What is token-based authentication

Question

I want to understand what token-based authentication means  I searched the internet but couldn t find anything understandable

User · Answer

A token is a piece of data created by server, and contains information to identify a particular user and token validity. The token will contain the user's information, as well as a special token code that user can pass to the server with every method that supports authentication, instead of passing a username and password directly.

Token-based authentication is a security technique that authenticates the users who attempt to log in to a server, a network, or some other secure system, using a security token provided by the server.

An authentication is successful if a user can prove to a server that he or she is a valid user by passing a security token. The service validates the security token and processes the user request.

After the token is validated by the service, it is used to establish security context for the client, so the service can make authorization decisions or audit activity for successive user requests.

~~Source~~ (Web Archive)

User · Answer

A token is a piece of data which only Server X could possibly have created  and which contains enough data to identify a particular user   You might present your login information and ask Server X for a token  and then you might present your token and ask Server X to perform some user-specific action   Tokens are created using various combinations of various techniques from the field of cryptography as well as with input from the wider field of security research  If you decide to go and create your own token system  you had best be really smart

User · Answer

Token Based  Security   Authentication   means that In order for us to prove that we   ve access we first have to receive the token  In a real life scenario  the token could be an access card to building  it could be the key to the lock to your house  In order for you to retrieve a key card for your office or the key to your home  you first need to prove who you are  and that you in fact do have access to that token  It could be something as simple as showing someone your ID or giving them a secret password  So imagine I need to get access to my office  I go down to the security office  I show them my ID  and they give me this token  which lets me into the building  Now I have unrestricted access to do whatever I want inside the building  as long as I have my token with me   What   s the benefit of token based security   If we think back on the insecure API  what we had to do in that case was that we had to provide our password for everything     that we wanted to do   Imagine that every time we enter a door in our office  we have to give everyone sitting next to the door our password  Now that would be pretty bad  because that means that anyone inside our office could take our password and impersonate us  and that   s pretty bad  Instead  what we do is that we retrieve the token  of course together with password  but we retrieve that from one person  And then we can use this token wherever we want inside the building  Of course if we lose the token  we have the same problem as if someone else knew our password  but that leads us into things like how do we make sure that if we lose the token  we can revoke the access  and maybe the token shouldn   t live for longer than 24hours  so the next day that we come to the office  we need to show our ID again  But still  there   s just one person that we show the ID to  and that   s the security guard sitting where we retrieve the tokens

User · Answer

From Auth0 com     Token-Based Authentication  relies on a signed token that is sent to   the server on each request       What are the benefits of using a token-based approach          Cross-domain   CORS  cookies   CORS don t play well across different    domains  A token-based approach allows you to make AJAX   calls to any    server  on any domain because you use an HTTP header   to transmit the    user information    Stateless  a k a  Server side scalability   there is no need to keep a session store  the token is a self-contained entity that conveys    all the user information  The rest of the state lives in cookies or local storage on the client side    CDN  you can serve all the assets of your app from a CDN  e g     javascript  HTML  images  etc    and your server side is just the API    Decoupling  you are not tied to any particular authentication scheme     The token might be generated anywhere  hence your API can   be called    from anywhere with a single way of authenticating those   calls    Mobile ready  when you start working on a native platform  iOS     Android  Windows 8  etc   cookies are not ideal when consuming a    token-based approach simplifies this a lot    CSRF  since you are not relying on cookies  you don t need to protect    against cross site requests  e g  it would not be possible to    sib your site  generate a POST request and re-use the existing authentication cookie because there will be none     Performance  we are not presenting any hard perf benchmarks here  but    a network roundtrip  e g  finding a session on database    is likely to    take more time than calculating an HMACSHA256 to   validate a token and    parsing its contents

User · Answer

The question is old and the technology has advanced  here is the current state   JSON Web Token  JWT  is a JSON-based open standard  RFC 7519  for passing claims between parties in web application environment  The tokens are designed to be compact  URL-safe and usable especially in web browser single sign-on  SSO  context   https   en wikipedia org wiki JSON Web Token

User · Answer

It s just hash which is associated with user in database or some other way  That token can be used to authenticate and then authorize a user access related contents of the application  To retrieve this token on client side login is required  After first time login you need to save retrieved token not any other data like session  session id because here everything is token to access other resources of application  Token is used to assure the authenticity of the user  UPDATES  In current time  We have more advanced token based technology called JWT  Json Web Token   This technology helps to use same token in multiple systems and we call it single sign-on  Basically JSON Based Token contains information about user details and token expiry details  So that information can be used to further authenticate or reject the request if token is invalid or expired based on details

User · Answer

When you register for a new website  often you are sent an email to activate your account   That email typically contains a link to click on   Part of that link  contains a token  the server knows about this token and can associate it with your account   The token would usually have an expiry date associated with it  so you may only have an hour to click on the link and activate your account   None of this would be possible with cookies or session variables  since its unknown what device or browser the customer is using to check emails

User · Answer

I think it s well explained here -- quoting just the key sentences of the long article      The general concept behind a   token-based authentication system is   simple  Allow users to enter their   username and password in order to   obtain a token which allows them to   fetch a specific resource - without   using their username and password    Once their token has been obtained    the user can offer the token - which   offers access to a specific resource   for a time period - to the remote   site    In other words  add one level of indirection for authentication -- instead of having to authenticate with username and password for each protected resource  the user authenticates that way once  within a session of limited duration   obtains a time-limited token in return  and uses that token for further authentication during the session   Advantages are many -- e g   the user could pass the token  once they ve obtained it  on to some other automated system which they re willing to trust for a limited time and a limited set of resources  but would not be willing to trust with their username and password  i e   with every resource they re allowed to access  forevermore or at least until they change their password    If anything is still unclear  please edit your question to clarify WHAT isn t 100  clear to you  and I m sure we can help you further

[security] What is token-based authentication?

Examples related to security

Examples related to authentication

Examples related to token

Examples related to http-token-authentication