What are Bearer Tokens and token type in OAuth 2

Question

I m trying to implement the Resource Owner  amp  Password Credentials flow from the OAuth 2 spec  I m having trouble understanding the token type value that gets sent back with a valid response  In the spec all the examples show  token type   example  but says it should be     token type            REQUIRED   The type of the token issued as described in            Section 7 1   Value is case insensitive    Can someone please explain this to me

User · Answer

Anyone can define  token type  as an OAuth 2 0 extension  but currently  bearer  token type is the most common one   https   tools ietf org html rfc6750  Basically that s what Facebook is using  Their implementation is a bit behind from the latest spec though   If you want to be more secure than Facebook  or as secure as OAuth 1 0 which has  signature    you can use  mac  token type   However  it will be hard way since the mac spec is still changing rapidly   https   tools ietf org html draft-ietf-oauth-v2-http-mac-05

User · Answer

From RFC 6750  Section 1 2   Bearer Token A security token with the property that any party in possession of the token  a  quot bearer quot   can use the token in any way that any other party in possession of it can  Using a bearer token does not require a bearer to prove possession of cryptographic key material  proof-of-possession    The Bearer Token or Refresh token is created for you by the Authentication server  When a user authenticates your application  client  the authentication server then goes and generates for your a Bearer Token  refresh token  which you can then use to get an access token  The Bearer Token is normally some kind of cryptic value created by the authentication server  it isn t random it is created based upon the user giving you access and the client your application getting access  See also  Mozilla MDN Header Information

User · Answer

token type is a parameter in Access Token generate call to Authorization server  which essentially represents how an access token will be generated and presented for resource access calls  You provide token type in the access token generation call to an authorization server  If you choose Bearer  default on most implementation   an access token is generated and sent back to you  Bearer can be simply understood as  quot give access to the bearer of this token  quot  One valid token and no question asked  On the other hand  if you choose Mac and sign type  default hmac-sha-1 on most implementation   the access token is generated and kept as secret in Key Manager as an attribute  and an encrypted secret is sent back as access token  Yes  you can use your own implementation of token type  but that might not make much sense as developers will need to follow your process rather than standard implementations of OAuth

[oauth-2.0] What are Bearer Tokens and token_type in OAuth 2?

Examples related to oauth-2.0