Wondering if that’s the best way to authenticate a website

  architecture, authentication, html, javascript, web

I started to build a website.

In the website I want to give permission to some resources only to authenticated users.

I'm wondering if my flow is ok or not:

a user logs in to the website with a user and password, and then the server's response is an access token.

1. User logs in:

When the user logs in, I make an HTTP request via JavaScript to the server; the client sends the request:

url: http://.../login

body:

{
 "username":"<some user>",
 "password":"<some password>",
 "grant_type":"password"
}

2. Server response:

{
    "access_token": "piF3...AFFNs",
    "token_type": "bearer",
    "expires_in": 86399
}

3. User asks for a resource:

url: http://.../resource1

Header:

Authorization: Bearer piF3...AFFNs

I'm not sure if this flow is more for REST APIs or if it's the convention to authenticate this way to a website.

Source: Ask Javascript Questions
