Token for authentication – Access Token, Refresh Token and Bearer Token

Why do we need tokens for authentication?

In our digital world, tokens play a crucial role in ensuring the security and integrity of our data via authentication and authorization processes.

These small digital objects serve as keys or credentials that enable digital systems to verify a user’s identity and grant them access to resources or services.

Only the use of tokens provides us with an efficient and secure method of ensuring that only authorized users can access certain data or functions, thus minimizing the risk of unauthorized access.

Importance of tokens in authentication systems

Tokens are ubiquitous in modern authentication systems and vary in their form and function. They are particularly valuable in distributed systems where identity verification and access control must be coordinated across different networks and services. By issuing and validating tokens, services can confirm the identity of a requestor without having to request direct authentication data such as passwords each time. This not only increases security by minimizing the amount of sensitive data transferred, but also improves the user experience through faster and smoother access to required resources.

Relevance of OAuth 2.0 and OpenID Connect

OAuth 2.0 and OpenID Connect are two key standards that have significantly shaped the use of tokens in modern security systems. OAuth 2.0 is an authorization framework that enables third-party providers to access Internet user accounts without exposing their passwords. It defines several types of tokens, including access tokens and refresh tokens, which are used to control access to protected resources. OpenID Connect, an extension of OAuth 2.0, adds an authentication layer and allows clients to verify the user’s identity and securely obtain basic profile information.

Both protocols use tokens to maximize security and user-friendliness in digital interactions. They ensure that tokens are created, transmitted and used in accordance with strict security standards. This helps to ensure that digital ecosystems remain secure and accessible for both users and providers.

Access Token

An access token is a small piece of data that acts as a security token. It is issued by an authentication server to a client or a Relying Party (RP) after the user has been successfully authenticated. Relying party refers to a system or application that relies on the authentication information provided by an authentication server.

Definition and purpose

The access token thus enables the client to access protected resources such as APIs, servers or applications. Since it is under the control of the client, not the user, it is protected against unauthorized manipulation by the user. This is achieved through secure storage mechanisms and authentication protocols that ensure that the token cannot be changed or viewed without appropriate security contexts and key access.

Manipulation of the token by the user would require compromising the client application or illegally obtaining highly privileged security data, which would significantly violate the security architecture.

Access tokens are an integral part of the authorization processes in many modern IT systems, including those that implement OAuth 2.0 and OpenID Connect. However, their main purpose is not to package authentication information of the user, but rather to ensure the authorization of the client. They enable the client to access protected resources after successful authentication of the user. The tokens, often in the form of opaque strings or as JWTs, store necessary authorizations to verify that the client has the required rights to use the requested services.

Service life and safety aspects

The lifespan of an access token is typically short, ranging from a few minutes to several hours. This short lifespan is an important security measure to minimize the risk of an intercepted or otherwise compromised token being misused. If a token expires, the client may have to use an existing refresh token to obtain a new access token.

Security aspects of access tokens cover several dimensions:

Access tokens play a crucial role in ensuring the security and integrity of transactions in modern IT systems. To ensure the security of these tokens, it is important to consider the following security aspects:

Encryption and integrity

It is strongly recommended to implement access tokens as JSON Web Tokens (JWTs) that support additional security measures such as signature and optional encryption and to implement these security mechanisms in full.

• Signed tokens: The signature of a JWT ensures that the content of the token has not been changed since it was generated by the issuer. This is crucial to ensure the integrity of the token and to verify that it comes from a trustworthy source.
• Encrypted tokens (nested JWTs): JWTs can be encrypted for an additional layer of security. This practice, known as “nesting”, involves signing the token and then encrypting the signed token. This protects the information contained in the token from access by unauthorized third parties, even if they intercept the token.

These security measures are particularly important in environments where sensitive information or critical functions need to be protected. The use of JWTs enables flexible handling of authorizations and provides robust tools to ensure security.

Secure transmission

• HTTPS: Regardless of the form of the token, it is crucial that all tokens are transmitted via secure channels such as HTTPS. This helps to prevent interception and man-in-the-middle attacks.

Access limitation

• Principle of minimum rights: Access tokens should only contain the minimum necessary authorizations that the client needs to perform its tasks. This reduces the risk and potential damage in the event of a security incident.

Use

Access tokens are used in a variety of use cases, especially in web-based and mobile applications, where they play a central role in security management. Some typical application scenarios include:

• Web APIs: Access tokens are used to authorize requests from front-end applications to back-end services by sending them as part of the HTTP header.
• Single Page Applications (SPAs): SPAs use access tokens to manage user sessions and dynamically load resources without the client having to be re-authenticated.
• Microservices architectures: In a microservices environment, different services use access tokens to authenticate and authorize each other so that client data can be managed securely and efficiently across different services.

The correct implementation and handling of access tokens is crucial to ensure the security of modern digital platforms and to protect the integrity and confidentiality of data.

Refresh Token

A refresh token is a special token that is used to extend the validity period of a client’s authorization without the user having to constantly re-enter their credentials.

Definition and purpose

It is crucial to understand that refresh tokens are not authentication tokens, but are used to maintain a client’s authorization session.

Refresh tokens facilitate the process of token renewal by enabling the client to obtain new access tokens as soon as the old ones expire. This reduces the need for users to authenticate themselves repeatedly and improves the user experience by enabling uninterrupted access to protected resources.

Application and functionality

While the client uses the Access Token to access protected resources such as the User Info Endpoint, which provides up-to-date user information, the Refresh Token ensures that the client continues to have access to such resources without the user having to actively intervene. This is particularly important in applications that require a permanent connection and constant access to user data.

Service life and management

The lifetime of a refresh token is usually significantly longer than that of an access token, which enables the client to receive authorization over longer periods of time. The secure storage and handling of these tokens is crucial, as compromising them can lead to unauthorized access to user data. It is therefore essential to implement strong security mechanisms to ensure that refresh tokens can only be used by authorized clients.

The management of refresh tokens requires careful consideration:

• Storage: Refresh tokens should be stored securely, both on the server and on the client. On the server, they should be stored in a secure, inaccessible database to minimize the risk of data leaks.
• Rotation: To further increase security, it is recommended that refresh tokens are rotated each time they are used, i.e. a new refresh token is issued together with a new access token and the old one is invalidated.
• Revocation: There must be a way to specifically revoke refresh tokens, especially in the event of security breaches or if the user deactivates their account.

Security risks

Due to their powerful role in extending access privileges, refresh tokens must be carefully secured. Recommended security measures include the use of HTTPS for all transmissions to and from the authentication server and strict guidelines for token validation and renewal to prevent misuse.

Even though refresh tokens offer numerous advantages – especially in terms of convenience features – they are also associated with specific security risks:

• Longer lifespan: The longer validity can pose a risk, as a compromised token could grant the attacker access over a longer period of time.
• Target for attacks: Due to their power and lifespan, refresh tokens are an attractive target for cyber attacks. Once a refresh token has been stolen, it can enable an attacker to repeatedly renew access tokens.
• Cross-Site Request Forgery (CSRF): When refresh tokens are used in web applications, they can be vulnerable to CSRF attacks, where an attacker executes a request on behalf of a user.

To mitigate these risks, it is essential that developers and system administrators implement a strong security architecture that includes continuous monitoring, strict access controls and regular security audits. By following these security practices, refresh tokens can be used effectively and securely to improve the user experience while ensuring the security of user data.

Bearer Token

A bearer token is a type of access token that grants the person who holds it (the “bearer”) access to a protected resource without further identity verification. This means that whoever is in possession of the token is considered authorized, regardless of whether they are actually the rightful owner or not.

Definition and characteristics

Bearer tokens are an integral part of many authentication standards, including OAuth 2.0, and are typically transmitted via HTTP headers in network requests.

Characteristics of Bearer Tokens:

• Ease of use: Bearer tokens do not require complex authorization verification mechanisms, which simplifies their implementation and use.
• Widely used: They are a common method of authentication and authorization in modern web and API-based applications.
• Stateless: Bearer tokens enable a stateless server architecture, as they contain all the necessary data for authentication and authorization.

Security risks

Despite their simplicity and efficiency, bearer tokens harbor considerable security risks:

• Token theft: Since the presence of the token is sufficient to gain access, anyone who steals or intercepts the token can gain access to the protected resources.
• Interception: Transmissions that do not take place via HTTPS are susceptible to man-in-the-middle attacks in which bearer tokens can be intercepted.
• Leakage through referrer headers: If a bearer token is contained in a URL, it could be forwarded to third parties through browser referrer headers.

Best practices for use

In order to minimize the risks associated with bearer tokens, the following best practices should be applied:

• Secure transmission: Always ensure that Bearer Tokens are only transmitted via secure channels such as HTTPS to protect the integrity and confidentiality of the tokens.
• Lifetime limitation: The validity period of bearer tokens should be kept as short as possible in order to minimize the risk in the event of theft.
• Use of HTTPS-only cookies: If possible, store bearer tokens in cookies marked as Secure and HttpOnly to prevent them from being accessible via client scripts.
• Token validation and rotation: Implement mechanisms for token validation and rotation to increase the security of token management.
• Scope restriction: Restrict the authorizations granted to a Bearer Token to what is absolutely necessary to limit potential damage in the event of misuse.

By following these practices, the security of bearer tokens can be significantly improved and the risk of unauthorized access reduced. Overall, the use of bearer tokens requires careful consideration and implementation to ensure that they can be used effectively and securely in modern digital systems.

Comparison of tokens: access, refresh and bearer tokens

The different types of tokens used in authentication systems have specific functions and characteristics that make them suitable for different applications.

Tabular comparison of the three token types

Our tabular comparison illustrates the differences between access tokens, refresh tokens and bearer tokens:

Practical examples of token use:

1. Access Token applications:
   • Web APIs: Access tokens are often used with web APIs, where they enable the client to access the API after a one-time authentication. One example is a developer who uses a REST API to retrieve data from a cloud service.
   • Single Page Applications (SPAs): In SPAs, access tokens are used to manage user sessions and dynamically reload content without the user having to log in again.
2. Refresh token applications:
   • Mobile apps: Refresh tokens are used in mobile applications to avoid the need for frequent logins. One example would be a shopping app that maintains user sessions over weeks.
   • Long-term web sessions: For services that require long-term user sessions, such as online banking or email services, refresh tokens help maintain security without compromising the user experience.
3. Bearer Token applications:
   • Microservices architectures: Bearer tokens are often used in microservices architectures where different services need to communicate securely with each other without going through complex authentication protocols.
   • Fast resource access: Bearer tokens are popular in environments where fast access is important, such as in high-performance backend systems, due to their ease of use.

Our overview shows how differently the various token types are used in authentication systems and emphasizes the need to carefully plan the protection and thus the lifespan of these tokens and to implement them accordingly in order to ensure the best possible security and at the same time the maximum possible user-friendliness.

Tokens and standards for authentication

Future trends, innovations and challenges

Our digital landscape around token-based authentication is constantly evolving. Driven by standardized IT standards, we are constantly improving the security of our data. It is therefore invaluable that you are familiar with the current standards. Only this enables us to make technological progress with correspondingly effective protection of our data. Security requirements are constantly changing.

A current trend is the increased use of machine learning (ML) and artificial intelligence (AI ) to detect and prevent the misuse of authentication tokens. These technologies can identify unusual patterns in token usage, enabling early warnings of potential security breaches.

Another trend is the adoption of zero trust architectures, which are based on the assumption that internal networks are just as vulnerable to compromise as external ones. Tokens play a central role in such systems, as they continuously check authorizations instead of granting one-off access.

Decentralized authentication technologies are also gaining in importance. These decentralized technologies make it possible to move authentication processes away from central instances and thus increase security and transparency.

Effects of new technologies

Decentralized infrastructures are becoming indispensable to ensure effective protection mechanisms against data manipulation and unauthorized access. The easy-to-understand management of authorizations is also becoming increasingly important in connection with Zero Trust and the almost infinite number of end devices and users.

The integration of biometric technologies and their protection are also important components of token authentication. By combining biometric data with traditional authentication tokens, security levels could be significantly increased, as physical proof of identity is difficult to falsify.

6.2 Extended security mechanisms for tokens

The constant development of security standards and technologies leads to the introduction of new mechanisms that further improve the security of token-based systems. These developments include the introduction of DPoP tokens and the encryption of UserInfo responses:

6.2.1 Demonstration of Proof of Possession (DPoP) Tokens

Demonstration of Proof of Possession (DPoP) tokens represent a significant improvement in security measures for bearer tokens. They are specifically designed to require proof of ownership by the client, mitigating the risks of token theft and misuse. https://datatracker.ietf.org/doc/html/rfc7516

• Specification and implementation: DPoP is described in the IETF as a draft, which was developed by the IETF (Internet Engineering Task Force). This can be implemented as a supplement to existing OAuth 2.0 mechanisms. This technique binds the token to a specific cryptographic key of the client, which means that only the legitimate owner can use the token. This security mechanism is presented here as a method because it is relevant that clients can use this technique to secure their token requests in OAuth 2.0 by proving possession of a cryptographic key.

6.2.2 Encryption of the UserInfo responses

In response to the vulnerabilities that can result from the theft of access tokens, some systems, such as the Italian SPID system, have implemented measures to encrypt responses from UserInfo endpoints.

• JSON Web Encryption (JWE)
  • JWE is a standard that was specified by the IETF and is part of the JOSE (JavaScript Object Signing and Encryption) specification series. JWE describes the encryption methods for JWTs in order to transfer their content securely.
  • Specification: Defined in RFC 7516.
• JSON Web Token (JWT)
  • JWT is a compact, URL-safe token format specified in the IETF. JWTs can be used for both authentication and information transfer and are specified in RFC 7519.
  • For encryption, the JWT structure is often used as a container for JWE in order to transport encrypted data securely.
• Technical details: The use of nested JWTs encrypted with JSON Web Encryption (JWE) ensures that even if the data is intercepted, it cannot be accessed or used without the corresponding key. This method significantly increases data security and protects the privacy of users.

These enhanced security mechanisms are exemplary of the efforts to improve the security and reliability of authentication systems in an increasingly networked and security-conscious world.

6.2.3 Real Use Case: The Italian SPID system (Sistema Pubblico di Identità Digitale)

The Italian SPID system – Sistema Pubblico di Identità Digitale – is a digital identity system developed by the Italian government to enable citizens and companies to securely access public services online. It uses strong authentication mechanisms and is an essential part of Italy’s digital infrastructure.

SPID Sistema Pubblico di Identità Digitale

For official information on the SPID system, you can visit the website of the Italian Agency for Digital Technology (Agenzia per l’Italia Digitale, AgID for short), which is responsible for the implementation and management of SPID. It provides comprehensive information about the system, how it works, the players involved and instructions for registration and use.

Conclusion

The right choice and implementation of tokens in security systems is crucial for the protection of digital resources.

Given the rapid pace of technological development and the constant emergence of new security threats, it is important that organizations remain agile and adapt the latest best practices and technologies.

• Diversity and function: Access, refresh and bearer tokens have specific functions and areas of use that influence their respective design and management.
• Security risks: Each type of token entails specific security risks that must be minimized through appropriate measures.
• Technological developments: New technologies such as decentralized infrastructures and AI offer valuable opportunities, even if various challenges for the further development of token-based authentication still need to be considered.

Future developments in token technology promise not only greater security, but also improved user-friendliness, which ultimately contributes to a more secure and efficient digital world.