How to properly use Bearer tokens?

php authentication oauth http-headers bearer-token
Ashish Ranjan picture Ashish Ranjan · Nov 14, 2016 · Viewed 56k times · Source

I'm making an authorization system in PHP, and I came across this Bearer scheme of passing JWT tokens, I read RFC 6750. I've got the following doubts:

  1. How is this improving the security?
  2. The server responses the client with a JWT token in its body after a successful authorization and login, and now when the client makes another request, I am not clear how to actually do that, I want to send token from client in Authorization header in the request, so now should I just prefix "Bearer" to the token which I received in the previous response from the server and If yes, then server on receiving the Authorization header, should just split the string with space, and take the second value from the obtained array and then decode it? For example Authorization: Bearer fdbghfbfgbjhg_something, how is server supposed to handle this, decodeFunc(explode(" ", $this->getRequest()->getHeader("Authorization"))[1])?

Answer

Ngô Văn Thao picture Ngô Văn Thao · Nov 14, 2016

1.Improving the security because if token is not sent in the header that sent in url, it will be logged by the network system, the server log ....

2.A good function to get Bearer tokens

/** 
 * Get header Authorization
 * */
function getAuthorizationHeader(){
        $headers = null;
        if (isset($_SERVER['Authorization'])) {
            $headers = trim($_SERVER["Authorization"]);
        }
        else if (isset($_SERVER['HTTP_AUTHORIZATION'])) { //Nginx or fast CGI
            $headers = trim($_SERVER["HTTP_AUTHORIZATION"]);
        } elseif (function_exists('apache_request_headers')) {
            $requestHeaders = apache_request_headers();
            // Server-side fix for bug in old Android versions (a nice side-effect of this fix means we don't care about capitalization for Authorization)
            $requestHeaders = array_combine(array_map('ucwords', array_keys($requestHeaders)), array_values($requestHeaders));
            //print_r($requestHeaders);
            if (isset($requestHeaders['Authorization'])) {
                $headers = trim($requestHeaders['Authorization']);
            }
        }
        return $headers;
    }
/**
 * get access token from header
 * */
function getBearerToken() {
    $headers = getAuthorizationHeader();
    // HEADER: Get the access token from the header
    if (!empty($headers)) {
        if (preg_match('/Bearer\s(\S+)/', $headers, $matches)) {
            return $matches[1];
        }
    }
    return null;
}

Related questions

Laravel: Auth::user()->id trying to get a property of a non-object

I'm getting the following error "trying to get a property of a non-object" when I submit a form to add a user, the error is apparently on the first line: Auth::user()->id of the following: $id = Auth::…

Read More
Authenticating in PHP using LDAP through Active Directory

I'm looking for a way to authenticate users through LDAP with PHP (with Active Directory being the provider). Ideally, it should be able to run on IIS 7 (adLDAP does it on Apache). Anyone had done anything similar, with success? Edit: …

Read More
How should I choose an authentication library for CodeIgniter?

I see there are a few. Which ones are maintained and easy to use? What are their pros and cons?

Read More