Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Using a bearer token for authentication(≠ authorization)

Tags:

http

authentication

web

api

bearer-token

A request using the Authorization: bearer [token] can be used for authentication?

or

Should we use another method to authenticate a client and issue a token then use the token as a bearer token like OAuth2 does? Why popular web services(e.g. Github, AWS, Google..) uses other method(like AWS does: Authorization: AWS4-HMAC-SHA256 Credential=...) to authenticate a client. The point of the question is: is there any valunerables or violation of standards in the following flow or not.

I would like to use the following flow:

the client: which is like Twitter client.
the server: which is like Twitter API.

  1. the client makes the token(encrypted user ID, password, and etc).
  2. the client requests a resource to the server with Authorization: bearer [token].
  3. the server decrypts the token and authenticates the client.
  4. the server response the resource.

I read the following RFC but I haven't found any reason why I shouldn't or should use the flow above.

https://www.rfc-editor.org/rfc/rfc7235
https://www.rfc-editor.org/rfc/rfc6750

Thanks

like image 537
sndyuk Avatar asked Mar 06 '17 03:03

sndyuk

People also ask

Is bearer token used for authentication or Authorization?

Bearer authentication (also called token authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens. The name “Bearer authentication” can be understood as “give access to the bearer of this token.”

How do you authenticate with bearer?

You use the bearer token to get a new Access token. To get an access token you send the Authentication server this bearer token along with your client id. This way the server knows that the application using the bearer token is the same application that the bearer token was created for.

What is the difference between basic auth and bearer token?

The Basic and Digest authentication schemes are dedicated to the authentication using a username and a secret (see RFC7616 and RFC7617). The Bearer authentication scheme is dedicated to the authentication using a token and is described by the RFC6750.

What is the point of a bearer token?

A bearer token allows developers to have a more secure point of entry for using the Twitter APIs, and are one of the core features of OAuth 2.0. Authentication, which uses a Bearer Token, is also known as application-only authentication.

1 Answers

I would recommend to stick to the OAuth2 spec. If you want to use a username and password to obtain a token you should use the "Client Credentials" flow. That means you need an "https" endpoint where the user can obtain an access token through the following POST request:

POST /token HTTP/1.1
Authorization: Basic base64_encode("username:password")
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials

If the client credentials are valid the endpoint should create an access token on the server. Beside the token you should store who has obtained the token and a timestamp when the token expires. So the token should not be the username and password encrypted like in your example instead it should be a random string which is assigned to the user.

The access token can then be used by the client to access protected parts of your API. If your API receives an bearer token you can look up the assigned user in your token table.

That being said in OAuth2 you typically get an access token though an app key and secret which you have obtained previously by the API provider. This has the advantage that the user does not need to share any credentials with an 3rd party app. But whether this is needed depends on your use case.

like image 84
Christoph Kappestein Avatar answered Sep 21 '22 06:09

Christoph Kappestein
Sign in to Comment

Related questions

Getting Private Repos From Organization with GitHub API V3
WooCommerce API for mobile App
How to retrieve all the contributors of a repo using github api
Separate authentication server for users and APIs
Simple product search API [closed]
How to confirm client-side Facebook app login from server side
Facebook Open Graph Not Showing Object Title
Google Place API for Parking Spots
REST API multi-tenant security
Using the Twitter streaming API, is it possible to only display tweets from a specific user?
Live Video Chat for iPhone and HTTP Live Streaming
History Api: How to tell the browser, that the page is loading?
Use refresh token if auth token expired in account authenticator
api authentication in rails 3
How to write a JavaScript API? [closed]
facebook graph api comment list sort , like 'orderby=desc'?
Magento API: Publish a new method in soap V2
Is there a test account for Instagram
How can i get the scores and schedules using ESPN API?
What is Java EE Endorsed API?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!