These security tokens are considered to be bearer tokens. Giving access to the bearer of the token is what the name Bearer authentication assumes. Bearer tokens are usually generated by the server at the moment client logs in to the system.
The Bearer authentication method should only be used over HTTPS (SSL) for security reasons.
The Bearer authentication method can be used in combination with other schemes.
Bearer Authentication requires the SI (Sitecore Identity) server that provides tokens in JWT (JSON Web Token) format by default, an API application, and an MVC client application.
Currently, token-based authentication is widespread on the Internet and is best suited for it.
This access method involves
- Platform-as-a-Service applications as a service providing RESTful APIs used by various platforms and clients
- Mobile applications implementing native or hybrid mobile apps that interact with your services
- Single-page applications (SPA) that create modern applications with frameworks such as Angular and React
How it works
- User Requests Access with Username / Password
- Application validates credentials
- The application provides a signed token to the client
- The client stores the token and sends it along with every request
- The server verifies token and responds with data
There are several important aspects of choosing token-based authentication for your application. When choosing tokens, the following principles should be followed:
- Statelessness and scalability of the servers
- Mobile App Availability
- Transferring Authentication to Other Applications
- Extra security