Bearer Token

  • Question

  • User1536465747 posted

    Hello Guys,

    What could be the disadvantage (if any) of using header authorization with a token without the Bearer prefix?

    Namely, my token is a GUID value and it's NOT in the well-known format HEADER.PAYLOAD.SIGNATURE, and honestly I don't see any issues with that. However, I doubt that I possibly miss something. Do I?

    Thank you in advance

    Friday, February 19, 2021 10:44 AM

Answers

  • User475983607 posted

    KulerMaster

    Also I was wondering if it's OK to have a non-standard Bearer token and still make the consumers use it like it is a bearer token? e.g. Authorization: Bearer <non-standard-formatted-token> OR do I need to set the format according to the standard in case I want to use Bearer authorization?

    It seems like you made up your mind before asking this question. I would use a JWT because JWT is an industry standard. Frameworks like .NET come with libraries for handling JWTs and most client software already knows how to handle JWTs. I prefer to use existing libraries rather than writing and testing a custom solution.

    Design and implement whatever you like and if that design is an Authorization header with a bearer guid then great.  You just need to let the clients know how the token works and the client will need to write a little custom code.

     

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Saturday, February 20, 2021 12:51 PM

All replies

  • User475983607 posted

    I think you are asking about JavaScript Web Tokens (JWT).   

    https://jwt.io/introduction

    Friday, February 19, 2021 12:27 PM
  • User1536465747 posted

    Actually no. This is an API with authentication. They send username and password and get a token, which imo doesn't need to be a Bearer.

    Thus, my question is if it's a bad decision to have the token string be simply a GUID?

    Thanks 

    Friday, February 19, 2021 3:04 PM
  • User475983607 posted

    Thus, my question is if it's a bad decision to have the token string be simply a GUID?

    Probably a poor decision but we don't know your security requirements.  

    The bearer token is an industry standard in token authentication. I recommend doing a little research so you understand the standard. Then you can make a decision. Given the little information you have provided, I would fail the design in a code review with the recommendation to use standards.

    Friday, February 19, 2021 3:24 PM
  • User-474980206 posted

    The main disadvantage of using a guid as a token is that it requires a server lookup to translate the token to user credentials, while a bearer token just requires decryption or validation. If your app requires persistent state also then this may not be an issue.

    Friday, February 19, 2021 3:30 PM
  • User1536465747 posted

    Probably a poor decision but we don't know your security requirements. 

    Basically, it is an API that returns JSON data to the consumers. The data itself is not so sensitive but, anyway I plan to have some really sensitive data over there and I want to be 100% sure if I should keep using the GUID as token or follow the standards?

    From what I read here it seems that I should stick to the standard anyway. Right?

    Friday, February 19, 2021 7:16 PM
  • User1536465747 posted

    The main disadvantage of using a guid as a token is that it requires a server lookup to translate the token to user credentials, while a bearer token just requires decryption or validation. If your app requires persistent state also then this may not be an issue.

    Actually all that I do is check against the database if a certain token (GUID) is present and if it's not expired. I do not translate nor decrypt anything. Meaning, as said, it is a very basic API with IAuthorizationFilter set to guard the controllers (endpoints).

    1. you POST your username and pwd e.g. {"username":"admin","pwd":"123"} to https://api.domain.com/auth
    2. if the login is valid you get your token in the response
    3. you make new GET request adding the token in the header (Authorization)
    4. if your token is valid you get the data you need e.g. https://api.domain.com/items

    Thank you so much

    Friday, February 19, 2021 7:25 PM
  • User-474980206 posted

    Then that's fine. The use of JWT bearer tokens is to avoid database access or a 3rd-party source (your code does not have access to the database).

    Friday, February 19, 2021 10:53 PM
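To make concrete why a JWT lets the API skip the per-request database lookup discussed in the last two replies, here is an added example (not code from the thread or from the poster's API) that issues and verifies an HS256-signed HEADER.PAYLOAD.SIGNATURE token using nothing but the shared signing key. The key, subject and lifetime are constructed for the demo; the `now` parameter exists only so the expiry check can be exercised deterministically.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key. A real deployment loads this from a secret store and rotates it.
SIGNING_KEY = b"demo-signing-key-not-for-production"


def _b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def issue_jwt(subject: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Build HEADER.PAYLOAD.SIGNATURE signed with HMAC-SHA256 over the first two parts."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": int(now), "exp": int(now) + ttl_seconds}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    signature = hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


def verify_jwt(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload when signature and expiry check out, otherwise None.

    No database is consulted: the signature alone proves the server issued the claims.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    signing_input = f"{parts[0]}.{parts[1]}"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
        presented_signature = _b64url_decode(parts[2])
    except ValueError:  # covers bad base64 and bad JSON
        return None
    # Pin the algorithm server-side; never let the token's own "alg" choose the check.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected_signature = hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_signature, presented_signature):
        return None
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or exp <= now:
        return None
    return payload


if __name__ == "__main__":
    token = issue_jwt("alice", ttl_seconds=60)
    print(token)
    print(verify_jwt(token))
```

The trade-off the reply points at is visible in `verify_jwt`: the check is pure computation, so it scales without a token table, but the server also cannot revoke an individual token before `exp` without reintroducing some server-side state (a deny list or short lifetimes plus refresh).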
  • User1536465747 posted

    Hmm I am not quite sure that I understand the last answer. 

    Do you say that I SHOULD use JWT Bearer Token if my API code has access to the database? 

    Also I was wondering if it's OK to have a non-standard Bearer token and still make the consumers use it like it is a bearer token? e.g. Authorization: Bearer <non-standard-formatted-token> OR do I need to set the format according to the standard in case I want to use Bearer authorization?

    Thank you

    Saturday, February 20, 2021 11:41 AM
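The four-step flow the poster described (POST credentials, receive an opaque token, send it in the Authorization header, look it up and check expiry on each request), combined with the RFC 6750 `Authorization: Bearer <token>` framing asked about just above, as an added example that is not part of the thread or the poster's code. It assumes an in-memory dictionary standing in for the database table, one constructed user record, and a 30-minute token lifetime; the `now` parameters exist only so expiry can be tested deterministically. The Bearer scheme carries any opaque string, so nothing about the token's format has to change to use it.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 30 * 60  # assumed lifetime

# Constructed user table: salted PBKDF2 digests, never plaintext passwords.
_SALT = b"constructed-demo-salt"
USERS = {"admin": hashlib.pbkdf2_hmac("sha256", b"123", _SALT, 100_000)}


@dataclass
class TokenRecord:
    username: str
    expires_at: float


class OpaqueTokenStore:
    """Stand-in for the database table checked on every request.

    Only a SHA-256 digest of the token is stored, so a leaked table does not hand
    out usable credentials. Tokens come from the OS CSPRNG; RFC 4122 says UUIDs
    must not be relied on as security capabilities, so a GUID is not used here.
    """

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits
        self._records[self._digest(token)] = TokenRecord(username, now + TOKEN_TTL_SECONDS)
        return token

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        record = self._records.get(self._digest(token))
        if record is None or record.expires_at <= now:
            return None
        return record.username

    def revoke(self, token: str) -> None:
        # The one thing a server-side table makes trivial: invalidate a single token now.
        self._records.pop(self._digest(token), None)


def login(store: OpaqueTokenStore, username: str, password: str,
          now: Optional[float] = None) -> Optional[str]:
    """Step 1-2: verify credentials and return a fresh opaque token, or None."""
    expected = USERS.get(username)
    presented = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)
    if expected is None or not hmac.compare_digest(expected, presented):
        return None
    return store.issue(username, now)


def extract_bearer_token(authorization_header: Optional[str]) -> Optional[str]:
    """Step 3: accept only 'Bearer <credentials>' per RFC 6750; scheme name is case-insensitive."""
    if not authorization_header:
        return None
    scheme, _, credentials = authorization_header.strip().partition(" ")
    credentials = credentials.strip()
    if scheme.lower() != "bearer" or not credentials:
        return None
    return credentials


def authorize_request(store: OpaqueTokenStore, headers: Dict[str, str],
                      now: Optional[float] = None) -> Optional[str]:
    """Step 4, the authorization-filter logic: username on success, None means respond 401."""
    token = extract_bearer_token(headers.get("Authorization"))
    if token is None:
        return None
    return store.lookup(token, now)


if __name__ == "__main__":
    store = OpaqueTokenStore()
    tok = login(store, "admin", "123")
    print("issued:", tok)
    print("GET /items as:", authorize_request(store, {"Authorization": f"Bearer {tok}"}))
```

Because the raw token never touches disk, a compromised token table yields only digests, and because expiry and revocation both live in that table, the "server lookup" cost the earlier reply mentions buys immediate invalidation, which is exactly what a self-contained JWT cannot offer without extra state.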
  • User1536465747 posted

    It seems like you made up your mind before asking this question. I would use a JWT because JWT is an industry standard. Frameworks like .NET come with libraries for handling JWTs and most client software already knows how to handle JWTs. I prefer to use existing libraries rather than writing and testing a custom solution.

    Design and implement whatever you like and if that design is an Authorization header with a bearer guid then great.  You just need to let the clients know how the token works and the client will need to write a little custom code.

     

    Ha you are right. I am just looking for a confirmation :)

    Thank you for the good points. It's much appreciated

    Saturday, February 20, 2021 1:28 PM