Bearer Token

Question

User1536465747 posted

Hello Guys,

What could be disadvantage (if any) of using header authorization with a token without Bearer prefix? 

Namely my token is a GUID value and it's NOT in the well known format HEADER.PAYLOAD.SIGNATURE, and honestly I don't see any issues with that. However, I doubt that I possibly miss something. Do I?

Thank you in advance

Answer 1

User475983607 posted

I think you are asking about JavaScript Web Tokens (JWT).   

https://jwt.io/introduction

Answer 2

User1536465747 posted

Actually no. This is an API with authentication.  They send username and password and get token which imo doesn't need to be a Bearer.

Thus, my question is if it's bad decision to have the token string to be simply a GUID? 

Thanks 

Answer 3

User475983607 posted

Thus, my question is if it's bad decision to have the token string to be simply a GUID? 

Probably a poor decision but we don't know your security requirements.  

The bearer token is an industry standard in token authentication.  I recommend doing a little research so you understand the standard.  Then you can make a decision.  Given the little information you have provide, I would fail the design in a code review with the recommendation to use standards. 

Answer 4

User-474980206 posted

The main disadvantage of using a guid as token, is it requires a server lookup to translate the token to user credentials, while a bearer token just requires decryption or validation. If your app requires persistent state also then this may not be an issue.

Answer 5

User1536465747 posted

Probably a poor decision but we don't know your security requirements. 

Basically, it is an API that returns JSON data to the consumers. The data itself is not so sensitive but, anyway I plan to have some really sensitive data over there and I want to be 100% sure if I should keep using the GUID as token or follow the standards?

From what I read here it seems that I should stick to the standard anyway. Right?

Answer 6

User1536465747 posted

The main disadvantage of using a guid as token, is it requires a server lookup to translate the token to user credentials, while a bearer token just requires decryption or validation. If your app requires persistent state also then this may not be an issue.

Actually all that I do is checking against the database if certain token (GUID) is present and if it's not expired. I do not translate nor decrypt anything. Meaning, as said it is a very basic API with IAuthorizationFilter set to guard the controllers (endpoints). 

1. you POST your username and pwd e.g. {"username":"admin","pwd":"123"} to https://api.domain.com/auth
2. if the login is valid you get your token in the response
3. you make new GET request adding the token in the header (Authorization)
4. if your token is valid you get the data you need e.g. https://api.domain.com/items

Thank you so much

Answer 7

User-474980206 posted

then thats fine. the use of JWT bearer Tokens is to avoid a database access or a 3rd party source (your code does not have access to the database).

Answer 8

User1536465747 posted

Hmm I am not quite sure that I understand the last answer. 

Do you say that I SHOULD use JWT Bearer Token if my API code has access to the database? 

Also I was wondering if it's OK to have a non-standard Bearer token and still making the consumers to use it like it is a bearer token? e.g. Authorization: Bearer <non-standard-formatted-token> OR I need to set the format according to the standard in case I want to use Bearer authorization?

Thank you

Answer 9

User475983607 posted

KulerMaster

Also I was wondering if it's OK to have a non-standard Bearer token and still making the consumers to use it like it is a bearer token? e.g. Authorization: Bearer <non-standard-formatted-token> OR I need to set the format according to the standard in case I want to use Bearer authorization?

It seems like you made up your mind before asking this question.  I would use a JWT because JWT is an industry standard.  Frameworks like .NET come with libraries for handling JWTs and most clients software already know how to handle JWTs.  I prefer to use existing libraries rather than writing and testing a custom solution.   

Design and implement whatever you like and if that design is an Authorization header with a bearer guid then great.  You just need to let the clients know how the token works and the client will need to write a little custom code.

 

Answer 10

User1536465747 posted

It seems like you made up your mind before asking this question.  I would use a JWT because JWT is an industry standard.  Frameworks like .NET come with libraries for handling JWTs and most clients software already know how to handle JWTs.  I prefer to use existing libraries rather than writing and testing a custom solution.   

Design and implement whatever you like and if that design is an Authorization header with a bearer guid then great.  You just need to let the clients know how the token works and the client will need to write a little custom code.

 

Ha you are right. I am just looking for a confirmation :)

Thank you for the good points. It's much appreciated