Wondering if that’s the best way to authenticate a website

  architecture, authentication, html, javascript, web

I started to build a website.

In the website I want to give permission to some resources only to authenticated users.

I’m wondering if my flow is OK or not:

A user logs in to the website with a username and password, and then the server responds with an access token.

1. User logs in:

When the user logs in, I make an HTTP request to the server via JavaScript; the client sends the request:

    url: http://.../login

    {
      "username": "<some user>",
      "password": "<some password>"
    }

2. Server response:

    {
      "access_token": "piF3...AFFNs",
      "token_type": "bearer",
      "expires_in": 86399
    }

3. User asks for a resource:

    url: http://.../resource1

    Authorization: Bearer piF3...AFFNs

I’m not sure if this flow is more for REST APIs or if it’s the convention to authenticate to a website this way.

Source: Ask Javascript Questions