Menu
I'm making an authorization system in PHP, and I came across this Bearer scheme of passing JWT tokens, I read [RFC 6750][1]. I've got the following doubts:
Authorization: Bearer fdbghfbfgbjhg_something, how is server supposed to handle this, decodeFunc(explode(" ", $this->getRequest()->getHeader("Authorization"))[1])?
[1]: https://www.rfc-editor.org/rfc/rfc6750
355
Bearer tokens enable requests to authenticate using an access key, such as a JSON Web Token (JWT). The token is a text string, included in the request header. In the request Authorization tab, select Bearer Token from the Type dropdown list. In the Token field, enter your API key value.
OAuth 2.0 bearer tokens depend solely on SSL/TLS for its security, there is no internal protection or bearer tokens. if you have the token you are the owner. In many API providers who relay on OAuth 2.0 they put in bold that client developers should store securely and protect the token during it is transmission.
Renew tokens A valid bearer token (with active access_token or refresh_token properties) keeps the user's authentication alive without requiring him or her to re-enter their credentials frequently. The access_token can be used for as long as it's active, which is up to one hour after login or renewal.
It's not required, it's rather a convention agreed to denote the Authorization scheme used. When the authorization scheme Bearer, it means that application presenting the bearer token is in fact the party the token was issued to. Some synonyms for word bearer in English are holder, or carrier.
1.Improving the security because if token is not sent in the header that sent in url, it will be logged by the network system, the server log ....
2.A good function to get Bearer tokens
/**
* Get header Authorization
* */
function getAuthorizationHeader(){
$headers = null;
if (isset($_SERVER['Authorization'])) {
$headers = trim($_SERVER["Authorization"]);
}
else if (isset($_SERVER['HTTP_AUTHORIZATION'])) { //Nginx or fast CGI
$headers = trim($_SERVER["HTTP_AUTHORIZATION"]);
} elseif (function_exists('apache_request_headers')) {
$requestHeaders = apache_request_headers();
// Server-side fix for bug in old Android versions (a nice side-effect of this fix means we don't care about capitalization for Authorization)
$requestHeaders = array_combine(array_map('ucwords', array_keys($requestHeaders)), array_values($requestHeaders));
//print_r($requestHeaders);
if (isset($requestHeaders['Authorization'])) {
$headers = trim($requestHeaders['Authorization']);
}
}
return $headers;
}
/**
* get access token from header
* */
function getBearerToken() {
$headers = getAuthorizationHeader();
// HEADER: Get the access token from the header
if (!empty($headers)) {
if (preg_match('/Bearer\s(\S+)/', $headers, $matches)) {
return $matches[1];
}
}
return null;
}
I would recommend to use the following RegEx to check, if it's a valid jwt-token:
/Bearer\s((.*)\.(.*)\.(.*))/
and access it also with matches[1].
This is the structure of a JWT-Token, see: https://jwt.io/
4
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
