Sunday, 5 March 2017

Using a bearer token for authentication (≠ authorization)

Can a request using the Authorization: bearer [token] header be used for authentication?

or

Or should we use another method to authenticate a client and issue a token, then use that token as a bearer token, like OAuth2 does? Why do popular web services (e.g. GitHub, AWS, Google...) use other methods (as AWS does: Authorization: AWS4-HMAC-SHA256 Credential=...) to authenticate a client? The point of the question is: are there any vulnerabilities or violations of standards in the following flow, or not?

I would like to use the following flow:

the client: something like a Twitter client.
the server: something like the Twitter API.

  1. the client makes the token (encrypted user ID, password, etc.).
  2. the client requests a resource from the server with Authorization: bearer [token].
  3. the server decrypts the token and authenticates the client.
  4. the server responds with the resource.

I read the following RFCs but I haven't found any reason why I should or shouldn't use the flow above.

http://ift.tt/1oCNYa3
http://ift.tt/1kr2jsZ

Thanks
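As an added illustration (not code from the question, nor from any of the services it names), here is the four-step flow above in Go with its open choices made explicit. Assumptions: the "encryption" in step 1 is AES-256-GCM under a key that both the client and the server hold; the token carries the user ID, the password and an issue time as JSON; a token is accepted for five minutes; and the server's user store is a constructed one-entry map.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"time"
)

// Assumed: a 256-bit key held by both client and server. Whoever holds it can
// mint tokens, so the client must guard it as carefully as the password itself.
var sharedKey = []byte("0123456789abcdef0123456789abcdef")

// Assumed: a token is accepted for five minutes after it was made.
const tokenTTL = 5 * time.Minute

// credentials is the plaintext the client encrypts in step 1.
type credentials struct {
	UserID   string `json:"uid"`
	Password string `json:"pw"`
	IssuedAt int64  `json:"iat"` // Unix seconds, so the server can reject stale tokens
}

// users is a constructed server-side store: user ID -> SHA-256(password). A real
// store would use a slow hash (argon2id, bcrypt); SHA-256 keeps this to the stdlib.
var users = map[string][32]byte{
	"alice": sha256.Sum256([]byte("correct horse battery staple")),
}

var aead = mustGCM()
func mustGCM() cipher.AEAD {
	block, err := aes.NewCipher(sharedKey)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// MakeToken is step 1: the client encrypts its credentials with AES-256-GCM,
// which also authenticates them. Output is base64url(nonce || ciphertext || tag).
func MakeToken(userID, password string, now time.Time) (string, error) {
	plain, err := json.Marshal(credentials{UserID: userID, Password: password, IssuedAt: now.Unix()})
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, plain, nil)), nil
}

// VerifyToken is step 3: the server decrypts the token, checks freshness, then
// checks the credentials inside it. It returns the authenticated user ID.
func VerifyToken(token string, now time.Time) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) < aead.NonceSize()+aead.Overhead() {
		return "", errors.New("token is not a well-formed bearer token")
	}
	ns := aead.NonceSize()
	plain, err := aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil { // wrong key, or any flipped bit: the GCM tag check fails
		return "", errors.New("token failed authenticated decryption")
	}
	var c credentials
	if err := json.Unmarshal(plain, &c); err != nil {
		return "", errors.New("token payload is malformed")
	}
	issued := time.Unix(c.IssuedAt, 0)
	if now.Before(issued.Add(-30*time.Second)) || now.After(issued.Add(tokenTTL)) {
		return "", errors.New("token expired or issued in the future")
	}
	stored, known := users[c.UserID]
	presented := sha256.Sum256([]byte(c.Password))
	// Compare even for unknown users so timing does not reveal which IDs exist.
	if subtle.ConstantTimeCompare(stored[:], presented[:]) != 1 || !known {
		return "", errors.New("invalid user ID or password")
	}
	return c.UserID, nil
}

func main() {
	now := time.Now()
	tok, _ := MakeToken("alice", "correct horse battery staple", now) // step 1: client mints the token
	// step 2: client sends "Authorization: Bearer " + tok; step 3: server verifies it
	uid, err := VerifyToken(tok, now)
	fmt.Println("authenticated as:", uid, "err:", err) // step 4 would return the resource
}
```

Two things in this example are decisions the flow in the question leaves open. GCM's tag is what makes step 3 fail on a flipped bit or on a token minted under a different key; plain (unauthenticated) encryption would not give that. The issue time is what stops a captured token from being accepted forever; the flow as written does not say what bounds a token's lifetime, so that is worth deciding explicitly. Note also what is actually being authenticated: whoever can run step 1 holds both the shared key and the password, so the key on the client needs the same protection as the password it wraps.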
