Monday, August 19, 2013

Bearer token recommendations from the RFC
1) Bearer tokens must be safeguarded, since possession of the token alone gives access to whoever bears it. A token must not be transmitted in the clear, whether in a header or in a cookie; it should be passed only over secured (TLS) traffic.
2) TLS certificate chains should be validated; otherwise DNS hijackers can interpose themselves, steal the token, and gain unintended access.
3) HTTPS should be used for all OAuth communications. Transport layer security is necessary both to encrypt the traffic and to authenticate the endpoints.
4) Bearer tokens should not be stored in cookies. Implementations must not store bearer tokens in cookies because doing so can lead to cross-site request forgery (CSRF) attacks.
5) Bearer tokens should only be issued as short-lived credentials. One hour or less is recommended. Using short-lived bearer tokens means that a leaked token gives very few parties a window in which to misuse it.
6) Bearer tokens should always be scoped, limiting their use to the designated user or party. This is important because we don't want to grant universal access.
7) Bearer tokens should not be passed in page URLs, since browsers, web servers, and other software may not adequately secure URLs. The token may appear in web server logs, browser history, and other data structures.
Appropriate error codes must be returned to deny specific requests. These include:
1) invalid_request - a resource access error response. This covers cases where the request is to be denied because it is malformed or refers to an invalid user or client. HTTP status code is 400 (bad request).
2) invalid_token - also a resource access error response. This covers the case where the token has expired or the client has presented a fabricated token. HTTP status code is 401 (unauthorized).
3) insufficient_scope - also a resource access error response. This covers the case where the token has not been scoped for the requested operation, which would otherwise be a security vulnerability. HTTP status code is 403 (forbidden).
An example of a successful token response could be:
     HTTP/1.1 200 OK
     Content-Type: application/json;charset=UTF-8
     Cache-Control: no-store
     Pragma: no-cache

     {
       "access_token":"mF_9.B5f-4.1JqM",
       "token_type":"Bearer",
       "expires_in":3600,
       "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
     }
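The following is an added example, not code from the original post, showing how a resource server could apply the recommendations above: tokens are issued short-lived (one hour) and scoped, and protected-resource requests are answered with the three error codes listed (400 invalid_request, 401 invalid_token, 403 insufficient_scope) carried in the WWW-Authenticate challenge that the bearer token RFC (RFC 6750) defines. The class name BearerTokenServer, the in-memory token store and the injectable clock are assumptions made for this illustration; a real deployment would back the store with a shared cache or a token introspection endpoint.

```python
import secrets
import time
from dataclasses import dataclass

# One hour, the upper bound the post recommends for bearer token lifetime.
TOKEN_LIFETIME = 3600


@dataclass
class IssuedToken:
    subject: str
    scopes: frozenset
    expires_at: float


class BearerTokenServer:
    """Hypothetical authorization + resource server (constructed example)."""

    def __init__(self, realm="example", clock=time.time):
        self.realm = realm
        self.clock = clock          # injectable so expiry can be tested
        self._tokens = {}           # in-memory store: token -> IssuedToken

    def issue(self, subject, scopes):
        """Issue a short-lived, scoped bearer token and the JSON body to return."""
        token = secrets.token_urlsafe(32)   # unguessable, URL-safe opaque string
        self._tokens[token] = IssuedToken(subject, frozenset(scopes),
                                          self.clock() + TOKEN_LIFETIME)
        # Token responses must not be cached (Cache-Control: no-store).
        headers = {"Content-Type": "application/json;charset=UTF-8",
                   "Cache-Control": "no-store", "Pragma": "no-cache"}
        body = {"access_token": token, "token_type": "Bearer",
                "expires_in": TOKEN_LIFETIME, "scope": " ".join(sorted(scopes))}
        return headers, body

    def _challenge(self, error=None, description=None, scope=None):
        """Build the WWW-Authenticate: Bearer challenge header."""
        parts = [f'realm="{self.realm}"']
        if error:
            parts.append(f'error="{error}"')
        if description:
            parts.append(f'error_description="{description}"')
        if scope:
            parts.append(f'scope="{scope}"')
        return {"WWW-Authenticate": "Bearer " + ", ".join(parts)}

    def authorize(self, authorization_header, required_scope):
        """Validate a protected-resource request; return (status, headers, body)."""
        if authorization_header is None:
            # No credentials at all: RFC 6750 says to challenge without an error code.
            return 401, self._challenge(), None
        scheme, _, token = authorization_header.partition(" ")
        token = token.strip()
        if scheme.lower() != "bearer" or not token:
            # Malformed request (wrong scheme, empty token) -> 400 invalid_request
            return 400, self._challenge("invalid_request",
                                        "malformed Authorization header"), None
        entry = self._tokens.get(token)
        if entry is None or entry.expires_at <= self.clock():
            self._tokens.pop(token, None)   # expired tokens are purged on sight
            # Unknown, fabricated or expired token -> 401 invalid_token
            return 401, self._challenge("invalid_token",
                                        "token is expired or unknown"), None
        if required_scope not in entry.scopes:
            # Valid token, but not scoped for this operation -> 403 insufficient_scope
            return 403, self._challenge("insufficient_scope",
                                        "token lacks the required scope",
                                        scope=required_scope), None
        return 200, {}, {"subject": entry.subject}


if __name__ == "__main__":
    srv = BearerTokenServer()
    _, issued = srv.issue("alice", ["read"])
    print(srv.authorize(f"Bearer {issued['access_token']}", "read"))
    print(srv.authorize(f"Bearer {issued['access_token']}", "write"))
    print(srv.authorize("Bearer not-a-real-token", "read"))
```

The token only ever travels in the Authorization header: there is deliberately no code path that reads access_token out of the query string or a cookie, which is how the server avoids the URL-logging and CSRF problems from points 4 and 7.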

