
I am working on learning about Web API and API methodology in general.

At this time, I am investigating authentication.

I know there are several ways for API authentication and authorization. The most common seems to be the bearer token.

I also see SAML, and I know about X.509 as well (from my WCF days).

I'd like to talk about bearer tokens today. A bearer token is passed as a header. Headers are not encrypted (or might not be encrypted?), therefore it could be possible for someone to grab said token and impersonate the user without consent. This is my view on bearer tokens. It seems many popular services today use this method of authentication for APIs.

What other options are out there besides bearer tokens that are more or less just as secure, such as HMACing the message, etc.?

I seem to know a little about a lot of authentication methods. I am trying to understand more and would like to build a very secure API that allows for SSO (single sign-on). If bearer tokens are the way to go, then great; it is a very easy, out-of-the-box solution. If there is something better and more secure, I am open to that, even if the work and time are far more than for bearer tokens.

I don't know why I don't like the sound of a bearer token, but it just seems too easy to attack and exploit, especially for a payment-related type of service.

Thanks!

bugnuker
  • This isn't a complete answer, but I have toyed with WebAPI and tokens. Bearer tokens aren't just some random sequence of bytes. They contain encrypted information. For my case, I tried encrypting the client's ip address inside the token, so that even if someone were to hijack it, it wouldn't work unless the client's IP address matched what the token contained. I know this isn't a complete solution, but it worked. – Nathan A Aug 19 '14 at 22:17
  • How did you control the token from the STS server handing out tokens? – bugnuker Aug 19 '14 at 22:20
  • 1
    The headers are encrypted. See this answer http://stackoverflow.com/questions/187655/are-https-headers-encrypted – SamV Aug 19 '14 at 22:23
  • I don't have the exact code, but I do know the WebAPI SDK allows you to override the default implementation for token generation and validation. – Nathan A Aug 19 '14 at 22:29
  • 1
    Here is an article that goes into rejecting an existing token. There is likely an event for creating one as well inside the `OAuthBearerAuthenticationProvider`. http://www.pressinganswer.com/81522/how-do-you-reject-a-katana-bearer-tokens-identity – Nathan A Aug 19 '14 at 22:33

2 Answers


Headers are encrypted using HTTPS. Bearer tokens are perfectly fine for security, and I am using them in my enterprise application now.

bugnuker


Bearer token is passed as a header. Headers are not encrypted, therefore, it could be possible for someone to grab said token and impersonate the user without consent.

While this may not always be an ideal solution, you could make sure that you are only passing data using HTTPS. According to Eran Hammer (who is actually advising against using bearer tokens in this article), header information will remain safe if passed using HTTPS. Also, you could add your own encryption algorithm to the token or sensitive data when you need to use it again.
See #8 in 10 Things You Should Know About Tokens

  • I did see/find that headers are encrypted - this is a bonus. I'd still like to see what other options are out there, such as something that involves MACing the message? – bugnuker Aug 19 '14 at 22:24
  • This really should have been a comment to begin with, I apologize. I'm not as familiar with other methodology, but I can say that I'm decently satisfied with the security provided by the bearer token. I'm using it with an MVC Web API, over HTTPS. – disappointed in SO leadership Aug 19 '14 at 22:29
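The two approaches this thread circles around, written out as an added example in Python: a self-contained bearer token carried over HTTPS (with the expiry and the client-address binding suggested in the comments under the question), and the "HMAC the message" alternative the question asks about, where the client never sends its secret and instead signs each request. This is not code from the original post or from ASP.NET Web API; the key material, the `X-Key-Id`/`X-Timestamp`/`X-Signature` header names, the 300-second freshness window and the `<payload>.<tag>` token layout are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Keys are constructed for this example; real ones come from a secret store.
SERVER_KEY = b"server-side token signing key (example only)"
CLIENT_SECRETS = {"key-1234": b"per-client shared secret (example only)"}
MAX_CLOCK_SKEW = 300  # seconds a signed request stays acceptable (assumed value)


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- 1. Self-contained bearer token: whoever holds it can use it, so it
#        carries an expiry and the address it was issued to. -------------------

def mint_bearer_token(subject: str, client_ip: str, ttl_seconds: int, now=None) -> str:
    """Issue '<payload>.<tag>'; the payload is readable, the HMAC tag makes it unforgeable."""
    now = int(time.time()) if now is None else int(now)
    payload = {"sub": subject, "ip": client_ip, "exp": now + ttl_seconds}
    body = _b64u(json.dumps(payload, sort_keys=True).encode())
    tag = _b64u(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def validate_bearer_token(token: str, client_ip: str, now=None):
    """Return the subject if the token is genuine, unexpired and bound to client_ip, else None."""
    now = int(time.time()) if now is None else int(now)
    try:
        body, tag = token.split(".")
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        # Verify the tag before trusting anything in the payload; constant-time compare.
        if not hmac.compare_digest(expected, _unb64u(tag)):
            return None
        payload = json.loads(_unb64u(body))
        if payload["exp"] <= now or payload["ip"] != client_ip:
            return None
        return payload["sub"]
    except (ValueError, KeyError, TypeError):  # malformed, bad base64/JSON, missing claims
        return None


# --- 2. HMAC-signed requests: the secret never crosses the wire; a captured
#        signature only ever matches the exact request it was made for. --------

def _string_to_sign(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    # Cover everything the server will act on: verb, path, time and body digest.
    parts = [method.upper(), path, str(timestamp), hashlib.sha256(body).hexdigest()]
    return "\n".join(parts).encode()


def sign_request(key_id: str, secret: bytes, method: str, path: str, body: bytes, now=None) -> dict:
    """Client side: build the auth headers (assumed names X-Key-Id, X-Timestamp, X-Signature)."""
    ts = int(time.time()) if now is None else int(now)
    mac = hmac.new(secret, _string_to_sign(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Signature": mac}


def verify_request(headers: dict, method: str, path: str, body: bytes, now=None) -> bool:
    """Server side: True only for a fresh request whose MAC matches the secret for X-Key-Id."""
    now = int(time.time()) if now is None else int(now)
    secret = CLIENT_SECRETS.get(headers.get("X-Key-Id", ""))
    if secret is None:
        return False
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_CLOCK_SKEW:  # stale: an old capture cannot be replayed later
        return False
    expected = hmac.new(secret, _string_to_sign(method, path, ts, body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


if __name__ == "__main__":
    tok = mint_bearer_token("alice", "203.0.113.7", 600)
    print("bearer ok:", validate_bearer_token(tok, "203.0.113.7"))          # alice
    print("bearer from other IP:", validate_bearer_token(tok, "198.51.100.9"))  # None
    body = b'{"amount": 10}'
    hdrs = sign_request("key-1234", CLIENT_SECRETS["key-1234"], "POST", "/v1/payments", body)
    print("signed request ok:", verify_request(hdrs, "POST", "/v1/payments", body))   # True
    print("same headers, other path:", verify_request(hdrs, "POST", "/v1/refunds", body))  # False
```

What the two halves show: the bearer token is still a bearer token, so a copy stolen from a client on the same network works until `exp`; the expiry and IP claim only shrink the window, and TLS is what keeps the header off the wire in the first place. With request signing, a stolen `X-Signature` is worthless for any other path, body or time, and the shared secret is never transmitted, but TLS is still needed for confidentiality of the payload, and a replay inside the freshness window would need a server-side nonce cache on top of the timestamp check.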