Bearer Token

Question
User1536465747 posted
Hello Guys,
What could be the disadvantage (if any) of using the Authorization header with a token without the Bearer prefix?
Namely, my token is a GUID value and it's NOT in the well-known format HEADER.PAYLOAD.SIGNATURE, and honestly I don't see any issues with that. However, I suspect that I possibly miss something. Do I?
Thank you in advance
Friday, February 19, 2021 10:44 AM
Answers
User475983607 posted
KulerMaster
Also I was wondering if it's OK to have a non-standard Bearer token and still make the consumers use it like it is a bearer token? e.g. Authorization: Bearer <non-standard-formatted-token> OR do I need to set the format according to the standard in case I want to use Bearer authorization?

It seems like you made up your mind before asking this question. I would use a JWT because JWT is an industry standard. Frameworks like .NET come with libraries for handling JWTs and most client software already knows how to handle JWTs. I prefer to use existing libraries rather than writing and testing a custom solution.
Design and implement whatever you like, and if that design is an Authorization header with a bearer GUID then great. You just need to let the clients know how the token works and the client will need to write a little custom code.
Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Saturday, February 20, 2021 12:51 PM
All replies
User475983607 posted
I think you are asking about JavaScript Web Tokens (JWT).
Friday, February 19, 2021 12:27 PM
User1536465747 posted
Actually no. This is an API with authentication. They send a username and password and get a token, which imo doesn't need to be a Bearer.
Thus, my question is if it's a bad decision to have the token string be simply a GUID?
Thanks
Friday, February 19, 2021 3:04 PM
User475983607 posted
Thus, my question is if it's a bad decision to have the token string be simply a GUID?

Probably a poor decision, but we don't know your security requirements.
The bearer token is an industry standard in token authentication. I recommend doing a little research so you understand the standard. Then you can make a decision. Given the little information you have provided, I would fail the design in a code review with the recommendation to use standards.
Friday, February 19, 2021 3:24 PM
User-474980206 posted
The main disadvantage of using a GUID as a token is that it requires a server lookup to translate the token to user credentials, while a bearer token just requires decryption or validation. If your app requires persistent state anyway, then this may not be an issue.
Friday, February 19, 2021 3:30 PM
User1536465747 posted
Probably a poor decision, but we don't know your security requirements.

Basically, it is an API that returns JSON data to the consumers. The data itself is not so sensitive, but anyway I plan to have some really sensitive data over there, and I want to be 100% sure whether I should keep using the GUID as a token or follow the standards.
From what I read here, it seems that I should stick to the standard anyway. Right?
Friday, February 19, 2021 7:16 PM
User1536465747 posted
The main disadvantage of using a GUID as a token is that it requires a server lookup to translate the token to user credentials, while a bearer token just requires decryption or validation. If your app requires persistent state anyway, then this may not be an issue.

Actually, all that I do is check against the database whether a certain token (GUID) is present and whether it's not expired. I do not translate nor decrypt anything. Meaning, as I said, it is a very basic API with an IAuthorizationFilter set to guard the controllers (endpoints).
- you POST your username and pwd e.g. {"username":"admin","pwd":"123"} to https://api.domain.com/auth
- if the login is valid you get your token in the response
- you make new GET request adding the token in the header (Authorization)
- if your token is valid you get the data you need e.g. https://api.domain.com/items
Thank you so much
Friday, February 19, 2021 7:25 PM
User-474980206 posted
Then that's fine. The use of JWT bearer tokens is to avoid a database access or a 3rd-party source (your code does not have access to the database).
Friday, February 19, 2021 10:53 PM
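The trade-off discussed in the two replies above (a GUID that must be looked up in a store, versus a self-contained signed token that is validated without a lookup), together with the login-then-GET flow the asker describes, is illustrated below in a small Python sketch. This is an added example, not the asker's .NET filter nor any project's code: the OpaqueTokenStore class, the HMAC-signed "payload.signature" format, and all function names are assumptions made for the illustration, and every token is constructed inside the block. The header parser accepts both "Bearer <token>" (RFC 6750, scheme matched case-insensitively) and a bare token, which is the choice the question is about.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional


def extract_token(authorization: Optional[str]) -> Optional[str]:
    """Pull the credential out of an Authorization header.

    Accepts 'Bearer <token>' (scheme compared case-insensitively, as RFC 6750
    allows) and, for the asker's no-prefix variant, a bare token. Any other
    scheme (e.g. Basic) is rejected.
    """
    if not authorization:
        return None
    parts = authorization.strip().split(None, 1)
    if len(parts) == 2:
        return parts[1].strip() or None if parts[0].lower() == "bearer" else None
    return parts[0] if parts else None


# --- Variant 1: opaque GUID token, validated by a store lookup (the asker's design) ---

class OpaqueTokenStore:
    """Stand-in for the asker's database table (hypothetical; constructed for this example).

    Only the SHA-256 of the GUID is stored, so a leaked table does not hand out
    tokens that can be presented directly.
    """

    def __init__(self, ttl_seconds: int):
        self.ttl = ttl_seconds
        self._rows = {}  # sha256(token) -> (username, expires_at)

    def issue(self, username: str, now: float) -> str:
        token = str(uuid.uuid4())  # CPython's uuid4 is built from os.urandom
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._rows[digest] = (username, now + self.ttl)
        return token

    def lookup(self, token: str, now: float) -> Optional[str]:
        digest = hashlib.sha256(token.encode()).hexdigest()
        row = self._rows.get(digest)
        if row is None:
            return None
        username, expires_at = row
        return None if now >= expires_at else username


def authorize_opaque(header: Optional[str], store: OpaqueTokenStore, now: float) -> Optional[str]:
    """Return the user for a request, or None when the token is absent, unknown or expired."""
    token = extract_token(header)
    return None if token is None else store.lookup(token, now)


# --- Variant 2: self-contained signed token, validated without any lookup ---

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def issue_signed(username: str, now: float, ttl_seconds: int, key: bytes) -> str:
    """Hypothetical minimal 'payload.signature' token (HMAC-SHA256 over the payload)."""
    payload = _b64(json.dumps({"sub": username, "exp": int(now + ttl_seconds)}).encode())
    signature = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{signature}"


def validate_signed(token: str, key: bytes, now: float) -> Optional[str]:
    """Verify the signature first, then the expiry; no server-side state is consulted."""
    try:
        payload, signature = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return None if now >= claims["exp"] else claims["sub"]


def authorize_signed(header: Optional[str], key: bytes, now: float) -> Optional[str]:
    token = extract_token(header)
    return None if token is None else validate_signed(token, key, now)


if __name__ == "__main__":
    now = time.time()
    store = OpaqueTokenStore(ttl_seconds=3600)
    guid = store.issue("admin", now)          # what POST /auth would return
    print(authorize_opaque(f"Bearer {guid}", store, now))        # admin
    print(authorize_opaque(guid, store, now))                    # admin (no prefix)
    print(authorize_opaque(f"Bearer {guid}", store, now + 4000)) # None: expired
    key = b"constructed-demo-key-do-not-reuse-32b"
    signed = issue_signed("admin", now, 3600, key)
    print(authorize_signed(f"Bearer {signed}", key, now))        # admin, no lookup
```

The two variants make the replies' point concrete: the GUID design costs one store lookup per request but can be revoked instantly by deleting the row, while the signed token costs only a signature check and stays valid until its expiry unless the server adds a lookup (a deny-list) after all. Whether the "Bearer" prefix is present changes nothing about either validation; it only decides whether off-the-shelf clients will attach the token without custom code.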
User1536465747 posted
Hmm, I am not quite sure that I understand the last answer.
Do you say that I SHOULD use a JWT Bearer Token if my API code has access to the database?
Also I was wondering if it's OK to have a non-standard Bearer token and still make the consumers use it like it is a bearer token? e.g. Authorization: Bearer <non-standard-formatted-token> OR do I need to set the format according to the standard in case I want to use Bearer authorization?
Thank you
Saturday, February 20, 2021 11:41 AM
User1536465747 posted
It seems like you made up your mind before asking this question. I would use a JWT because JWT is an industry standard. Frameworks like .NET come with libraries for handling JWTs and most client software already knows how to handle JWTs. I prefer to use existing libraries rather than writing and testing a custom solution.
Design and implement whatever you like, and if that design is an Authorization header with a bearer GUID then great. You just need to let the clients know how the token works and the client will need to write a little custom code.

Ha you are right. I am just looking for a confirmation :)
Thank you for the good points. It's much appreciated
Saturday, February 20, 2021 1:28 PM