stackoom
  简体   繁体   中英

Web API Security and Authentication - bearer token

 原文  2014-08-19 22:07:02       c#/ asp.net/ api/ security/ authentication

Question

I am working on learning about Web API and API's methodology in general.

At this time, I'm am investigating Authentication.

I know there are several ways for API authentication and authorization. The most common seems to be bearer token.

I also see SAML and I know about x509 as well (From my WCF days).

I'd like to talk about bearer token today. Bearer token is passed as a header. Headers are not encrypted might not be encrypted?, therefore, it could be possible for someone to grab said token and impersonate the user without consent. This is my view on a bearer token. It seems many popular services today use this method of authentication for API's.

What other options are out there besides bearer token but is more or less just as secure as HMACing the message, etc?

I seem to know a little about a lot of authentication methods. I am trying to understand more and would like to build a very secure API that allows for SSO (Single sign on) - If bearer token is the way to go, then great, it is very easy and out of the box solution. If there is something better and more secure, I am open to that even if the work and time is far more than bearer token.

I don't know why I don't like the sound of a bearer token, but it just seems to easy to attack and exploit. Especially for a payment related type service.

Thanks!

2 answers

solution1
 3 ACCPTED  2014-09-15 22:15:45

标头使用HTTPS加密 - Bearer令牌对于安全性非常好,我现在在我的企业应用程序中使用它。

solution2
 2  2014-08-19 22:23:41

Bearer token is passed as a header. Headers are not encrypted, therefore, it could be possible for someone to grab said token and impersonate the user without consent.

While this may not always be an ideal solution, you could make sure that you are only passing data using https. According to Eran Hammer (who is actually advising against using bearer tokens in this article), header information will remain safe if passed using HTTPS. Also, you could add your own encryption algorithm to the token or sensitive data when you need to use it again.
See #8 in 10 Things You Should Know About Tokens

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Web API 2 OWIN Bearer token custom authentication Very basic bearer token authentication and authorization in Web API 2 Decrypt Bearer Token in Web API How to set some user data when token generate using web api bearer token base authentication Azure AD with Bearer token authentication for Web API not working throwing error as “Authorization has been denied for this request.” How to force Invalid Bearer token in web api? Web API token authentication Signalr Bearer token authentication OWIN Bearer Token Authentication Azure B2C Authentication (angular + .net core Web API) - Neither scope or roles claim was found in the bearer token
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM