6
votes

I am working on learning about Web API and API methodology in general.

At this time, I am investigating authentication.

I know there are several ways to do API authentication and authorization. The most common seems to be the bearer token.

I also see SAML, and I know about X.509 as well (from my WCF days).

I'd like to talk about bearer tokens today. A bearer token is passed as a header. Headers might not be encrypted, therefore it could be possible for someone to grab said token and impersonate the user without consent. This is my view on bearer tokens. It seems many popular services today use this method of authentication for APIs.

What other options are out there besides bearer tokens that are more or less just as secure as HMACing the message, etc.?

I seem to know a little about a lot of authentication methods. I am trying to understand more and would like to build a very secure API that allows for SSO (single sign-on). If the bearer token is the way to go, then great, it is very easy and an out-of-the-box solution. If there is something better and more secure, I am open to that, even if the work and time are far more than for a bearer token.

I don't know why I don't like the sound of a bearer token, but it just seems too easy to attack and exploit. Especially for a payment-related type of service.

Thanks!

2
This isn't a complete answer, but I have toyed with WebAPI and tokens. Bearer tokens aren't just some random sequence of bytes. They contain encrypted information. For my case, I tried encrypting the client's IP address inside the token, so that even if someone were to hijack it, it wouldn't work unless the client's IP address matched what the token contained. I know this isn't a complete solution, but it worked. – Nathan A

How did you control the token from the STS server handing out tokens? – bugnuker

The headers are encrypted. See this answer: stackoverflow.com/questions/187655/are-https-headers-encrypted – SamV

I don't have the exact code, but I do know the WebAPI SDK allows you to override the default implementation for token generation and validation. – Nathan A

Here is an article that goes into rejecting an existing token. There is likely an event for creating one as well inside the OAuthBearerAuthenticationProvider. pressinganswer.com/81522/… – Nathan A

2 Answers

3
votes

Headers are encrypted when using HTTPS. Bearer tokens are perfectly fine for security, and I am using them in my enterprise application now.

2
votes

Bearer token is passed as a header. Headers are not encrypted, therefore, it could be possible for someone to grab said token and impersonate the user without consent.

While this may not always be an ideal solution, you could make sure that you are only passing data over HTTPS. According to Eran Hammer (who is actually advising against using bearer tokens in this article), header information will remain safe if passed using HTTPS. Also, you could add your own encryption algorithm to the token or sensitive data when you need to use it again.
See #8 in 10 Things You Should Know About Tokens
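To make the trade-off concrete, here is an added example (not code from the question, the answers, or any of the linked articles) that puts the two approaches discussed on this page side by side: a bearer token that is HMAC-protected and bound to the client IP and an expiry, along the lines of Nathan A's comment and this answer's "add your own encryption to the token" suggestion, and per-request HMAC signing, which the question asks about. All keys, the client ID, the request path and the request body are constructed for the example; the header names, `TOKEN_SIGNING_KEY`, `CLIENT_SECRETS` and the nonce store are assumptions, not any framework's API.

```python
"""Added example: two ways to authenticate an API call, side by side.

1. A bearer token that is HMAC-protected and bound to a client IP and an
   expiry. A thief who captures it can still replay it from the same address
   (and NAT or mobile networks make IP binding unreliable), so TLS stays mandatory.
2. HMAC request signing: the client signs method, path, body hash, timestamp
   and nonce with a shared secret on every call. A captured request can neither
   be altered nor replayed, and the secret itself never travels over the wire.
All key material and request data below is constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

TOKEN_SIGNING_KEY = b"server-only-token-signing-key"   # assumed; never leaves the server
CLIENT_KEY_ID = "client-42"                            # assumed client identifier
CLIENT_SECRET = b"shared-secret-for-client-42"         # assumed; provisioned out of band
CLIENT_SECRETS = {CLIENT_KEY_ID: CLIENT_SECRET}        # server-side lookup table

# --- 1. Bearer token bound to IP and expiry ---------------------------------

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()

def issue_bound_token(subject, client_ip, ttl_s, now=None):
    """Return '<payload>.<tag>'; the HMAC tag lets the server detect any edit to the claims."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "ip": client_ip, "exp": now + ttl_s}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(TOKEN_SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def verify_bound_token(token, request_ip, now=None):
    """Return the subject if tag, expiry and bound IP all check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        p64, t64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except ValueError:                          # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(TOKEN_SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare
        return None
    claims = json.loads(payload)
    if now >= claims["exp"] or claims["ip"] != request_ip:
        return None
    return claims["sub"]

# --- 2. Per-request HMAC signing --------------------------------------------

def _canonical(method, path, body, timestamp, nonce):
    """The exact bytes both sides sign: any change to method, path or body breaks it."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()

def sign_request(method, path, body, now=None):
    """Client side: produce the authentication headers for one request."""
    ts = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    sig = hmac.new(CLIENT_SECRET, _canonical(method, path, body, ts, nonce),
                   hashlib.sha256).hexdigest()
    return {"X-Key-Id": CLIENT_KEY_ID, "X-Timestamp": str(ts),
            "X-Nonce": nonce, "X-Signature": sig}

_seen_nonces = set()   # production: a shared store that expires entries after max_skew_s

def verify_request(method, path, body, headers, now=None, max_skew_s=300):
    """Server side: accept only fresh, unreplayed, untampered requests."""
    now = int(time.time()) if now is None else now
    try:
        secret = CLIENT_SECRETS[headers["X-Key-Id"]]
        ts = int(headers["X-Timestamp"])
        nonce, sig = headers["X-Nonce"], headers["X-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > max_skew_s or nonce in _seen_nonces:
        return False
    expected = hmac.new(secret, _canonical(method, path, body, ts, nonce),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    _seen_nonces.add(nonce)   # record only after a valid signature, so forgeries cannot burn nonces
    return True

if __name__ == "__main__":
    tok = issue_bound_token("alice", "203.0.113.5", ttl_s=600)
    print(verify_bound_token(tok, "203.0.113.5"))    # alice
    print(verify_bound_token(tok, "198.51.100.9"))   # None: stolen token used from elsewhere
    body = b'{"amount": 10}'
    hdrs = sign_request("POST", "/v1/payments", body)
    print(verify_request("POST", "/v1/payments", b'{"amount": 9999}', hdrs))  # False: body altered
    print(verify_request("POST", "/v1/payments", body, hdrs))                  # True
    print(verify_request("POST", "/v1/payments", body, hdrs))                  # False: replay
```

The difference that matters for the question is what a captured message buys an attacker. With the bound token, the captured header is the credential: it works for anyone who can present it from the bound address until it expires, so the token still has to travel only over HTTPS. With request signing, the captured headers are useless for any other request, and a replay is rejected by the nonce store; the cost is a shared secret per client, clock synchronisation within the skew window, and a nonce store that must be shared across API instances. Neither scheme removes the need for TLS; they limit the blast radius when something else (a log, a proxy, a browser extension) leaks the headers.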