iam:auth:token

About

A token is a authentication material

An access token is a token (string) representing an access authorization.

It is equivalent to a session identifier in format.
It's a token that serves as delegation-specific credential.

Authentication

Token-based authentication is implemented by:

generating a token when the user authenticates
and then setting that token in the Authorization header of each subsequent request to an API.

They carry just enough information to either:

authorize the user to perform an action,
or allow a client to get additional information about the authorization process (to then complete it).

The concept behind using tokens is that you can authenticate to a central authority and then have permissions granted to a separate system without needing to give that system your credentials.

If the server providing the service was compromised, credentials would still be safe, and the attacker would only have access to resources until the token expired. Hence tokens are generally short lived.

Benefits

Unique – tokens are specific and can be generated per use or per device
Revocable – tokens can can be individually revoked at any time without needing to update unaffected credentials
Limited – tokens can be narrowly scoped to allow only the access necessary for the use case
Random – tokens are not subject to the types of dictionary or brute force attempts that simpler passwords that you need to remember or enter regularly might be

Security Consideration

You should give tokens an expiration because technically, once a token is signed, it is valid forever unless the signing key is changed.
Do not send tokens over non-HTTPS connections
Do not add sensitive / privacy data to the payload

Storage

Don't store them in place where third party could have access.

In HTTP:

Don't store it inside localStorage (or session storage) as it’s accessible by any script inside your page. (Xss, third party script (compromised or not), …)
The access token needs to be stored inside an httpOnly cookie as this cookie is not accessible from JavaScript code running in the browser
in memory

Usage

Oauth - Token
- What is a Oauth Access Token?
- Oauth - Refresh token

Format

Token type	Language	Size	Signature
What is a JWT or JWS token? (Json web signed token) - JSON Web Tokens (JWT)	Json	Low	public/private key
Simple Web Tokens (SWT)			Only symmetric
Security Assertion Markup Language Tokens (SAML)	Xml	High	public/private key
bearer	Generated or JWT
Hexadecimal nonce	String

Access tokens:

have an expiration date
are short-lived.

This information may live:

inside the structure of the token
or in a database/map