API tokens are small chunks of data that play a critical role in the security of web applications. For example, when logging into your banking app, it will generate different types of tokens used to identify you and your access permissions. These tokens are typically encrypted, providing another layer of security.
The most important tokens used in web application security are access tokens and identity tokens. The functionality of each is highlighted by its name. Identity tokens are used to provide information on the logged-in user and their session. Access tokens are used to authorize permission to use a web app and its resources. Both work together to secure web and mobile applications and the APIs that those apps leverage.
Let's explore everything about using API tokens in web applications. We cover their generation and storage as well as analyzing some strategies for ensuring their security. Once again, API tokens remain an important piece of securing web applications. Understanding them is required for anyone involved in web development.
What is an API Token?
Simply put, an API token is a small entity containing data used for securing applications and APIs. So, what is an API?
API stands for Application Programming Interface. It serves as an interface for different software components to communicate with another, even within the same application. In a practical sense, they encapsulate programmatic functionality, allowing other apps to use it. In modern applications, an API has grown to mean any remote server providing functionality and/or data. They ultimately simplify the programming process for developers writing web and mobile applications.
Accessing APIs requires some form of validation to prevent unauthorized access. As such, API tokens are like virtual tickets providing authentication and authorization functionality for an application's users. These users include both humans and even other programs or systems. In addition to their critical role in securing modern web applications, they also facilitate their functionality.
Examining the Contents of an API Token
While API tokens can be opaque, there are a few standards that benefit from structured data. The JSON Web Token (JWT) format supports storing this data. JWT-based tokens typically contain three different components. Let's examine all three:
• Header: The header includes metadata on the token itself. This includes the token type as well as the algorithm used to generate its signature.
• Payload: The payload contains the "meat" of the token. This typically includes data describing the user's identification data and permissions. It also might include other relevant information, such as the token's expiration timestamp.
• Signature: The signature ensures the security of each token. Cryptographic algorithms generate a unique signature for each token when created. The API validates this signature upon every request.
API Token Types
Now, let's explore the most common API token types.
• Access Tokens: Access tokens are commonly used to authorize access to applications and APIs. Their encryption and limited lifespan provide a measure of security. These tokens typically use the JWT format, which is described below.
• Refresh Tokens: Refresh tokens are used to generate new access tokens without forcing a user to log in again.
• Identity Tokens: Identity tokens are generated when a user logs in through a central identification provider (IdP). Importantly, the OIDC specification stipulates that these tokens use the JWT format.
Exploring the Most Common API Token Formats
Understanding the most widely-used token formats offers insights into how they are used for protecting applications and APIs. Here are some of the most important ones you need to know.
• JSON Web Tokens (JWT): The JWT effectively serves as an identity token format standard for OpenID Connect. They play a key role in the authorization and authentication process for web and mobile applications and their APIs. The JSON (JavaScript Object Notation) format is also commonly used and familiar to most programmers.
• OAuth Tokens: OAuth tokens are used to provide authorization to access APIs without requesting ID credentials. These see wide use in delegated authorization scenarios when accessing external APIs.
• Single Sign-On Tokens (SSO): SSO tokens are generated by identity providers for access to multiple apps and APIs without having to log in to each.
How are API Tokens Generated?
Duende IdentityServer provides a framework supporting both OAuth 2.0 and OIDC for ASP.NET Core applications and APIs. One of its core functions involves serving as a token engine for web apps and APIs on the .NET platform. Let's examine how tokens are generated by IdentityServer.
IdentityServer supports all of the endpoints defined in the OAuth 2.0 and OIDC specifications, including the authorize and token endpoints for token generation. When a user is authenticated, the token endpoint generates an identity token in the JWT format. This token contains information identifying the user, the token expiration time, as well as security properties and other data.
In addition to the identity token, the endpoint also generates and returns access and refresh tokens, which can be used to access APIs and prove IdentityServer issued the token, or refresh the tokens with IdentityServer once they expire.
Check out Duende's robust documentation library for more details on this token request and generation process. It covers both the machine-to-machine and end-user scenarios.
Strategies for Storing and Securing API Tokens
Since API tokens contain critical data for accessing applications and APIs, they remain attractive targets for cyberattacks. As such, developers and software architects need a proactive strategy for securing identity, access, and especially refresh tokens. Note that storing these tokens within a web browser makes it easier to steal and access their embedded data.
To protect API tokens, consider leveraging the Backend for Frontend (BFF) pattern in your web application architecture. This approach ensures all tokens are stored in the more secure environment of a server. Check out the Duende BFF security framework for a platform that seamlessly works with IdentityServer, OAuth 2.0, and OpenID Connect.
Remember, if you need an effective identity and access management solution for your ASP.NET Core applications, look no further than Duende IdentityServer. It's an OpenID Connect-certified solution that also serves as an effective token engine for your software. Leverage this opportunity to protect your applications, data, and customers from cyberattacks. Check out our demo today!