Can a request using the Authorization: bearer [token] header be used for authentication?
or
Should we use another method to authenticate a client and issue a token, then use the token as a bearer token like OAuth2 does?
Why do popular web services (e.g. Github, AWS, Google...) use other methods (like AWS does: Authorization: AWS4-HMAC-SHA256 Credential=...) to authenticate a client? The point of the question is: are there any vulnerabilities or violations of standards in the following flow or not?
I would like to use the following flow:
the client: which is like a Twitter client.
the server: which is like the Twitter API.
Authorization: bearer [token]
I read the following RFCs but I haven't found any reason why I shouldn't or should use the flow above.
https://www.rfc-editor.org/rfc/rfc7235
https://www.rfc-editor.org/rfc/rfc6750
Thanks
Bearer authentication (also called token authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens. The name “Bearer authentication” can be understood as “give access to the bearer of this token.”
You use the bearer token to get a new access token. To get an access token you send the authentication server this bearer token along with your client id. This way the server knows that the application using the bearer token is the same application that the bearer token was created for.
The Basic and Digest authentication schemes are dedicated to authentication using a username and a secret (see RFC7616 and RFC7617). The Bearer authentication scheme is dedicated to authentication using a token and is described by RFC6750.
A bearer token allows developers to have a more secure point of entry for using the Twitter APIs, and is one of the core features of OAuth 2.0. Authentication which uses a Bearer Token is also known as application-only authentication.
I would recommend sticking to the OAuth2 spec. If you want to use a username and password to obtain a token you should use the "Client Credentials" flow. That means you need an "https" endpoint where the user can obtain an access token through the following POST request:
POST /token HTTP/1.1
Host: api.example.com
Authorization: Basic base64_encode("username:password")
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
If the client credentials are valid the endpoint should create an access token on the server. Besides the token you should store who has obtained the token and a timestamp for when the token expires. So the token should not be the username and password encrypted like in your example; instead it should be a random string which is assigned to the user.
The access token can then be used by the client to access protected parts of your API. If your API receives a bearer token you can look up the assigned user in your token table.
That being said, in OAuth2 you typically get an access token through an app key and secret which you have obtained previously from the API provider. This has the advantage that the user does not need to share any credentials with a 3rd party app. But whether this is needed depends on your use case.
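The token issuance and lookup the answer above describes, as an added example that is not part of the original answer: credentials are verified against a stored hash, the token is a random string (not derived from the credentials), and the token table keeps only a hash of the token together with its owner and expiry. The client registry, client id and secret are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for the client registry and the
# "token table" from the answer; a real deployment would use a database.
CLIENTS = {
    # client_id -> sha256 hash of its secret (never store the secret in clear)
    "twitter-like-client": hashlib.sha256(b"example-secret").hexdigest(),
}
TOKENS = {}  # sha256(token) -> {"client_id": ..., "expires_at": ...}
TOKEN_LIFETIME = 3600  # seconds


def _h(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def issue_token(client_id: str, client_secret: str, now: Optional[float] = None) -> Optional[str]:
    """Client Credentials grant: verify client_id:client_secret, mint a random token.
    Returns the token string, or None if the credentials are invalid."""
    now = time.time() if now is None else now
    expected = CLIENTS.get(client_id)
    # Constant-time comparison of the secret's hash against the stored hash.
    if expected is None or not hmac.compare_digest(expected, _h(client_secret)):
        return None
    token = secrets.token_urlsafe(32)  # random; unrelated to the credentials
    # Store only a hash of the token, plus who owns it and when it expires.
    TOKENS[_h(token)] = {"client_id": client_id, "expires_at": now + TOKEN_LIFETIME}
    return token


def authenticate_bearer(authorization: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Resolve an Authorization header to the owning client_id, or None.
    The scheme name is matched case-insensitively, as RFC 6750 requires."""
    now = time.time() if now is None else now
    if not authorization:
        return None
    parts = authorization.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    entry = TOKENS.get(_h(parts[1].strip()))
    if entry is None or entry["expires_at"] <= now:
        return None  # unknown or expired token
    return entry["client_id"]
```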