NetTalk Central

Author Topic: Bearer authentication in a webservice - how?  (Read 2357 times)

Niels Larsen

  • Sr. Member
  • ****
  • Posts: 431
    • View Profile
    • Email
Bearer authentication in a webservice - how?
« on: February 26, 2024, 07:54:58 AM »
Hi

I have been given the task of coding an api where the access control is Bearer. Is there anyone who has done something similar and would like to share how it can be attacked.
As I see it, there are two tasks. One where I have to generate a token (from Account id, Client ID and a secret) which must be kept alive for a period of time and then the actual validation of the token.

Regards Niels

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11250
    • View Profile
Re: Bearer authentication in a webservice - how?
« Reply #1 on: February 26, 2024, 10:09:03 PM »
Hi Niels,

I expect you will want to better understand what they are actually asking for. It sounds like they are assuming that "Bearer" means something, and I'm not sure that you (or I) are on board yet with what it actually means (to them). It might be useful to understand where the token comes from, how it works, and so on.

In terms of incoming requests - there's an Authenticate embed in WebHandler which takes a token. (You're probably familiar with the one that takes user and password, used in basic authentication, but there's also one for brearer.) You can obviously add any code you like to authenticate the token in there.

In terms of what the token is, maybe you generate it - or maybe they generate it? Or maybe it's generated by a 3rd-party service (like "log in with google").

Incidentally an example of bearer token authentication is in Secwin 7. Web apps protected with Secwin 7 allow the user to "be remembered". This generates a token, which is sent to the client. This token is then sent back to the server, and evaluated as above when the user reconnects later on. but that's just an example, I don't know what your requirement actually is.

Cheers
Bruce


Niels Larsen

  • Sr. Member
  • ****
  • Posts: 431
    • View Profile
    • Email
Re: Bearer authentication in a webservice - how?
« Reply #2 on: February 26, 2024, 11:16:36 PM »
Hi Bruce

Thanks for the feedback. It's always good to have some questions thrown back in your face - it certainly doesn't hurt to have to think about things yourself.

I think it ends up being a token I issue (based on client ID and client secret) which can then live for x number of minutes after which a new one must be issued.
In my world, it makes no security difference whether I use basic authentication or a form of token - but I recognize that I still have a lot to learn.

Regards Niels
« Last Edit: February 27, 2024, 02:41:07 AM by Niels Larsen »