With the modern economy now increasingly online, websites providing e-commerce and financial services remain attractive targets for cyberattacks. As a result, businesses must adopt a vigilant approach to their web security footprint. For example, securing modern web applications also requires protecting the APIs that those apps leverage for business logic and data.
In these web applications, properly authenticating users – human or systems – becomes a crucial aspect of controlling access and protecting their underlying APIs. The best practice for this authentication involves using tokens. These small chunks of data are typically encrypted, offering another layer of security.
Let's explore the concept of token-based authentication in web APIs. We cover the tokens themselves, including their format and the data they typically contain. Understanding how they contribute to protecting a web application, including their APIs, is important. This is critical information for any web developer hoping to build secure applications.
The Differences between Token Authentication and Authorization
Before we dive into token-based authentication for web APIs, let's quickly examine the differences between API authentication and authorization. Understanding the two most relevant specifications for these concepts is helpful. The OAuth 2.0 specification focuses on authorizing users, human or system, for access to APIs and other web resources. Conversely, OpenID Connect (OIDC), built on top of OAuth, is the main standard for identity-based authentication.
Both OAuth 2.0 and OIDC use JSON Web Tokens (JWT) to provide proof of authorization and authentication, respectively. The authentication process typically involves logging in through a central identity provider (IdP). Once authenticated, an encrypted ID token is generated by the IdP framework. This token contains personal identification information on the logged-in user as well as other relevant data.
The authorization server supporting the OAuth 2.0 spec also issues an encrypted access token once the user logs in. This token contains a collection of key-value pairs known as claims, which define the access rights of that user. Using this kind of token manages access to a web app's resources, including data or APIs. An access token is also typically required for accessing external APIs hosted on a different server.
In short, token authentication focuses on the validation of a user, their identity, and session. At the same time, token authorization focuses on permitting access to web applications, APIs, and other resources. Understanding the subtle differences between the two plays a key role in fully grasping modern web application security.
A Closer Look at Token-Based Authentication in Web APIs
Now, let's dive into the details of leveraging token-based authentication for web APIs. Since OIDC functions on top of OAuth 2.0, they work in tandem when accessing web applications and their APIs. Note that Duende IdentityServer offers an effective security framework for both specifications, suitable for ASP.NET Core applications.
When a user logs into a web application through an IdP, the authorization server generates identity and access tokens. For example, with IdentityServer, expect the identity token to provide information on the user, the authorization process, and the session. The access token ultimately authorizes access to the APIs and resources used by the web application.
The web application requests access to specific scopes on behalf of the user. This process is either transparent or requires user consent. Upon a successful request, the app retrieves an access token validated for specific scopes. The API inspects the access token, leveraging its business logic to check whether the token is valid. A validated access token then ensures authorization to use the functionality within that API.
How to use an Access Token for Permission to the Web API
Once again, the access token authorizes requests from the web application to the API used by that app. Adding this functionality only requires a bit of straightforward programming. First, when calling an API, the application retrieves the access token from an encrypted authentication cookie created when the user logs in. The app embeds the token within an Authentication: Bearer HTTP header. Simply making that HTTP request now provides access to the API in question.
Note that a best practice is for access tokens to have a limited lifespan, and expire after a certain amount of time. As such, authenticated users simply use a refresh token to request a new access token from the authorization server. Due to this powerful functionality, protecting refresh tokens from cyberattacks remains crucial. In this scenario, adopting the backend for frontend pattern, which stores all tokens on the server rather than in the browser makes perfect sense.
The Advantages of Using Token-Based Authentication for Web APIs
Now, let's examine some of the most important benefits gained when leveraging token-based authentication. Use this information as food for thought when architecting and building your next web application.
• A Stronger Security Footprint: Using encrypted tokens for authentication and authorization for web applications and the APIs they use provides improved security. Remember, tokens have limited lifespans, minimizing the window of access for these web-based resources. Using the BFF pattern, as noted above, also keeps tokens from the web browser, enhancing their security footprint.
• Flexibility for Protecting Different Clients: In addition to web APIs and applications, tokens are also used for protecting mobile apps. This use case provides developers with significant flexibility when designing the cybersecurity approach for larger platforms. Users ultimately enjoy a seamless accessibility experience no matter their device.
• Suitable for Accessing Third-Party APIs: Some complex web and mobile applications leverage a mix of internal and external APIs. Adopting a token-based authentication strategy for these APIs effectively supports these kinds of cross-domain architectures.
Notably, some tech resources mention tokens being stored within a browser as a performance benefit for the host server. However, this approach remains a critical security risk, as cybercriminals find it easier to steal browser-based tokens. Duende recommends leveraging the Backend for Frontend pattern, ensuring all tokens are handled in a more secure server environment. Check out our BFF security framework for an effective strategy to protect your web applications and APIs.
If you want to implement token-based authentication in your company's ASP.NET Core applications, check out Duende IdentityServer. It offers an easy-to-learn and effective framework for supporting the OAuth 2.0 and OpenID Connect standards. Duende also offers industry-best documentation and tutorial resources, including source code, to help you get started. Contact our helpful sales team to help you get started or answer any questions.