I am working on learning about Web API and API's methodology in general.
At this time, I'm am investigating Authentication.
I know there are several ways for API authentication and authorization. The most common seems to be bearer token.
I also see SAML and I know about x509 as well (From my WCF days).
I'd like to talk about bearer token today. Bearer token is passed as a header. Headers are not encrypted might not be encrypted?, therefore, it could be possible for someone to grab said token and impersonate the user without consent. This is my view on a bearer token. It seems many popular services today use this method of authentication for API's.
What other options are out there besides bearer token but is more or less just as secure as HMACing the message, etc?
I seem to know a little about a lot of authentication methods. I am trying to understand more and would like to build a very secure API that allows for SSO (Single sign on) - If bearer token is the way to go, then great, it is very easy and out of the box solution. If there is something better and more secure, I am open to that even if the work and time is far more than bearer token.
I don't know why I don't like the sound of a bearer token, but it just seems to easy to attack and exploit. Especially for a payment related type service.
Thanks!
This token has to passed with the reqeust for authorization and once request is authorized, communication is set between client and Web API and user can get the response. Request goes to Authorization server which generated encrypted token which is also known as bearer token.
Token based authentication scheme where anyone in possession of a valid “token” can gain access to the associated secured resources, in this case our API. Considered secure, it is widely adopted in industry and is the scheme, (specified in RFC 6750 ), we’ll use to secure our API.
Bearer authentication (also called token authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens. The name “Bearer authentication” can be understood as “give access to the bearer of this token.” The bearer token is a cryptic string, usually generated by the server in response...
Authorization: Bearer <token>. The Bearer authentication scheme was originally created as part of OAuth 2.0 in RFC 6750, but is sometimes also used on its own. Similarly to Basic authentication, Bearer authentication should only be used over HTTPS (SSL).
Headers are encrypted using HTTPS - Bearer token is perfectly fine for security and I am using it in my enterprise application now.
Bearer token is passed as a header. Headers are not encrypted, therefore, it could be possible for someone to grab said token and impersonate the user without consent.
While this may not always be an ideal solution, you could make sure that you are only passing data using https. According to Eran Hammer (who is actually advising against using bearer tokens in this article), header information will remain safe if passed using HTTPS. Also, you could add your own encryption algorithm to the token or sensitive data when you need to use it again.
See #8 in 10 Things You Should Know About Tokens
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With