
I am trying to understand how the token system works between Web API and AngularJS for authentication purposes. Please correct me if I am wrong. The token is stored in a database table, and we add the token manually in our client application to accompany every request we make from the client. Thanks.

MACMAN
  • Depends on the token type you use. JSON Web Token (JWT) is pretty much used these days, and that's a self-contained token that has basic info about the user embedded into it, so you don't have to go to the DB for each request. Also, you can choose whatever info you want to put into it. – dee zg Oct 24 '17 at 04:14
  • I would recommend you read this great blog post on how to implement a simple token-based auth server: http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/ – Marcus Höglund Oct 24 '17 at 06:23

3 Answers


As @dee said, it depends upon the approach you are using. The approach you are talking about has the following steps:

1. Send a login request to the Web API.

2. If successful, generate a token on the server side, store it in the DB and return it in the response as well.

3. On the client side, store the token somewhere, maybe in browser memory.

4. Use $http interceptors to intercept every API request and append the token to the headers; suppose the header name is x-access-token.

5. On the API side, create a custom authorization attribute that checks the x-access-token header for every request, gets the token out of it and matches it in the DB.

jitender

Most tokens are JSON Web Tokens these days. Introduction to JWTs: https://jwt.io/introduction/.

  1. The calling app presents some credentials to the token service and asks for a token for some API
  2. Service generates a token with some claims in it that say who the caller is and what permissions they might have on the API
  3. Service signs the token with a digital signature (so it can't be modified) and returns it to the calling app
  4. Calling app can then attach the token to AJAX requests to the API
  5. The API can validate the token by validating the digital signature
  6. If the token is valid, the API can get the caller info from the claims in the token

You don't need to store the tokens anywhere on the service side. The signatures allow any service to validate the token without DB calls.

juunas

If you are new to Web API, I can offer you an advanced seed project for Web API.

This project will help you with token work logic and many other topics and will allow you to develop applications faster.

Web Api Advance Seed

anıl yıldırım