407

What exactly is the difference between following two headers:

Authorization : Bearer cn389ncoiwuencr

           vs

Authorization : cn389ncoiwuencr

All the sources I have gone through set the value of the 'Authorization' header to 'Bearer' followed by the actual token. However, I have not been able to understand the significance of it. What if I simply put the token in the Authorization header?

Anmol Gupta
  • 49
    There are other methods of http authentication, like [basic](https://en.wikipedia.org/wiki/Basic_access_authentication) or [digest](https://en.wikipedia.org/wiki/Digest_access_authentication). I suppose it's nice to be able to distinguish them. – Cthulhu Dec 21 '15 at 07:57
  • 1
    The question is specifically about Token based authentication, which is usually done after basic authentication so that user doesn't have to provide the username and password with each request. – Anmol Gupta Dec 21 '15 at 08:00
  • 1
    I had a similar question as well. I wanted to choose a scheme for a short-lived token implementation, which is not fully OAuth 2.0 compliant. I was wondering if I could use Bearer or any non-standard value without getting in trouble with proxies' and servers' interpretation. The closest I came to finding an answer was: http://stackoverflow.com/questions/7802116/custom-http-authorization-header and http://stackoverflow.com/questions/8463809/customize-the-authorization-http-header – airboss Dec 28 '15 at 17:26
  • Do servers generally return a token via the same route i.e. "Authorization: Bearer" of the HTTP response? Or is it nearly always part of the response body? – w5m Jan 20 '17 at 11:36
  • 3
    This [HTTP authentication page on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication) is very useful for the discussion. – Ricardo Jun 28 '18 at 22:21

5 Answers

290

The Authorization: <type> <credentials> pattern was introduced by the W3C in HTTP 1.0, and has been reused in many places since. Many web servers support multiple methods of authorization. In those cases sending just the token isn't sufficient.

Sites that use the

Authorization : Bearer cn389ncoiwuencr

format are most likely implementing OAuth 2.0 bearer tokens. The OAuth 2.0 Authorization Framework sets a number of other requirements to keep authorization secure, for instance requiring the use of HTTPS/TLS.

If you're integrating with a service that is using OAuth 2.0 it is a good idea to get familiar with the framework so that the flow you're using is implemented correctly and avoids unnecessary vulnerabilities. There are a number of good tutorials available online.

Vegard
  • I'm not familiar with the MS Graph API, might be a quirk of their implementation. – Vegard Apr 13 '16 at 08:17
  • That's what I was thinking. Given your knowledge of Bearer Tokens and tokens in general, can you see any security implications by the fact that the API accepts the token without the Bearer keyword? – DaRoGa Apr 13 '16 at 08:18
  • 1
    Not really, but I agree with one comment in that question - if their implementation differs on this point, what else is different? That being said there are a number of OAuth-like implementations out there that deviate from the RFCs. It does not automatically mean that their implementations are less secure, though. – Vegard Apr 13 '16 at 08:42
61

Long before bearer authorization, this header was used for Basic authentication. For interoperability, the use of these headers is governed by W3C norms, so even if you're reading and writing the header, you should follow them. Bearer distinguishes the type of Authorization you're using, so it's important.

bbsimonbb
18

The word Bearer provides the authorization scheme, since there are different authorization schemes like:

  • Basic, used for HTTP basic authentication
  • Digest, MD5-hashed HTTP basic authentication (deprecated)
  • Negotiate, SPNEGO-based Kerberos for MS Windows systems
  • AWS4-HMAC-SHA256, used in AWS; specifies credential & required service in the header (signed)
  • Bearer

Less common ones are:

  • HOBA, HTTP Origin-Bound Authentication, based on digital signatures (draft)
  • Mutual
  • VAPID
  • SCRAM
Abilogos
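The answers above make the same point from two sides: a server that accepts several schemes dispatches on the first word of the `Authorization` value, so a bare token carries no information about which handler should check it. The following is an added example (not code from the original page or from any of the answerers) of such a dispatcher in Python, following the `auth-scheme SP credentials` grammar of RFC 7235 with a case-insensitive scheme name. The user database, password and the token `cn389ncoiwuencr` are constructed demo data; the handler names are assumptions for illustration.

```python
import base64
import hmac
import re

# Constructed demo credentials; a real server would look these up in a store.
BASIC_USERS = {"alice": "s3cret"}
BEARER_TOKENS = {"cn389ncoiwuencr": "alice"}

# RFC 6750 token68 shape for bearer credentials: base64url-ish characters plus padding.
_TOKEN68 = re.compile(r"^[A-Za-z0-9._~+/-]+=*$")


def parse_authorization(header):
    """Split an Authorization value into (scheme, credentials).

    RFC 7235: credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ].
    The scheme is a token compared case-insensitively. A value with no
    whitespace, such as a bare 'cn389ncoiwuencr', has no scheme at all, so
    None is returned: the server cannot tell which handler should check it.
    """
    parts = header.strip().split(None, 1)
    if len(parts) != 2:
        return None
    scheme, credentials = parts
    return scheme.lower(), credentials.strip()


def check_basic(credentials):
    """Verify 'Basic' credentials (base64 of user:password). Returns the user or None."""
    try:
        raw = base64.b64decode(credentials, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        # Not valid base64 (e.g. a bearer token sent under the wrong scheme).
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    expected = BASIC_USERS.get(user)
    if expected is None:
        return None
    # Constant-time comparison so the check does not leak the password length or prefix.
    if not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return None
    return user


def check_bearer(credentials):
    """Verify 'Bearer' credentials by opaque token lookup. Returns the user or None."""
    if not _TOKEN68.match(credentials):
        return None
    return BEARER_TOKENS.get(credentials)


# Scheme name -> handler. This table is exactly why the scheme word matters:
# without it there is nothing to index on.
HANDLERS = {"basic": check_basic, "bearer": check_bearer}


def authenticate(header):
    """Return the authenticated user for an Authorization value, or None on any failure."""
    parsed = parse_authorization(header)
    if parsed is None:
        return None
    scheme, credentials = parsed
    handler = HANDLERS.get(scheme)
    if handler is None:
        # Unknown scheme (e.g. 'Digest'): reject rather than guess.
        return None
    return handler(credentials)


def challenge():
    """WWW-Authenticate value sent with a 401: every scheme the server accepts.

    The client's reply must begin with one of these names, which is how the
    server knows which table entry in HANDLERS to use.
    """
    return 'Basic realm="api", Bearer realm="api"'


def basic_header(user, password):
    """Build the Authorization value a client sends for HTTP Basic (helper for the demo)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    for value in ("Bearer cn389ncoiwuencr", "cn389ncoiwuencr",
                  "Basic cn389ncoiwuencr", basic_header("alice", "s3cret")):
        print(f"{value!r:45} -> {authenticate(value)!r}")
```

Run stand-alone, the demo shows the same string `cn389ncoiwuencr` accepted under `Bearer`, rejected when it has no scheme, and rejected again when labelled `Basic` (it is not valid base64 of `user:password`). A server that "accepts the token without the Bearer keyword", as asked in the comments above, has in effect hard-wired a single scheme and dropped the dispatch step; whether that is a problem depends on whether it will ever need to accept a second scheme.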
9

A Bearer Token is set in the Authorization header of every Inline Action HTTP Request and Bearer itself determines the type of authentication.

Ref https://developers.google.com/gmail/markup/actions/verifying-bearer-tokens

Yasser Gersy
  • 15
    This answer is specific to gmail developers, not to all web developers. An 'action' is a gmail concept. – aeb0 Aug 08 '19 at 01:19
-1

Because "Authorization" is already a reserved word for headers (see the Mozilla docs), with the syntax <type> <token>. Browsers identify it and work with it, but you are right, you can create your own, for example MyAuthorization, and do MyAuthorization: cn389ncoiwuencr. But some facilities of your server will not know that MyAuthorization is an Authorization header.

I think it is better that you do not reinvent the wheel and use "Authorization" with the syntax that is already known.

schroeder
  • I don't think this answers the question. I don't think you ended up saying what you wanted to say. Do you mean that systems like OAUTH need to add a word to the token because they can't invent their own word? But what about the Mozilla documentation you referenced? It explains that the `Bearer` word is just part of the scheme. This is covered by another answer. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization#directives – schroeder Sep 02 '22 at 06:17