In an HTTP request, why is the bearer token header required
What exactly is the difference between following two headers:
Authorization : Bearer cn389ncoiwuencr
vs
Authorization : cn389ncoiwuencr
All the sources which I have gone through, set the value of the 'Authorization' header as 'Bearer' followed by the actual token. However, I have not been able to understand the significance of it. What if I simply put the token in the Authorization header?
The Authorization: pattern was introduced by the W3C in HTTP 1.0, and has been reused in many places since. Many web servers support multiple methods of authorization. In those cases sending just the token isn't sufficient.
Sites that use the
Authorization : Bearer cn389ncoiwuencr
formats are most likely implementing the OAuth 2.0 bearer token header. The OAuth 2.0 Authorization Framework sets a number of other requirements to keep authorization secure, for instance requiring the use of HTTPS/TLS.
If you're integrating with a service that is using OAuth 2.0, it is a good idea to get familiar with the framework so that the flow you're using is implemented correctly and unnecessary vulnerabilities are avoided. There are a number of good tutorials available online.
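An added example, not code from the question or answer above, of how a server that offers both Basic and Bearer authentication dispatches on the scheme word in the Authorization header, which is why a bare token with no scheme is rejected. The token value, user names and passwords are constructed for the demo.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Constructed sample credential stores for the demo (not real secrets).
BEARER_TOKENS = {"cn389ncoiwuencr": "alice"}   # token -> user
BASIC_USERS = {"bob": "s3cret"}                # user -> password


def parse_authorization(header: str) -> Tuple[Optional[str], str]:
    """Split 'Authorization: <scheme> <credentials>' (RFC 7235 syntax).

    The scheme is case-insensitive, so it is lower-cased. A value with no
    scheme, e.g. a bare token, yields (None, value): the server cannot tell
    which authentication method the credentials belong to.
    """
    parts = header.strip().split(None, 1)
    if len(parts) != 2:
        return None, parts[0] if parts else ""
    return parts[0].lower(), parts[1].strip()


def basic_header(user: str, password: str) -> str:
    """Build a Basic credential for the demo: base64('user:password')."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(header: str) -> Optional[str]:
    """Return the authenticated user, or None if the header is rejected.

    Dispatch happens on the scheme; a bare token is rejected because
    neither handler can claim it.
    """
    scheme, credentials = parse_authorization(header)
    if scheme == "bearer":
        for token, user in BEARER_TOKENS.items():
            # Constant-time comparison so a token lookup leaks no timing info.
            if hmac.compare_digest(token.encode(), credentials.encode()):
                return user
        return None
    if scheme == "basic":
        try:
            decoded = base64.b64decode(credentials, validate=True).decode()
        except (binascii.Error, UnicodeDecodeError):
            return None  # malformed credentials, not a valid Basic header
        user, _, password = decoded.partition(":")
        expected = BASIC_USERS.get(user)
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            return user
        return None
    return None  # no scheme, or a scheme this server does not offer
```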