
I'm sure I'm missing something here, so hopefully somebody here can fill me in.

I'm looking at the OAuth 2.0 implementation in .NET 4.5 Web API (version 2 I guess?), and I've implemented a very simple demo where I have a console app calling some basic actions. I get a token from the "/Token" endpoint, and I pass it back as a "bearer" token in the Authorization header. It all works fine.

However, what I'm missing is how this is not susceptible to MITM, replay or other attacks? If I am simply handing credentials around (in the form of a token), and they are the same credentials all the time, what kind of security is wrapped around this to make sure that nobody has simply stolen my token and is impersonating me?

Admittedly, I'm using SSL as well, but is that the only security built around this? Perhaps I should be using some kind of nonce as well, or a timestamp check? If so, how does one do that in Web API?

Anyway, I'm sure there is a very simple explanation here, so I would appreciate the info.

Also note that I am running both servers in two Visual Studio 2013 Web application projects that are in different VS 2013 solutions that are running on different ports. I am not sure if that matters, but thought I would mention it.

I really get frustrated with this editing concept in StackOverflow. I don't see how this edit matters at all to the spirit of the question. I think it should be obvious that it is a conceptual question, and that how I am running my setup doesn't impact the answer. I only used it as a context for where my question came from. Why not just add this as a comment, or ask a question if this is what I meant before putting words in my mouth? I also think it makes no sense to edit a question after an answer has been accepted. This edit could change the answer given. Frustration abounds. – ChrisC

Sometimes people like to play with the toys they are given :) Also, it's one of the ways to increase your reputation, as per this post here >> meta.stackexchange.com/questions/17204/… – user20358

1 Answer


OAuth 2.0 bearer tokens depend solely on SSL/TLS for their security; there is no internal protection of bearer tokens. If you have the token, you are the owner. Many API providers who rely on OAuth 2.0 put in bold that client developers should store the token securely and protect it during its transmission.

You can read this interesting post by Eran Hammer, who used to work with the community that standardizes OAuth 2.0, but I believe he left them over a conflict in opinions. Check his post OAuth Bearer Tokens are a Terrible Idea, and you can read this post too.

But in the end it is becoming the standard way, and you must transmit it over https and store it securely.
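To make the answer's point concrete, here is an added example (not code from the question, the answer, or ASP.NET Web API's own token middleware): a minimal bearer-token resource server written in Python rather than C#, so the behaviour is visible without the OWIN plumbing. It shows exactly what a resource server can and cannot check about a bearer token: it can require that the request arrived over TLS, that the token is present and well-formed, that it exists and has not expired; it cannot tell whether the party presenting the token is the one it was issued to. The token store, the `https`/`http` scheme flag, the fake clock and the client names are constructed for the demo, and the short token lifetime is a common mitigation added here as an assumption, not something the answer states.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed in-memory token store. A real resource server would back this with
# a database or validate a self-contained (signed) token instead.
@dataclass
class TokenRecord:
    subject: str
    expires_at: float


def _digest(token: str) -> str:
    # Store and look up only a hash of the token, so a leaked store does not
    # leak usable credentials and the lookup is not a timing oracle on the token.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class BearerResourceServer:
    """Hypothetical resource server that accepts 'Authorization: Bearer <token>'."""

    def __init__(self, now: Callable[[], float]):
        self._tokens: Dict[str, TokenRecord] = {}
        self._now = now  # injectable clock so the demo is deterministic

    def issue_token(self, subject: str, ttl_seconds: int = 3600) -> str:
        # Random, unguessable opaque token (hypothetical issuance; the /Token
        # endpoint in the question issues its own format).
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = TokenRecord(subject, self._now() + ttl_seconds)
        return token

    def authenticate(self, scheme: str, headers: Dict[str, str]) -> Tuple[int, Optional[str]]:
        """Return (HTTP status, authenticated subject or None)."""
        # The token carries no protection of its own, so the transport must.
        if scheme != "https":
            return 400, None
        parts = headers.get("Authorization", "").split(" ", 1)
        if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
            return 401, None
        record = self._tokens.get(_digest(parts[1].strip()))
        if record is None or record.expires_at <= self._now():
            return 401, None
        # Possession of a valid, unexpired token is the whole proof: nothing here
        # distinguishes the original client from anyone who copied the header.
        return 200, record.subject


def demo() -> Dict[str, Tuple[int, Optional[str]]]:
    clock = [1_000_000.0]  # constructed fake clock
    server = BearerResourceServer(now=lambda: clock[0])
    token = server.issue_token("console-app", ttl_seconds=300)
    auth_header = {"Authorization": "Bearer " + token}
    results = {
        "owner_over_https": server.authenticate("https", auth_header),
        # A verbatim copy of the header from a different client is indistinguishable.
        "replayed_by_another_client": server.authenticate("https", dict(auth_header)),
        "sent_over_http": server.authenticate("http", auth_header),
        "missing_header": server.authenticate("https", {}),
        "wrong_token": server.authenticate("https", {"Authorization": "Bearer not-issued"}),
    }
    clock[0] += 301  # advance past the token lifetime
    results["after_expiry"] = server.authenticate("https", auth_header)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28s} -> {outcome}")
```

The two `200` results for the owner and for the replayed copy are the answer in code: a bearer token is accepted from whoever holds it, so confidentiality in transit (TLS) and at rest (secure storage) is the protection, and a bounded lifetime limits how long a leaked token stays useful. A nonce or timestamp on each request, as the question asks about, would require a different token type (one bound to a key the client proves possession of), which plain bearer tokens do not provide.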