each protected resource, the user authenticates that way once (within a session of limited duration), obtains a time-limited token in return, and uses that token for further authentication during the session.

Advantages are many — e.g., the user could pass the token, once they’ve obtained it, on to some other automated system which they’re willing to trust for a limited time and a limited set of resources, but would not be willing to trust with their username and password (i.e., with every resource they’re allowed to access, forevermore or at least until they change their password).

If anything is still unclear, please edit your question to clarify WHAT isn’t 100% clear to you, and I’m sure we can help you further.

More Related Contents:

  1. Best practices for server-side handling of JWT tokens [closed]
  2. JWT (JSON Web Token) automatic prolongation of expiration
  3. Authentication versus Authorization
  4. Where to store JWT in browser? How to protect against CSRF?
  5. Non-random salt for password hashes
  6. JWT refresh token flow
  7. Cross Domain Login – How to log a user in automatically when transferred from one domain to another
  8. Where do you store your salt strings?
  9. SPA best practices for authentication and session management
  10. How do I store and retrieve credentials from the Windows Vault credential manager?
  11. Symfony2 extending DefaultAuthenticationSuccessHandler
  12. Best way for a ‘forgot password’ implementation? [closed]
  13. What is the best Distributed Brute Force countermeasure? [closed]
  14. Should I hash the password before sending it to the server side?
  15. https URL with token parameter : how secure is it?
  16. How to do stateless (session-less) & cookie-less authentication?
  17. Using Symfony2’s AccessDeniedHandlerInterface
  18. How to manually decrypt an ASP.NET Core Authentication cookie?
  19. Secure Google Cloud Functions http trigger with auth
  20. Google Authenticator available as a public service?
  21. What are best practices for securing the admin section of a website? [closed]
  22. Securing an API: SSL & HTTP Basic Authentication vs Signature
  23. Prevent PDF file from downloading and printing
  24. Token based authentication in Web API without any user interface
  25. What is the most secure seed for random number generation?
  26. How to build RUNAS /NETONLY functionality into a (C#/.NET/WinForms) program?
  27. Is it worth encrypting email addresses in the database?
  28. What is the appropriate way to manage API secrets within a Google Apps script?
  29. SSO with CAS or OAuth?
  30. Has Hardware Lock Elision gone forever due to Spectre Mitigation?

Leave a Comment