 

Web API OAuth Bearer Token security

I'm sure I'm missing something here, so hopefully somebody here can fill me in.

I'm looking at the OAuth 2.0 implementation in .NET 4.5 Web API (version 2 I guess?), and I've implemented a very simple demo where I have a console app calling some basic actions. I get a token from the "/Token" endpoint, and I pass it back as a "bearer" token in the Authorization header. It all works fine.

However, what I'm missing is how this is not susceptible to MITM, replay or other attacks? If I am simply handing credentials around (in the form of a token), and they are the same credentials all the time, what kind of security is wrapped around this to make sure that nobody has simply stolen my token and is impersonating me?

Admittedly, I'm using SSL as well, but is that the only security built around this? Perhaps I should be using some kind of nonce as well, or a timestamp check? If so, how does one do that in Web API?

Anyway, I'm sure there is a very simple explanation here, so I would appreciate the info.

Also note that I am running both servers in two Visual Studio 2013 Web application projects that are in different VS 2013 solutions that are running on different ports. I am not sure if that matters, but thought I would mention it.

ChrisC asked Oct 08 '14 18:10


1 Answer

OAuth 2.0 bearer tokens depend solely on SSL/TLS for their security; there is no internal protection for bearer tokens. If you have the token, you are the owner. Many API providers who rely on OAuth 2.0 put in bold that client developers should store the token securely and protect it during its transmission.

You can read this interesting post by Eran Hammer, who used to work with the community which standardized OAuth 2.0, but I believe he left them over a conflict of opinions. Check his post OAuth Bearer Tokens are a Terrible Idea, and you can read this post too.

But in the end it is becoming the standard way, and you must transmit it over HTTPS and store it securely.

Taiseer Joudeh answered Oct 13 '22 10:10
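Since the answer says TLS is the only protection a bearer token has, the following shows one way to enforce it in a Web API 2 / OWIN host. It is an added example, not code from the question or the answer. The `RequireHttpsHandler` name, the 20-minute lifetime and the stand-in provider are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Hypothetical handler: refuses any Web API request that did not arrive over
// TLS, so a bearer token sent in clear text is never honoured as a credential.
public class RequireHttpsHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            return Task.FromResult(
                request.CreateErrorResponse(HttpStatusCode.Forbidden, "HTTPS is required."));
        }
        return base.SendAsync(request, cancellationToken);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            // Weak setting often left over from demos: AllowInsecureHttp = true
            AllowInsecureHttp = false,   // token endpoint rejects plain-HTTP requests
            // Assumed value: a short lifetime bounds how long a stolen token works.
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
            // Stand-in: replace with a subclass that validates clients and credentials.
            Provider = new OAuthAuthorizationServerProvider()
        });
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

        var config = new HttpConfiguration();
        config.MessageHandlers.Add(new RequireHttpsHandler()); // covers API actions
        config.MapHttpAttributeRoutes();
        app.UseWebApi(config);
    }
}
```

The message handler only sees requests that reach Web API, which is why the `/Token` endpoint is covered separately by `AllowInsecureHttp = false`. If TLS is terminated at a reverse proxy, `RequestUri.Scheme` reflects the proxy-to-server hop, so the check has to be enforced at the proxy instead.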