What exactly is the difference between following two headers:
Authorization : Bearer cn389ncoiwuencr
vs
Authorization : cn389ncoiwuencr
All the sources which I have gone through, sets the value of 'Authorization' header as 'Bearer' followed by the actual token. However, I have not been able to understand the significance of it. What if I simply put the token in the Authorization header?
Then the service receiving the header would not know how to interpret it. Instead of bearer, it could also be basic for example in which case the encoded string is a base64 encoded username/password instead of a token.
There are a number of authentication schemes possible. Which one is used is indicated by the identifier in the header.
Related
I am currently working with a group of applications that are running on two separate, but equivalent, environments (Referred to as ENV1 and ENV2). I have been using OAuth 2.0 for Authorization and when I receive a response after requesting an access token from the OAuth service (I am making my requests through Postman) I get a response that looks like this from ENV1 and ENV2:
As far as I am aware, I believe that this "token_type": "Bearer" means that when I send in the access_token to my application I need to do so like this:
By sending in the token through the Authorization header, prefixed with "Bearer". This approach works fine on ENV1 but on ENV2 the request fails unless I send in the token alone with no "Bearer" prefix:
If I send in the Authorization header with the "Bearer" prefix, I get a 401 Unauthorized error as the response. This is the help tip that Postman provides(Emphasis mine):
Similar to 403 Forbidden, but specifically for use when authentication is possible but has failed or not yet been provided. The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource.
The problem here is that there IS a WWW-Authenticate header field, and it contains "Bearer", which I would assume is a "challenge applicable to the requested resource" seeing as the token response contained "token_type": "Bearer":
Questions:
Why would this be different between environments?
How is this even possible? The documentation I have found on OAuth 2.0 shows that the "Bearer" prefix is needed for requests like the ones I am trying to make. (for example, in section 2.1 of the documentation here)
From your description, it seems that the environments are not actually identical. E.g. maybe ENV2 is behind a gateway that adds the Bearer prefix to the header. Or the API on ENV2 (or the gateway) is configured to read the header without the prefix.
When the OAuth Server returns the access token, it gives you the type - a bearer token. That type means, that the token is just this - a bearer token - as opposed to a Proof-of-Possession token. When you send a bearer token to an API, you don't have to provide any additional information that would prove that you are the owner of the token. (you can compare bearer with the DPoP standard)
The Bearer Token Usage standard does require you to use the prefix Bearer in the authorization header (as you pointed out), but it doesn't mean that all the APIs and gateways implement that standard correctly, or that they use that standard at all.
To summarize:
it's up to the gateway/API to decide in what format they want the Authorization header, and that has nothing to do with the type of the token (a bearer token). It's nice when they use standards, but they don't have to.
In your setup, there must be some kind of difference between the environments if the same request is treated differently between them. If you own the environments you should investigate what is configured differently. If you don't own them, you should contact the owner's support to solve the issue.
I know modheader extension allows us to modify the header of a request. And as such we can handle authorization use cases by specifying Token. But what I've seen so far is the use of basic tokens. My question is : Does modheader allow us to specify Bearer Token as in tools like Postman or Thunder Client ? If Yes then how to do it ? Thanks for any hint
It works using the header Name "Authorization" and the value "Bearer YOURTOKEN"
Header configuration
I am new to Here and am trying to make my first API call but I keep getting back this error:
{"Type":"Unauthorized","Message":["Bearer token invalid. Bearer missing or bearer value missing."]}
Here's the URL that I'm using to call the API:
https://fuel-v2.cc.api.here.com/fuel/stations.json?apiKey=${hereApiKey}&prox=${lat},${lng},1600
I have also tried including the api key in an authorization header and get the exact same thing. I've tried with apikey= and apiKey= and the results are the same. I've also tried moving the apikey param to after the prox param (though I know that shouldn't matter). I feel like I'm following the documentation when it says that I can use api key authentication for this call and that app code authentication is deprecated, so I'm not sure what I'm doing wrong.
I am currently on a Here Freemium plan and making this call from a Node JS server application.
The token expires in 24 hours, you need to generate a new token and test again
In order to use OAuth token authentication please use the below request
https://fuel-v2.cc.ls.api.here.com/fuel/stations.xml?prox=52.516667,13.383333,5000
And in header please include
Authorization = Bearer "Oauth token"
other way to include the token is -
https://developer.here.com/documentation/fuel-prices/dev_guide/topics/request-here-environments.html
Is there a difference between using a "Bearer" Authorization header and using a custom header? For example, the "Basic" Authorization header is different from a custom header because browsers treat "Basic" Authorization headers as a special case (some browsers cache the "Basic" Authorization header). In other words, is "Bearer" just an arbitrary string or do browsers know about it?
If I don't want future browsers to cache my bearer token, should I be safe and use a custom header?
For example, is there a difference between these (assuming my server can handle both):
header('Authorization: Bearer 12345');
header('Mysite-Bearer-Token: 12345');
Bearer token is defined by OAuth 2.0. You can get more details from https://www.rfc-editor.org/rfc/rfc6750.
I want to redirect my users browser using HTTP code 303 to a GET URL that I secure using HMAC. Because the request will come from the users browser, I will not have fore-knowledge of the request headers. So I am generating the HMAC hash using the values of the HTTP method and URL only. For example, the URL I want the browser to do to might be:
GET /download
?name=report.pdf
&include=http://url1
&include=http://url2
This create report.pdf for me, containing the contents of all the urls specified using the include query param.
My HMAC code will change this URL to be
GET /download
?name=report.pdf
&include=http://url1
&include=http://url2
&hmac-algorithm=simple-hmac
&hmac-signature=idhihhoaiDOICNK
I can issue HTTP 303 to the user using this URL, and the user will get their report.pdf.
As I am not including the request headers in the signature, I am wondering two things:
1) Can a would-be attacker take advantage of the fact that I am not signing the request headers?
2) Is there a better way to achieve what I am trying to do?
When I realised that what I am talking about here is a signed URL, I checked the Amazon Docs and found "REST Authentication Example 3: Query String Authentication Example" in this document: http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html.
This example is about a signed URL for use through a browser. About signing the headers, the document says:
You know that when the browser makes the GET request, it won't provide a Content-Md5 or a Content-Type header, nor will it set any x-amz- headers, so those parts are all kept empty.
In other words, Amazon leave the headers out of the signature.
Amazon make no mention of potential security holes, so until I hear otherwise (or get hacked :) ), I will assume my approach above is fine.