Token-based authentication means authenticating with signed, self-contained tokens that carry all the necessary information about the authenticated user. The id token itself holds the state, which allows the server to be stateless.
The token is sent in the Authorization header of each subsequent request to your API. If the API is called from JavaScript, the id token has to be made available in the web page; one way of doing this is to emit it from the master page (window.token = "<%= id_token %>";) and then read it from anywhere in your JavaScript code.
The token could also be sent to the web app via cookies.
Advantages of token-based authentication:
- The server can be stateless, i.e. it does not need a session store, and is therefore more scalable.
- Tokens allow the federated authentication pattern, wherein token generation is decoupled from the services that consume the tokens.
- They work for all app types (native, SPA, web).
- Microservices friendly: each microservice can independently verify that a token received from a client is valid. The microservice can further decode the token and extract the relevant information. There is no need to access a centralized token store.
Disadvantages/pitfalls of the token-based approach:
Tokens are signed to protect against manipulation, but the signature only guarantees integrity: the payload is merely encoded, not encrypted, and is easily decoded by anyone holding the token, so it should not contain sensitive information.
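An added example, not code from the original page, that ties the three points above together: a service mints a signed, self-contained token; any microservice verifies it statelessly from the Authorization header using only the shared signing key; and the claims can be read by anyone without that key, which is why they must not hold secrets. The key, claim names and TTL are constructed for the demo.

```python
import base64, hashlib, hmac, json, time
# Constructed demo key: each verifying service loads it from its own secret
# store, so no session or token store is consulted at request time.
SIGNING_KEY = b"demo-hmac-key-not-for-production"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def issue_token(claims: dict, key: bytes = SIGNING_KEY, ttl: int = 3600, now: int = None) -> str:
    """Mint a self-contained token: header.payload.signature, each part base64url."""
    now = int(time.time()) if now is None else now
    signing_input = (encode_segment({"alg": "HS256", "typ": "JWT"}) + "."
                     + encode_segment({**claims, "iat": now, "exp": now + ttl}))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def decode_unverified(token: str) -> dict:
    """No key needed to read the claims: the signature gives integrity, not secrecy."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_token(token: str, key: bytes = SIGNING_KEY, now: int = None):
    """Stateless per-request check a microservice runs; returns the claims or None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None  # payload edited, or signed with a different key
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # pin the algorithm; never let the token choose it
        claims = json.loads(b64url_decode(payload_b64))
        if claims.get("exp", 0) <= now:
            return None  # expired; with no store there is nothing else to revoke it
        return claims
    except (ValueError, AttributeError):
        return None      # wrong segment count, bad base64, or malformed JSON

def claims_from_request(headers: dict, key: bytes = SIGNING_KEY, now: int = None):
    """Extract and verify the bearer token the client sets in Authorization on each call."""
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return None
    return verify_token(value[len("Bearer "):], key, now)
```

Note that the only thing that invalidates a token here is its expiry; a short TTL is the usual compensating control when there is no server-side store to revoke from.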