Who issued the bearer token


My server gets a bearer token in the header like so: Authorization: Bearer <token>. Now I need to validate that token, and for that to happen, I need to know who issued the token. For example, a Google token would require me to validate it using a Google API, and a Facebook-issued token would need me to validate it using a Facebook API.

So how can I tell where the token originated from? Perhaps I need another field in the header that specifies its origin?










      authentication oauth-2.0 jwt






      asked Mar 23 at 23:36









Barry Steyn
          2 Answers
          Since you are using multiple authorization providers, I guess you don't utilize scopes other than profile (to get user's identity). So I think you could use your own OAuth2 server that supports authentication using external providers (Google, Facebook). Then your application would deal only with access tokens issued by your OAuth2 server, which would also keep info about the user's identity. This solution has an added benefit that you could support users without a social network account - they would create a new account at your OAuth2 server.



          Another solution is probably less elegant, but easier to implement. Create a rule, that before using an access token, clients must register the token at some new endpoint with information about the token issuer (Google, Facebook ...). Then you can keep the info about who issued which token. At this point, after validating the access token, you can also consider replacing the token for a session cookie that would be used later for accessing your API instead of the access token. This solution is stateful, which makes it harder to scale, but using cookies would probably make clients easier to implement (no need for token refreshing).



As you wrote, you can also require extra info about who issued the token. You could use a custom HTTP header or a token prefix for it. It's easy to implement and it would not introduce a state to your backend.

Maybe there are some more solutions. It's up to you to choose one that would suit your needs.






answered Mar 24 at 18:39
Ján Halaša

          • Yes, in the medium term, I will be using my own OAuth2 server (or openId server), and I will definitely implement the solution you propose. For now, I think the header approach is the best.

            – Barry Steyn
            Mar 25 at 16:01


















If you mean Authorization: Bearer <token> to be the Bearer Token Usage defined by RFC 6750, then there are a few options to consider.

If by any means the token (the token sent in the header) is a JSON Web Token (JWT), then your API can validate the issuer parameter in the JWT to identify the issuer. To use this approach, the request-sending client needs to obtain JWT access tokens. Check with the different providers about this capability.

If the first option fails, then you will have to use a custom header to communicate issuer details. Access tokens by definition (other than when a JWT is used) are opaque, so your API has no way to derive the issuer by looking at it. So your client will need to communicate issuer details.

The third option is to have a client registration prior to allowing them to consume your API. Once registered, you can issue them an identifier which you can map to the access token issuer. When the client makes a request, you can ask them to communicate client information through, for example, a header. This way you restrict your API-consuming capability to registered clients rather than anyone who can obtain an access token.






answered Mar 25 at 8:31
Kavindu Dodanduwa
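As an added example (not from either answer above), here is a Python routing step that combines the JWT and custom-header approaches both answers describe: when the bearer token parses as a JWT, its unverified `iss` claim selects which issuer's validator must verify it; otherwise a client-supplied header does; and in both cases only allowlisted issuers are accepted. The header name `X-Token-Issuer`, the issuer URLs and the validator names are assumptions.

```python
import base64
import json
import re
from typing import Optional

# Constructed allowlist: each trusted issuer maps to the validator that must
# verify its tokens (JWKS signature check for JWTs, provider token-info or
# introspection call for opaque tokens). URLs and names are assumptions.
KNOWN_ISSUERS = {
    "https://accounts.google.com": "google-validator",
    "https://www.facebook.com": "facebook-validator",
    "https://auth.example.internal": "own-oauth2-validator",
}

# Hypothetical custom header (not named on the page) a client sends when its
# token is opaque, so the issuer cannot be read from the token itself.
ISSUER_HEADER = "X-Token-Issuer"

# b64token syntax from RFC 6750 section 2.1.
_BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$")


def extract_bearer(authorization: Optional[str]) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', or None."""
    if not authorization:
        return None
    m = _BEARER_RE.match(authorization.strip())
    return m.group(1) if m else None


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def unverified_jwt_issuer(token: str) -> Optional[str]:
    """If the token is a JWS compact serialization, return its 'iss' claim.

    The signature is NOT checked here, so the value is attacker-controlled
    until the selected validator verifies the token: use it only to choose
    which key set / validator to run, never as proof of identity.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON: treat as opaque
        return None
    if not isinstance(header, dict) or "alg" not in header:
        return None
    iss = claims.get("iss") if isinstance(claims, dict) else None
    return iss if isinstance(iss, str) else None


def select_validator(headers: dict) -> str:
    """Pick the validator for this request's bearer token (headers: dict with
    canonical names). Raises ValueError if no trusted issuer is determined."""
    token = extract_bearer(headers.get("Authorization"))
    if token is None:
        raise ValueError("missing or malformed bearer token")
    iss = unverified_jwt_issuer(token)
    if iss is None:
        # Opaque token: fall back to the client-supplied hint, accepted only
        # when it names an issuer on the allowlist.
        iss = headers.get(ISSUER_HEADER)
    if iss not in KNOWN_ISSUERS:
        raise ValueError("untrusted or unknown issuer")
    return KNOWN_ISSUERS[iss]


def constructed_token(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature (test input only)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"
```

Reading `iss` before verification only chooses the key set; the selected validator still has to check the signature (or introspect the opaque token) before any claim in the token is trusted.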






















