访问令牌机器的可移植性

Question

I'm developing a REST API which uses an Access Token for verifying & validating.

There is one scenario where user can obtain the Access Token by providing proper credentials and use the same Access Token from a different machine to access any REST API.

I just wanted to check if there's any downside to allowing such a case?

Answer 1

Assuming we're talking OAuth 2.0: it actually depends on the access token type: a so-called Bearer access tokens can be used by any Client that gets hold of it. Bearer access tokens are used in the majority of OAuth 2.0 deployments today.

Other types of access tokens are emerging (so-called Proof of Possession tokens) that require the Client to prove that they are really the intended presenter. In that case just having the access token on a different machine is not enough. In even more advanced emerging scenario's ("token binding") the token may be bound to the TLS connection so it can never be used by another Client or on another connection.

But as said, for the majority of OAuth 2.0 deployments today, it would be possible to use the Bearer access token from another machine.

Answer 2

The access token should be signed by the server, and shouldn't include any information about the specific client/machine used to access it.

For example, in the OAuth 2.0 password grant flow, the username/password is exchanged for an access token. The token is signed by the issuing token server, and represents that user's authentication and authorization claims. What machine the user is making requests from makes no difference.

So, tl;dr - yes, access tokens are portable between machines. It's not a typical use case (how would the access token get from one machine to another?), but it's perfectly valid.