Bearer Token

From MgmtWiki
Revision as of 09:03, 23 August 2018 by Tom (talk | contribs) (Context)

Jump to: navigation, search

Full Title or Meme

A data structure that passes Authorization grants to a Resource server.

Context

RFC 6750 "The OAuth 2.0 Authorization Framework: Bearer Token Usage" defines the Bearer Token.

Problem

  • Original Problem: Channel Rely is an attack against an Authentication process in certain scenarios. If an attacker manages to elicit a client to connect to him, that attacker could take advantage of the authentication mechanism and use it to authenticate against a third party server on which the client has an account with identical credentials. In addition, the attacker could even authenticate against a service running on the client itself. Evan so, the attacker could never learn the user’s password.
  • Using channel binding between endpoints on protects the token between the endpoints. With the rise of off-loading secure support for IPSec and TLS (HTTPS) results in a gap in protection as the packet travels beyond the secure end point to the server that supports the business logic.
  • Token reuse: OAuth 2.0 or OpenID Connect use of bearer tokens raises the risk of token theft. For years architects have been waiting for Token Binding to get ratified so there would be transparent mechanism to close this gap. If this feature gets dropped from Chrome, this enterprise use case doesn't go away and only Microsoft Browsers support the feature.

Solution

  • Microsoft introduced EAP
  • Protection from the secure channel endpoint to a front end server

Reference