I have looked into various OAuth2 java libraries (spring-security-oauth, cxf, scribe, google-oauth-java-client) and could not find anything out there that supports the Mac token type as described here: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-http-mac-01
All of them support the Bearer token type by default and nothing else. Is there any particular reason why this token type is not supported at all?
Understand OAuth 2.0 for Token Authentication in Java
Authorization means that it provides a way for applications to ensure that a user has permission to perform an action or access a resource. OAuth 2.0 does not provide tools to validate a user's identity. That's authentication.
Security protocols like OAuth2 use JWT tokens to secure APIs. At this point, most, but not all, Identity Provider vendors are using JWT tokens as OAuth2 Access Tokens.
OAuth2.0 is an open authorization protocol, which allows accessing the resources of the resource owner by enabling the client applications on HTTP services such as Facebook, GitHub, etc. It allows sharing of resources stored on one site to another site without using their credentials.
The reason behind most of the Java libraries for OAuth 2.0 supporting Bearer token types is that the Bearer Token profile brings a simplified scheme for authentication. Any user which has a bearer token can use it to get access to the associated resources (without demonstrating possession of a cryptographic key). The OAuth 2.0 Authorization Framework: Bearer Token Usage specification describes the use of bearer tokens in HTTP requests to access OAuth 2.0 protected resources.
Response for Bearer Access Token:
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"mF_9.B5f-4.1JqM",
"token_type":"Bearer",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
}
MAC Token Profile defines the HTTP MAC access authentication scheme, providing a method for making authenticated HTTP requests with partial cryptographic verification of the request, covering the HTTP method, request URI, and host. Each access token type definition specifies the additional attributes (mac_key, mac_algorithm) sent to the client together with the access_token response parameter.
Response for MAC Access Token:
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
{
"access_token":"SlAV32hkKG",
"token_type":"mac",
"expires_in":3600,
"refresh_token":"8xLOxBtZp8",
"mac_key":"adijq39jdlaska9asud",
"mac_algorithm":"hmac-sha-256"
}
The access_token or the MAC key identifier is a string identifying the MAC key used to calculate the request MAC. The string is usually opaque to the client. The server typically assigns a specific scope and lifetime to each set of MAC credentials. The identifier may denote a unique value used to retrieve the authorization information (e.g. from a database), or self-contain the authorization information in a verifiable manner (i.e. a string consisting of some data and a signature).
Scribe is the library in Java for OAuth 2.0 with MAC Token profile.
Source: OAuth 2.0 Bearer Token Profile Vs MAC Token Profile
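The following is an added worked example, not code from the question, the answer, or any of the libraries named above. It shows in Python (rather than Java, purely for illustration) what the MAC token type obliges each side to compute: the client builds a normalized request string from the request's method, URI and host and signs it with the mac_key using the mac_algorithm from the token response; the resource server recomputes the same MAC over the request it actually received, compares it in constant time, and rejects stale timestamps and replayed nonces. The token values come from the answer's sample MAC token response; the timestamp and nonce are constructed. The exact field order of the normalized string and the Authorization header parameter names (id, ts, nonce, ext, mac) are this example's reading of the MAC draft family and should be checked against the draft the question links before being relied on.

```python
import base64
import hashlib
import hmac
import time

# Assumed layout of the normalized request string (timestamp, nonce, method,
# request-URI, host, port, ext, each newline-terminated). Field order is an
# assumption taken from the OAuth 2.0 MAC draft family; verify it against the draft.
MAC_ALGORITHMS = {
    "hmac-sha-1": hashlib.sha1,
    "hmac-sha-256": hashlib.sha256,
}


def normalized_request_string(ts, nonce, method, request_uri, host, port, ext=""):
    """Build the string the MAC covers: the request's identity, not its body."""
    fields = [str(ts), nonce, method.upper(), request_uri, host.lower(), str(port), ext]
    return "\n".join(fields) + "\n"


def compute_mac(mac_key, mac_algorithm, normalized):
    """HMAC the normalized string with the token's mac_key; unknown algorithms fail closed."""
    digestmod = MAC_ALGORITHMS[mac_algorithm]  # KeyError if the algorithm is not supported
    digest = hmac.new(mac_key.encode("utf-8"), normalized.encode("utf-8"), digestmod).digest()
    return base64.b64encode(digest).decode("ascii")


def build_authorization_header(access_token, mac_key, mac_algorithm,
                               ts, nonce, method, request_uri, host, port, ext=""):
    """Client side: sign the request and format the MAC Authorization header (assumed syntax)."""
    normalized = normalized_request_string(ts, nonce, method, request_uri, host, port, ext)
    mac = compute_mac(mac_key, mac_algorithm, normalized)
    parts = [f'id="{access_token}"', f'ts="{ts}"', f'nonce="{nonce}"']
    if ext:
        parts.append(f'ext="{ext}"')
    parts.append(f'mac="{mac}"')
    return "MAC " + ", ".join(parts)


def parse_authorization_header(header):
    """Split 'MAC k="v", k="v"' into a dict; values here never contain commas."""
    scheme, _, params = header.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC Authorization header")
    out = {}
    for item in params.split(","):
        key, _, value = item.strip().partition("=")
        out[key] = value.strip('"')
    return out


class MacVerifier:
    """Resource-server side: recompute the MAC over the request as the server saw it."""

    def __init__(self, credentials, clock_skew=300):
        self.credentials = credentials  # access_token id -> (mac_key, mac_algorithm)
        self.clock_skew = clock_skew    # seconds of timestamp drift tolerated
        self.seen_nonces = set()        # (id, ts, nonce) triples already accepted

    def verify(self, header, method, request_uri, host, port, now=None):
        now = time.time() if now is None else now
        try:
            p = parse_authorization_header(header)
            token_id, ts, nonce, mac = p["id"], int(p["ts"]), p["nonce"], p["mac"]
        except (ValueError, KeyError):
            return False                      # malformed header: reject
        if token_id not in self.credentials:
            return False                      # unknown key identifier
        if abs(now - ts) > self.clock_skew:
            return False                      # stale or future-dated request
        if (token_id, ts, nonce) in self.seen_nonces:
            return False                      # replay of an already accepted request
        mac_key, mac_algorithm = self.credentials[token_id]
        normalized = normalized_request_string(ts, nonce, method, request_uri,
                                               host, port, p.get("ext", ""))
        expected = compute_mac(mac_key, mac_algorithm, normalized)
        if not hmac.compare_digest(expected, mac):
            return False                      # request differs from what the client signed
        self.seen_nonces.add((token_id, ts, nonce))
        return True


def demo():
    """Sign one request, then verify it, a tampered copy, and a replay of the original."""
    # Token as issued in the answer's sample MAC response
    token_id, mac_key, mac_alg = "SlAV32hkKG", "adijq39jdlaska9asud", "hmac-sha-256"
    ts, nonce = 1336363200, "dj83hs9s"  # constructed values
    uri, host, port = "/resource/1?b=1&a=2", "example.com", 80
    header = build_authorization_header(token_id, mac_key, mac_alg, ts, nonce, "GET", uri, host, port)
    verifier = MacVerifier({token_id: (mac_key, mac_alg)})
    ok = verifier.verify(header, "GET", uri, host, port, now=ts + 10)
    tampered = verifier.verify(header, "GET", "/resource/2", host, port, now=ts + 10)
    replayed = verifier.verify(header, "GET", uri, host, port, now=ts + 10)
    return header, ok, tampered, replayed


if __name__ == "__main__":
    print(demo())
```

The point of the exercise is the verifier: with a bearer token the resource server only has to check that the presented string is a valid token, whereas the MAC type makes it recompute a signature over the request it received, keep a replay cache of nonces, and enforce a clock window. That extra server-side machinery, none of which a bearer deployment needs, is a practical reason library authors left the MAC profile out.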