What is the OAuth 2 0 Bearer Token exactly

Question

According to RFC6750-The OAuth 2 0 Authorization Framework  Bearer Token Usage  the bearer token is      A security token with the property that any party in possession of the token  a  bearer   can use the token in any way that any other party in possession of it can    To me this definition is vague and I can t find any specification     Suppose I am implementing an authorization provider  can I supply any kind of string for the bearer token  Can it be a random string  Does it have to be a base64 encoding of some attributes  Should it be hashed  And does the service provider need to query the authorization provider in order to validate this token    Thank you for any pointer

User · Answer

As I read your question  I have tried without success to search on the Internet how Bearer tokens are encrypted or signed  I guess bearer tokens are not hashed  maybe partially  but not completely  because in that case  it will not be possible to decrypt it and retrieve users properties from it    But your question seems to be trying to find answers on Bearer token functionality      Suppose I am implementing an authorization provider  can I supply any   kind of string for the bearer token  Can it be a random string  Does   it has to be a base64 encoding of some attributes  Should it be   hashed    So  I ll try to explain how Bearer tokens and Refresh tokens work   When user requests to the server for a token sending user and password through SSL  the server returns two things  an Access token and a Refresh token   An Access token is a Bearer token that you will have to add in all request headers to be authenticated as a concrete user   Authorization  Bearer  lt access token gt    An Access token is an encrypted string with all User properties  Claims and Roles that you wish   You can check that the size of a token increases if you add more roles or claims   Once the Resource Server receives an access token  it will be able to decrypt it and read these user properties  This way  the user will be validated and granted along with all the application   Access tokens have a short expiration  ie  30 minutes   If access tokens had a long expiration it would be a problem  because theoretically there is no possibility to revoke it  So imagine a user with a role  Admin  that changes to  User   If a user keeps the old token with role  Admin  he will be able to access till the token expiration with Admin rights  That s why access tokens have a short expiration   But  one issue comes in mind  If an access token has short expiration  we have to send every short period the user and password  Is this secure  No  it isn t  We should avoid it  That s when Refresh tokens appear to solve this problem   Refresh tokens are stored in DB and will have long expiration  example  1 month    A user can get a new Access token  when it expires  every 30 minutes for example  using a refresh token  that the user had received in the first request for a token   When an access token expires  the client must send a refresh token  If this refresh token exists in DB  the server will return to the client a new access token and another refresh token  and will replace the old refresh token by the new one    In case a user Access token has been compromised  the refresh token of that user must be deleted from DB  This way the token will be valid only till the access token expires because when the hacker tries to get a new access token sending the refresh token  this action will be denied

User · Answer

A bearer token is like a currency note e.g 100$ bill . One can use the currency note without being asked any/many questions.

Bearer Token A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can. Using a bearer token does not require a bearer to prove possession of cryptographic key material (proof-of-possession).

User · Answer

Please read the example in rfc6749 sec 7.1 first.

The bearer token is a type of access token, which does NOT require PoP(proof-of-possession) mechanism.

PoP means kind of multi-factor authentication to make access token more secure. ref

Proof-of-Possession refers to Cryptographic methods that mitigate the risk of Security Tokens being stolen and used by an attacker. In contrast to 'Bearer Tokens', where mere possession of the Security Token allows the attacker to use it, a PoP Security Token cannot be so easily used - the attacker MUST have both the token itself and access to some key associated with the token (which is why they are sometimes referred to 'Holder-of-Key' (HoK) tokens).

Maybe it's not the case, but I would say,

access token = payment methods
bearer token = cash
access token with PoP mechanism = credit card (signature or password will be verified, sometimes need to show your ID to match the name on the card)

BTW, there's a draft of "OAuth 2.0 Proof-of-Possession (PoP) Security Architecture" now.

User · Answer

Bearer Token   A security token with the property that any party in possession of   the token  a  bearer   can use the token in any way that any other   party in possession of it can   Using a bearer token does not   require a bearer to prove possession of cryptographic key material    proof-of-possession     The Bearer Token is created for you by the Authentication server  When a user authenticates your application  client  the authentication server then goes and generates for you a Token    Bearer Tokens are the predominant type of access token used with OAuth 2 0    A Bearer token basically says  Give the bearer of this token access    The Bearer Token is normally some kind of opaque value created by the authentication server  It isn t random  it is created based upon the user giving you access and the client your application getting access   In order to access an API for example you need to use an Access Token  Access tokens are short lived  around an hour   You use the bearer token to get a new Access token  To get an access token you send the Authentication server this bearer token along with your client id  This way the server knows that the application using the bearer token is the same application that the bearer token was created for  Example  I can t just take a bearer token created for your application and use it with my application it wont work because it wasn t generated for me   Google Refresh token looks something like this   1 mZ1edKKACtPAb7zGlwSzvs72PvhAbGmB8K1ZrGxpcNM  copied from comment  I don t think there are any restrictions on the bearer tokens you supply  Only thing I can think of is that its nice to allow more than one  For example a user can authenticate the application up to 30 times and the old bearer tokens will still work  oh and if one hasn t been used for say 6 months I would remove it from your system  It s your authentication server that will have to generate them and validate them so how it s formatted is up to you   Update   A Bearer Token is set in the Authorization header of every Inline Action HTTP Request  For example   POST  rsvp eventId 123 HTTP 1 1 Host  events-organizer com Authorization  Bearer AbCdEf123456 Content-Type  application x-www-form-urlencoded User-Agent  Mozilla 5 0  X11  Linux x86 64  AppleWebKit 1 0  KHTML  like Gecko  Gmail Actions   rsvpStatus YES   The string  AbCdEf123456  in the example above is the bearer authorization token  This is a cryptographic token produced by the authentication server  All bearer tokens sent with actions have the issue field  with the audience field specifying the sender domain as a URL of the form https     For example  if the email is from noreply example com  the audience is https   example com   If using bearer tokens  verify that the request is coming from the authentication server and is intended for the the sender domain  If the token doesn t verify  the service should respond to the request with an HTTP response code 401  Unauthorized    Bearer Tokens are part of the OAuth V2 standard and widely adopted by many APIs

User · Answer

Bearer token is one or more repetition of alphabet, digit, "-" , "." , "_" , "~" , "+" , "/" followed by 0 or more "=".

RFC 6750 2.1. Authorization Request Header Field (Format is ABNF (Augmented BNF))

The syntax for Bearer credentials is as follows:

     b64token    = 1*( ALPHA / DIGIT /
                       "-" / "." / "_" / "~" / "+" / "/" ) *"="
     credentials = "Bearer" 1*SP b64token

It looks like Base64 but according to Should the token in the header be base64 encoded?, it is not.

Digging a bit deeper in to "HTTP/1.1, part 7: Authentication"**, however, I see that b64token is just an ABNF syntax definition allowing for characters typically used in base64, base64url, etc.. So the b64token doesn't define any encoding or decoding but rather just defines what characters can be used in the part of the Authorization header that will contain the access token.

This fully addresses the first 3 items in the OP question's list. So I'm extending this answer to address the 4th question, about whether the token must be validated, so @mon feel free to remove or edit:

The authorizer is responsible for accepting or rejecting the http request. If the authorizer says the token is valid, it's up to you to decide what this means:

Does the authorizer have a way of inspecting the URL, identifying the operation, and looking up some role-based access control database to see if it is allowed? If yes and the request comes through, the service can assume it is allowed, and does not need to verify.
Is the token an all-or-nothing, so if the token is correct, all operations are allowed? Then the service doesn't need to verify.
Does the token mean "this request is allowed, but here is the UUID for the role, you check whether the operation is allowed". Then it's up to the service to look up that role, and see if the operation is allowed.

[oauth] What is the OAuth 2.0 Bearer Token exactly?

The answer is

References

Examples related to oauth

Examples related to bearer-token

Tags