Javascript is actually
a good thing!
Make sure it's turned on
so that pingidentity.com can work properly.
Token-based Authentication | Ping Identity
Identity Fundamentals
Expand All | Collapse All
Identity and Access Management
Identity Providers and Service Providers
Centralized and Decentralized Identity Management
Zero Trust Security
Authentication
Authorization
Authorization Methods
User and Account Provisioning
Authentication and Authorization Standards
SAML
OAuth
OpenID Connect (OIDC)
Identity Orchestration

Token-based Authentication


Token-based authentication is the process of verifying a user and granting them a token that allows the user access to specific resources for a limited duration.

After the user’s credentials are validated, a token is issued for a limited duration (called a user session) that grants the user access to a specific set of sites, applications, or other resources based on the level of authorization determined by the token.


The user doesn’t need to re-enter their credentials every time they want to request access to certain resources protected by the token. The user only has to authenticate once per session. As long as the session is active, the token can be used for continuous authentication. Because tokens expire when the session is over, token-based authentication adds a greater degree of protection to user’s accounts.


Compared to standard password-based authentication, administrators have greater control over authentication tokens. It's up to administrators to determine the duration of token sessions and the finer details of the token transactions. Administrators can set tokens to reset when a user signs off or can set specific time limits for how long the token remains active in a given session.


Note: There are multiple authentication token types to use depending on your business needs. For example, deciding between an OAuth token, SAML token, or JSON web token (JWT) is situational and varies based on your use cases.

How does token-based authentication work?


The process for token-based authentication is generally as follows:
 

  1. A user requests access to a protected server, site, application, or resource and is prompted to authenticate.

  2. The server verifies the user’s credentials to determine if they are who they say they are.

  3. After verification, the server issues the user a security token that grants them access to their authorized resources.

  4. The token is stored in the user’s browser for the duration of the session and is referenced every time the user tries to access a different part of the server. The user’s access to certain resources is determined on the authorization built into the token.

  5. The token session expires when the session times out, the user signs off, or the connection to the server is severed.

Related Resources

Blog

Ultimate Guide to Token-based Authentication

Get answers to all of your questions about token-based authentication.

Blog

Access Denied: Token Revocation

Follow along as we walk through the steps of using token revocation to deny bad actors access to protected resources.

Blog

Go with the Flow, OAuth 2.0

Learn the basics of OAuth 2.0 with a real-life analogy.

Start Today

See how Ping can help you deliver secure employee and customer experiences in a rapidly evolving digital world.

Contact Sales

sales@pingidentity.com

+1 877-898-2905

Request a free demo