Cookies vs Token Authentication

[danutzplusplus]

Hello,

I've a question regarding the authentication mechanisms that the Admin module seems to support. From what I can see the Admin app is a spa-like app, that uses tokens (either issued by itself or external providers) to authenticate its calls for the idserver-configuration APIs.

And my question, or curiosity, is why was this chosen, to use tokens and not cookies to authenticate requests to the APIs? Especially since the APIs are hosted in the same domain as the spa.

I'm under the impression, from most of what I read (and please correct me if I'm under a false impression), that cookies are definitely a more secure way of transiting and storing the authentication tokens that are generated server-side. Especially since the browser has first-class knowledge of them, and offers security options both in storage and in transport, whereas tokens are basically just strings for the browser.

And if cookies are a more secure way of handling authentication, and considering the sensitivity of this kind of web app (it handles admin settings for the idserver), and that the APIs are under the same host, why were cookies not chosen?

I do see some configurations which mention cookies as an authentication mechanism, but that doesn't seem to be used anywhere (unless I missed something). Or was the cookie implementation planned, but never finished due to other priorities?

Thanks, and look forward to your answer.
Have a good one.

Kind regards,
Dan