
I have a question regarding the auth-scheme. I stumbled across JSON Web Tokens and one of the official pages:

https://jwt.io/introduction/

They use

Authorization: Bearer <token>

In the past I was familiar with Authorization: JWT <token> and had assumed that was correct until today, when I read the official JWT web page and saw that they use Bearer <token> instead.

I was testing the Knock Rails gem: https://github.com/nsarno/knock and with this library, I was able to make a Postman request to my Rails API with a random auth-scheme:

example 1

I could even get rid of the auth-scheme completely:

example 2

When I remove my JWT token from the Authorization header, however, it returns a 401 Unauthorized response as expected, so I know it's... working?

example 3

So I began to think... is there a purpose to the auth-scheme?

Is a library or web server supposed to honour/respect/enforce the correct usage of the auth-scheme in the Authorization header?

I came across this Stackoverflow post in my quest for an answer:

Custom HTTP Authorization Header

It showed the official format is:

credentials = auth-scheme #auth-param

The example given was even more bizarre:

Authorization: FIRE-TOKEN apikey="0PN5J17HBGZHT7JJ3X82", hash="frJIUN8DYpKDtOLCwo//yllqDzg="

I don't know if this qualifies as a programming question. I can blindly follow/use a third-party library.

What's the purpose of the auth-scheme?

I'm no cryptography/computer security expert.

Maybe someone can shed some light on the issue (or maybe non-issue?)?

1 Answer


The authorization scheme is just an indication to the server of what type of credentials are following. A client can use the basic scheme

Authorization: Basic <base64(username:password)>

Or the bearer scheme

Authorization: Bearer <base64(JWT)>

Or the Hawk scheme

Authorization: Hawk id="...", ts="...", nonce="...", ext="...", mac="..."

Or any other scheme it can agree on with the server.

  • Yes, the auth-scheme is there to tell the server what the following token is; that's rather obvious. The more important question is whether a server should enforce it? – Zhang May 25 '16 at 07:39
  • @Zhang If the server only takes JWT tokens as authorization, it can be forgiving and ignore the auth-scheme identifier. But if the server supports multiple auth schemes, it needs the identifier to be able to tell what is following it. – MvdD May 25 '16 at 15:39
  • Sounds sensible :) I guess my concern is whether it poses a security problem in the future if the server doesn't enforce the auth-scheme for the received token. – Zhang May 25 '16 at 15:43
  • I don't see a security concern, as long as the passed credentials are validated. But neither do I see any advantage in omitting the identifier. – MvdD May 25 '16 at 16:38
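As an added example (not code from Knock, jwt.io or the answer above), here is what a server that supports several schemes, the case the comments describe, has to do with the header: parse the auth-scheme and the credentials that follow it according to the RFC 7235 grammar the question quotes (a single token68 blob, or a comma-separated list of auth-params with optional quoted-string values), then dispatch on the scheme. The user table, the token table and the Hawk parameter values are constructed for the demo; the Bearer handler does a table lookup where a real server would verify the JWT, and the Hawk handler only checks that the parameters are present rather than recomputing the MAC. With this dispatcher, the "JWT <token>" header and the bare token that Knock accepted in the question both get a 401, because no handler is registered under those schemes.

```ruby
require 'base64'
require 'strscan'

# Strict Authorization-header parser (RFC 7235 grammar) plus a dispatcher
# keyed on the auth-scheme. Added example; not Knock's or jwt.io's code.
module AuthScheme
  Credentials = Struct.new(:scheme, :token68, :params)

  TOKEN   = /[!#$%&'*+\-.^_`|~0-9A-Za-z]+/          # RFC 7230 token
  TOKEN68 = /\A[A-Za-z0-9\-._~+\/]+=*\z/            # base64-style blobs, JWTs
  QUOTED  = /"((?:[^"\\]|\\.)*)"/                   # quoted-string

  # Parses "Scheme token68" or "Scheme name=value, name2="v2"".
  # Returns Credentials (scheme downcased, so matching is case-insensitive)
  # or nil when the header does not fit the grammar.
  def self.parse(header)
    return nil if header.nil?
    scheme, rest = header.strip.split(/\s+/, 2)
    return nil unless scheme && scheme.match?(/\A#{TOKEN}\z/)
    creds = Credentials.new(scheme.downcase, nil, {})
    return creds if rest.nil? || rest.empty?
    if rest.match?(TOKEN68)
      creds.token68 = rest
    else
      creds.params = parse_params(rest) or return nil
    end
    creds
  end

  # auth-param list: names are case-insensitive, commas inside quoted
  # strings are preserved, duplicate names and trailing junk are rejected.
  def self.parse_params(rest)
    ss = StringScanner.new(rest)
    params = {}
    loop do
      ss.skip(/\s*/)
      name = ss.scan(TOKEN) or return nil
      ss.skip(/\s*/)
      ss.skip(/=/) or return nil
      ss.skip(/\s*/)
      value = if ss.scan(QUOTED)
                ss[1].gsub(/\\(.)/, '\1')         # unescape quoted-pair
              else
                ss.scan(TOKEN) or return nil
              end
      return nil if params.key?(name.downcase)
      params[name.downcase] = value
      ss.skip(/\s*/)
      break if ss.eos?
      ss.skip(/,/) or return nil
    end
    params
  end

  # Hands the parsed credentials to the handler registered for the scheme.
  # A missing, malformed or unregistered scheme is a 401: a server that
  # supports several schemes cannot guess which validator to run.
  def self.authenticate(header, handlers)
    creds = parse(header)
    handler = creds && handlers[creds.scheme]
    return [401, nil] unless handler
    principal = handler.call(creds)
    principal ? [200, principal] : [401, nil]
  end
end

# Constructed demo credential stores (not real secrets or real tokens).
USERS  = { 'alice' => 'hunter2' }
TOKENS = { 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJib2IifQ.c2lnbmF0dXJl' => 'bob' }

HANDLERS = {
  'basic'  => ->(c) {
    decoded = c.token68 && (Base64.strict_decode64(c.token68) rescue nil)
    user, pass = decoded&.split(':', 2)
    user if user && USERS[user] == pass
  },
  # A real Bearer handler verifies the JWT signature and claims here.
  'bearer' => ->(c) { c.token68 && TOKENS[c.token68] },
  # A real Hawk handler recomputes the MAC over the request; this only
  # checks that the required parameters were parsed.
  'hawk'   => ->(c) { c.params['id'] if c.params['id'] && c.params['mac'] }
}

if __FILE__ == $PROGRAM_NAME
  jwt = TOKENS.keys.first
  [
    'Basic ' + Base64.strict_encode64('alice:hunter2'),
    "Bearer #{jwt}",
    "JWT #{jwt}",        # wrong scheme: rejected
    jwt,                 # no scheme at all: rejected
    nil,
    'Hawk id="demo-id", ts="1700000000", nonce="abc123", ext="a, b", mac="ZmFrZQ=="'
  ].each { |h| p [h, AuthScheme.authenticate(h, HANDLERS)] }
end
```

The lenient behaviour the question observed in Knock corresponds to skipping the scheme check and treating whatever follows the last space as the token; that is harmless only while Bearer/JWT is the one scheme the server will ever accept, which is exactly the condition the answer's comments put on it.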